VBA 1.8.0, VBA-M 2.0.2 - Multiple vulnerabilities in ELF file parser

Подписаться 37 тыс.

Просмотров 21 тыс.

50% 1

Breaking the emulators even more. All versions of VBA and VBA-RR, and versions of VBA-M before 2.1.0, happen to have several bugs in their ELF file parsers. Loading specially prepared ELF files could either result in running untrusted code outside the emulator, or leak information about the outside environment to the emulated ROM, including user account information, filesystem paths, configuration, or even save data from other games.
PoC exploits + technical writeup: sites.google.c...

Опубликовано:

27 сен 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 123

@Crystal_2 6 лет назад

So VBA is the real ELF MONSTER.

@TheEnderLeader1 6 лет назад

This should be favourited.

@abarette_ 2 года назад

absolutely golden comment

@TheZZAZZGlitch 6 лет назад

Yeah, VBA sucks. Not the first time. Get a better emulator, like mGBA or BGB. Or at least upgrade to VBA-M.

@John_Sturgeon 6 лет назад

Why don't you talk in any of your videos?

@Zelinkokitsune 6 лет назад

How is Bizhawk looking for this role as it's based on Gambatte

@John_Sturgeon 6 лет назад

I know It's ZZAZZ's choice, it just seemed odd that every Arbitrary Code Execution poketuber uses on-screen text instead of talking aloud, and channels that have on-screen text generally have less subscribers, so I didn't know if there was a reason for it or they were just shy or what lol

@1yaz 6 лет назад

VBA runs on Win98, obviously the superior GBA emulator

@paincreatesfame 6 лет назад

I use TGB Dual but idk

@LStranck 6 лет назад

12 sept 2016: Windows 7 aero, Banjo kazooie theme, Mario Kart Wii losing music, Notepad++ 6 jul 2018: Windows 10, Dubstep music, Wii plaza theme, Sublime Text I can clearly see an upgrade here

@JS_SN_UQAU 6 лет назад

It's Visual Studio Code :P

@JS_SN_UQAU 5 лет назад

@@Mabi19 I meant Visual Studio Code :P

@MinePlayersPE 4 года назад

btw it wasnt aero

@seba2366 4 года назад

In the future we might see Mario Kart Wii Menu theme and Visual Studio Code

@ISSOtm 6 лет назад

But what is that mysterious poc_infoleak_dumper.elf? OwO

@livk06 6 лет назад

This just shows that when ZZAZZ sees a mistake, glitch or bug in anything they will make a cool video out of it

@stereo374 6 лет назад

I recently upgraded to mGBA, not for the emulation inaccuracies with VBA, but because VBA always made Pokemon Mystery Dungeon run really chopped up. The framerate was inconsistent and the music was unbearable due to that.

@deltathedummy2303 6 лет назад

oddly enough it works fine for me hell the emulation glitches only happens to me after a number of resets

@Pacca64 6 лет назад

I find it odd that VBAs' framerate gets so bad, even on hardware that can definitely hold up. After trying mGBA, VBA seems completely worthless due to that one issue alone.

@pikksen7905 6 лет назад

...hold on, is that Rush B?...

@cubrucessecretchanneld969 6 лет назад

Yes

@viegodelfuego 6 лет назад

RUSH 🅱 as the background music? I see you are a man of culture.

@gudenau 6 лет назад

So, make a Homebrew game that looks for gadgets in the background?

@kargaroc386 6 лет назад

strcpy strikes again

@mingfeid.4627 3 года назад

So when is "using 8F in Pokemon Yellow to steal your credit card number"

@thebigdawgj 6 лет назад

I'd just like to say that this was much easier to read than some of your recent Pokemon videos I've seen where you do the tiny text on the right side and show the game on the left. Stick with this format.

@WishMakers 6 лет назад

More buffer overflow exploits with VBA. Where have I seen this before /s Thanks as always for informing, ZZAZZ.

