@aglab2
aglab2 / a.md
Last active May 29, 2024 00:43
Project 64 1.6 container escape vulnerability writeup

The vulnerable emulator is Project 64 1.6.x/1.7. Two vulnerabilities can be chained to gain arbitrary code execution from an N64 ROM, escaping the emulation container.

  1. Container escape and arbitrary writes from the N64 ROM outside of the designated N64 RAM

Vulnerable function: Compile_R4300i_SB and its siblings Compile_R4300i_S* (https://github.com/zeromus/pj64/blob/master/RecompilerOps.cpp#L1955C6-L2024)

If a non-constant Opcode.base is used, the branch at lines 1961-1971 (the one that performs the checks properly) is skipped, and we can load from a volatile address addr (compiled to MIPS asm inside the ROM):
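To make the bug class concrete, the following is an added, hypothetical C model written for this page (not the writeup's own MIPS listing and not Project64's code): a JIT store-byte helper whose address is only masked, beside the hardened form that bounds-checks every computed address. RDRAM_SIZE, GUARD_SIZE, PHYS_MASK and the function names are assumptions of the model.

```c
/* Hypothetical model (not Project64's code) of a JIT "store byte" helper.
 * store_byte_unchecked mirrors the pattern the writeup points at: the guest
 * address is masked but never compared against the RDRAM size, so a crafted
 * base register lets a guest store land in host memory past the RDRAM buffer.
 * store_byte_checked applies that bounds check to every computed address. */
#include <stdint.h>
#include <stdio.h>
#define RDRAM_SIZE (8u * 1024u * 1024u)  /* 8 MB emulated N64 RDRAM (assumed size) */
#define GUARD_SIZE 64u                   /* constructed stand-in for adjacent host data */
#define PHYS_MASK  0x1FFFFFFFu           /* drops the KSEG0/KSEG1 segment bits */

/* [0, RDRAM_SIZE) is the guest's RAM; the GUARD_SIZE bytes after it are "host" data. */
static uint8_t host_mem[RDRAM_SIZE + GUARD_SIZE];

uint8_t rdram_byte(uint32_t addr) { return host_mem[addr % RDRAM_SIZE]; }
/* Non-zero guard bytes mean an emulated store escaped the RDRAM buffer. */
uint8_t guard_byte(unsigned i)     { return host_mem[RDRAM_SIZE + i % GUARD_SIZE]; }

/* Guest virtual -> physical: sign-extend the 16-bit offset, add, drop segment bits. */
static uint32_t translate(uint32_t base, int16_t offset) {
    return (base + (uint32_t)(int32_t)offset) & PHYS_MASK;
}

/* Weak path: the mask leaves a 512 MB window, far larger than RDRAM. The one
 * comparison below only keeps this model itself memory-safe (-2 = would have
 * written even beyond the guard); it is not the bounds check that is missing. */
int store_byte_unchecked(uint32_t base, int16_t offset, uint8_t value) {
    uint32_t addr = translate(base, offset);
    if (addr >= RDRAM_SIZE + GUARD_SIZE) return -2;
    host_mem[addr] = value;              /* may land in the guard region */
    return 0;
}

/* Hardened path: reject any address outside RDRAM before touching host memory. */
int store_byte_checked(uint32_t base, int16_t offset, uint8_t value) {
    uint32_t addr = translate(base, offset);
    if (addr >= RDRAM_SIZE) return -1;
    host_mem[addr] = value;
    return 0;
}

int main(void) {
    /* constructed input: base register pointing exactly one byte past RDRAM */
    store_byte_unchecked(0x80800000u, 0, 0xBB);
    printf("guard[0] after unchecked store: 0x%02X\n", guard_byte(0));
    printf("checked store rejected: %s\n",
           store_byte_checked(0x80800000u, 0, 0xBB) == -1 ? "yes" : "no");
    return 0;
}
```

The detection point for an emulator or JIT reviewer is the same in both paths: any host write derived from a guest-controlled register must be compared against the backing buffer's size, not merely masked.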

```c
/* The world's smallest Brainfuck interpreter in C, by Kang Seonghoon
 * http://j.mearie.org/post/1181041789/brainfuck-interpreter-in-2-lines-of-c
 * Relies on pre-C99 implicit int and implicit function declarations, so it
 * needs an older C dialect (e.g. -std=gnu89) to compile. */
s[99],*r=s,*d,c;main(a,b){char*v=1[d=b];for(;c=*v++%93;)for(b=c&2,b=c%7?a&&(c&17
?c&1?(*r+=b-1):(r+=b-1):syscall(4-!b,b,r,1),0):v;b&&c|a**r;v=d)main(!c,&a);d=v;}
```