
Fix sploitMixin bug that doesn’t properly close service handles.

Open Hallowizer opened this issue 3 years ago • 2 comments

Currently, the for loop that closes service handles initializes a variable “shi” for the service handler index, and increments that variable. However, the actual check for finishing the loop is done using the older “si” variable that is set to the highest service handle.

This results in the service handles never being freed, as the condition is always false, unless the user added handles themselves, in which case that for loop never exits, and the Switch probably crashes eventually because an invalid handle gets freed.

NOTE: I do not have a Switch that is vulnerable to PegaSwitch or fusee-gelee, so I am unable to test this. Please test this code before merging it.

Hallowizer avatar Mar 01 '21 20:03 Hallowizer
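A model of the loop bug described above, as an added example that is not pegaswitch's own code: the handle table, the `closeHandle` callback and the exact form of the exit test are assumptions; `shi` and `si` are the variable names from the report.

```javascript
// Added example, not pegaswitch's code: models the loop-variable bug in the report.
// The handle table, closeHandle() and the exact shape of the exit test are assumed;
// `shi` (loop counter) and `si` (highest service handle) are the names from the issue.

const MAX_ITER = 64; // guard so the buggy loop cannot actually spin forever here

// Constructed handle table, as it would look once the exploit's service sessions
// are set up: `si` is the index of the highest service handle at that moment.
function buildHandleTable(extraUserHandles = 0) {
  const serviceHandles = [0x10, 0x11, 0x12];
  for (let i = 0; i < extraUserHandles; i++) serviceHandles.push(0x20 + i);
  return { serviceHandles, si: 2 };
}

// Buggy version: the counter is `shi`, but the exit test reads `si`, which never
// changes, so the loop runs either zero times or forever.
function closeServiceHandlesBuggy(serviceHandles, si, closeHandle) {
  let iterations = 0;
  for (let shi = 0; si < serviceHandles.length - 1; shi++) {
    if (++iterations > MAX_ITER) return { hung: true, iterations };
    closeHandle(serviceHandles[shi]); // past the end this passes `undefined`
  }
  return { hung: false, iterations };
}

// Fixed version: test the same variable the loop increments.
function closeServiceHandlesFixed(serviceHandles, closeHandle) {
  let iterations = 0;
  for (let shi = 0; shi < serviceHandles.length; shi++) {
    iterations++;
    closeHandle(serviceHandles[shi]);
  }
  return { hung: false, iterations };
}

// Runs both versions against one table and reports which handles each closed.
function compare(extraUserHandles) {
  const { serviceHandles, si } = buildHandleTable(extraUserHandles);
  const buggyClosed = [];
  const fixedClosed = [];
  const buggy = closeServiceHandlesBuggy(serviceHandles, si, (h) => buggyClosed.push(h));
  const fixed = closeServiceHandlesFixed(serviceHandles, (h) => fixedClosed.push(h));
  return { buggy: { ...buggy, closed: buggyClosed }, fixed: { ...fixed, closed: fixedClosed } };
}

console.log(JSON.stringify(compare(0))); // buggy closes nothing, fixed closes 3
console.log(JSON.stringify(compare(2))); // buggy hits the guard (would hang), fixed closes 5
```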

Found another bug: https://github.com/reswitched/pegaswitch/blob/4d9d4866866091a6392c9a196f3074d39208d137/exploit/ipc.js#L153 should be pushing to inputObjectIds, not inputObjectId.

Hallowizer avatar Mar 22 '21 23:03 Hallowizer

Gonna be honest: nobody maintains or even uses pegaswitch any more.

The effort is certainly appreciated, but you should probably know that the odds of anyone actually testing any of this stuff to merge it are approximately zero.

SciresM avatar Mar 23 '21 01:03 SciresM