@Ayalolis 6 лет назад

WHEN YOU'RE GOING TO MAKE A NEW ABC VIDEO? I'VE BEEN WAITING FOR THESE FOR MONTHS

@thisisvildus7119 6 лет назад

yes try to use f8ff

@TheZZAZZGlitch 6 лет назад

A new ABC video is in the works (yes, with $F8FF, although with a small twist)

@fattata2142 5 лет назад

But can you steal everyone's personal data in 0.5 A presses?

@ais4185 6 лет назад

But could you run an ELF file from inside a regular rom (gbc file for instance)?

@Christer2222 6 лет назад

ELF? FALLED BORT

@w7u 4 года назад

Me, a VBA user: lol what does this even mean lmao

@lucasgreer1736 Год назад

wait, that's vba-m? I've only ever used the crappy cross-platform version which has basically no options and only ever has run for me at like 75% speed

@MetaBloxer 4 года назад

1:19 come ON! You cut of the video there!? How the heck are we supposed to know what 2+2 equal? I got homework to do, man!

@starleaf-luna 4 года назад

it's 5

@bobbob1876 4 года назад

@@starleaf-luna no it's 2

@kimgkomg 4 года назад

Wait but how is showing the user their own security info a problem?

@Interpause 5 лет назад

Thanks for the practice assignment

@legocreator768 6 лет назад

what was the dubstep music used?

@jfb- 6 лет назад

So technically would it be possible to do this from within a game that has ACE, such as Pokémon Emerald?

@ndm13 6 лет назад

No, it's in the way the software loads a certain type of file. Not that there isn't a way to perform ACE from within a ROM, we just need ZZAZZ to find it...

@Kimeki00 6 лет назад

I guess a Linux machine comes handy when having to deal with things like cloning Git repositories (0:38), but I wonder how often you use it... Says a guy who uses desktop Linux as his main OS. Not fond of accurate emulators for Linux for glitching around, though :'( PS: Also wondering whether it's an old computer you have around or a remote server...

@txqea9817 6 лет назад

someone enjoys sheet music boss

@PandaXclone2 6 лет назад

So basically don't load .elf files. In before ISSOtm replies.

@ISSOtm 6 лет назад

PandaXclone2 Meow >:C

@LStranck 6 лет назад

im laughing

@Windo0ows 5 лет назад

I load them everyday Oh that’s the wrong platform

@TheEnderLeader1 6 лет назад

I heard that Rush B...

@paincreatesfame 6 лет назад

Get that Rush B music

@Skul1ManEXE 4 года назад

So, in a nutshell, VBA 1.8.0 can doxx you through .ELF files. Yikes...

@plushifoxed 6 лет назад

*There is no help here*

@MegoZ_ 5 лет назад

Try to limit the turbo's speed next time

@burritoman2k 6 лет назад

But... But... 4 4...

@megalucarioex3558 6 лет назад

Music at 0:39?

@firstnamelastname8684 6 лет назад

whats an elf file sounds like something from a sci fi movie tbh also i never even used any sort of vba branch mgba is better

@TheLucarioBaoJunior 6 лет назад

What’s an ELF file?

@TheZZAZZGlitch 6 лет назад

ELF files is essentially a ROM file. It's no different from a GBA file - it contains code to be run in an emulator. (Before someone complains, note that this description is not technically accurate - but it's simple to understand)

@Selicre 6 лет назад

Wait, is this the exact file type used for linux executables? Although I'm not sure why exactly you'd put rom data there, except for maybe adding debugging symbols to the compiler output.

@gudenau 6 лет назад

Hyper Homebrew gets compiled to an elf then a ROM.

@Selicre 6 лет назад

Which compiler? WLA-DX uses its own format as far as I can tell, and it uses the .o extension.

@gudenau 6 лет назад

Hyper Those are ELF files. :-P GCC and CLANG both output ELF filles. Many assemblers support it as well with preprocessor commands.

@deltathedummy2303 6 лет назад

i'm still using VBA lmao who cares

@ISSOtm 6 лет назад

It's a shitty emu that sucks and it can cause your computer to execute malware. But you do you, I guess?

@deltathedummy2303 6 лет назад

i never got malware

@deltathedummy2303 6 лет назад

hell alot of the roms i run work perfectly (well beyblade never worked but who cares about beyblade)

@ISSOtm 6 лет назад

It's not because you never got it thus far that it will never happen. Otherwise why install anti-virus software at all?

@ISSOtm 6 лет назад

They may appear to work (for example, Pinball Deluxe kinda works in VBA but didn't work in more accurate emulators), but that was because VBA sucks so much that the game doesn't manage to actually crash). Also, VBA's sound and colors are far past incorrect. And, "VBA-only" bugs are everywhere.

@epicspeedrunning3207 6 лет назад

Lol. As a beginner slowly getting into security, I can immediately see how any type of buffer supplied with user input can go wrong without some sort of check. Nice job, and I definitely advise everyone using VBA or an old VBA-M to immediately update to VBA-M 2.1.0 or switch to a better GBA emulator!

@epicspeedrunning3207 6 лет назад

Actually, would this work with GBA files? They should be loaded quite similarly, seeing that they're somewhat identical besides from a few things.

@gypsysprite4824 5 лет назад

@@epicspeedrunning3207 i think there is one or two quirks with ELF files that makes this possible in the first place

@Pacca64 6 лет назад

What do ELF files even do in VBA? I only know about them in the context of Wii and Gamecube homebrew...

@renakunisaki 6 лет назад

They're just programs, can be made for any platform. Dunno why you'd make them for GBA tho...

@meithecatte8492 6 лет назад

Also, ELF bundles debug information, which is impossible in a raw ROM format.

@pikksen7905 6 лет назад

WELCOME! IT’S ELF’S WORLD!

@dorukayhanwastaken 6 лет назад

"14-year-old discontinued piece of software" sounds a lot like "14-year-old discontinued piece of shit" in disguise.

@TwilightFlower9 6 лет назад

Thanks for the 4 day late notification, RU-vid. Also, reminder that VBA sucks and is very inaccurate. Use BGB for GB/GBC and mGBA for GBA.

@MagikGimp 2 года назад

Since when has ANY non-commercial app had actual help in the Help menu??!? GAH!!

@CJohn95 4 года назад

01:55 I don't remember Dwarf Fortress being ported to GBA

@bootmii98 5 лет назад

that Rush B tho

@Cahos_Rahne_Veloza 6 лет назад

Too bad the recent DMCA action of Nintendo against VBA has caused the folks over at VBA-Ms site to nuke their site and forums and the only available download for VBA-M 2.1.0 is the wx build whereas I prefer their MFC builds. But seeing as they're currently incognito an MFC build might take a while to come to pass.

@elrichardo1337 4 года назад

0:38 R U S H 🅱️

@randomnumbers710 6 лет назад

this makes me uncomfortable

@philsose4844 Год назад

The website that hosted the exploit write up is dead is there any other way to get it? (i checked the other video, that write up is also gone)

@tomypower4898 4 года назад

cool

@peachymunmagenta Год назад

I think a meta game where it (consensually!) reads your save data and system username would be cool; I know it’d only work properly (or at all) on specific emus, and would likely need to be made for specific operating systems so it’d work properly, but I think it’d be cool

@nintendoloverin9567 6 лет назад

2+2.....is 4 minus 1 thats 3 QUICK MEFFS

@greenknight9000 5 лет назад

Someone went to ELF practice

@goodmorningchat 6 лет назад

This video was simple delicious.... can i get that hit-marker bit for 10 hours

@nothankyou4859 6 лет назад

BGB is such a fantastic emulator

@LiEnby 5 лет назад

Can't you still do ROP with the /GS flag?

@easyaspi31415 3 года назад

/GS (and -fstack-protector) work like so: Normally, the stack is like this: variables frame pointer return address /GS and -fstack-protector do this variables magic random number (canary or cookie) frame pointer return address Before returning from a function, it checks to make sure that random number matches. If it doesn't, it immediately aborts the program. It is still technically possible to do a stack overflow ROP chain, but you would need to know that random number which changes each time the program starts, which would either require a second exploit or some serious luck.

@LiEnby 3 года назад

@@easyaspi31415 oh its just a stack cookie lol.