Mutliple Possible Exploit Ideas

Discussion in 'Xbox One Modding' started by KittenMilkshake, Nov 7, 2017 with 16 replies and 1,969 views.

  1. KittenMilkshake

    KittenMilkshake Enthusiast

    Messages:
    46
    Ratings:
    6
    I have been lurking this sub-board for a while now. I have been eager for a long time to see a Xbox One exploit. I have concluded some ideas on how this may be possible but I could be wrong.

    1. Buffer Overflow to escape a VM Sandbox

    It may not sound probable but it is. Take a look at this thread first.
    https://www.se7ensins.com/forums/threads/xbox-weak-link.1672922/

    It sends a payload within a document file. I know that through Metasploit or various tools you can manipulate a weakness in .docx and word documents to include your payload within the document and make it FUD. First you would have to get the document with the payload into the xbox through whatever vulnerability. Before hand you would have to code the exploit to escape the VM Sandbox. Doing so may be tough and I have supplied the links but it may work. Correct me if I am wrong. There are many exploits to escape VM Sandboxes within Internet Explorer and other Microsoft applications. Most of which would have to be compiled into a payload through Metasploit Framework.

    Links:
    Exploit Database :https://www.exploit-db.com/
    Metasploit: https://www.metasploit.com/

    Tutorials on escaping VM Sandboxes:
    https://www.blackhat.com/docs/us-14/materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes.pdf
    https://papers.put.as/papers/macosx/2016/sandbox_defcon.pdf

    2. Complete Wi-Fi Traffic Interception

    For this I was thinking to run a sniffer tool to ARP spoof the network and record ALL traffic on you LAN network. While doing so you can run an Xbox One update, downloading games, etc. This could grant raw code and access to it to explore and data mine. The number one way to find an exploit is to reverse engineer what you are trying to manipulate. One thought I had is this which requires 2 consoles. On the first console update it but do not update the second. While updating the first grab all network traffic and dig through to find the Xbox One update files. You could then edit the update files to include an exploit code. Afterward you login to the router and set a block on the port and host of which the update came through. Then you could set up your own local server spoofing or having the same port and host name therefore your Xbox can connect. However it might not connect if there is some sort of Peer to Host validation within the update between Microsoft servers and the Xbox One. This idea could be tinkered with and changed in order to figure out how this could be done.

    3. Ripping or Editing disc ISO

    The final idea I had was to load an Xbox One game disc into a disc drive and read it with a computer. In order to do so you might need some sort of certain drivers, software of firmware on the disc drive in order to read write the disc. If this can be done, most likely not, then you could add a payload on a game disc within certain data chunks so when you load the game and access a certain feature of the game or load something it will load the payload also. This will be the same payload to break out of the VM Sandbox.

    I would really like to see an exploit and I am trying my best to come up with ideas. I am willing to collaborate with someone who is interested in working towards an exploit. When it comes to technology there will always be a backdoor and exploit to every security system no matter how secure it might be. Don't get discouraged. Hardware exploration could also help out a lot. Any feed back is appreciated.

    Thank you.
     
  2. Sketch

    Sketch Enthusiast

    Messages:
    696
    Ratings:
    316
    2 and 3 are completely out the box.
    Unless you ended up with the correct signing keys for the discs then... yeah. Not happening.

    In regards to the first one, you are slightly on right track. The only problem is that the Xbox One System OS, and even the other operating systems, are not like a direct copy of Windows... it's almost "heavily" modified with many programs rewritten to work hand in hand between each partition, alongside the security processor. You'd have to dump the file system of the System OS and then figure out how you are going to dump the System OS kernel (not entirely hard... not able to say exactly but requires priv-esc) and then reverse the drivers and other additional modules.
     
  3. Extern

    Extern Banned

    Messages:
    1,459
    Ratings:
    673
    Regarding the first idea, VM escapes aren't common and are worth BIG money, so attempting to find a vulnerability with the sole objective of modifying a game console is foolish. Existing exploits won't be publicly disclosed - rather they will be submitted to Microsoft's bug bounty (or similar) to be quickly patched and rewarded with a large sum of money (https://technet.microsoft.com/en-us/mt784431.aspx).

    Regarding the second idea, updates are not only encrypted, but they also contain files that are signed. Going this route would require you to obtain their private keys, a fault in RSA or their implementation of it, or several million (?) years to bruteforce the key.

    Regarding the third idea, even if you manage to get past their anti-piracy implementation, the files still need to be signed. Even then, you're only going to be running as a low-privileged application in a sandbox.
     
    • Like Like x 2
    Last edited: Nov 7, 2017
  4. OP
    KittenMilkshake

    KittenMilkshake Enthusiast

    Messages:
    46
    Ratings:
    6
    There are some publicly released VM escapes. This issue is there is none public or private for Xbox OS. This means a community would have to come together and code one. I would like to see a community that people all come together on say Discord or a IRC Chat room to communicate on methods how to. There are websites where you can buy exploits. How much depends. It could be very expensive or relatively cheap. I know a few people that work with high end exploits and other experimental exploits in the hacking community. I will ask around later if any of my buddies know but escaping the VM is how exploiting can occur without modifying the hardware of the Xbox One. The main issue is I am 100% CERTAIN THAT THE WEBSITE AND MANY OTHER EXPLOIT WEBSITES ARE MONITORED BY SOMONE AT MICROSOFT AND THEY PATCH AND RECORD PROGRESS. A private place to communicate would help out the most to be secure in progress.

    Would a Dev Kit help with any of this? It could come in handy in some regards. I will also look into tools and devices for hard ware exploitation. The types of tools and devices that are used to exploit and debug test a wide range of devices.

    Edit: Check this site out.

    https://www.cvedetails.com/vulnerab...roduct_id-32367/year-2015/Microsoft-Edge.html

    This is possible we just have to find a way.[DOUBLEPOST=1510075351][/DOUBLEPOST]Also in the future Microsoft said eventually Xbox will be software and not hardware. They are working on porting Xbox One OS to the Windows 10 platform. If anything we would have to wait for Microsoft to set up an exploit by adding new features or ports.

    Just my 2 cents. Is anyone interested in starting a Discord to do research into exploits? Anyone dedicated enough to join?
     
    Last edited: Nov 7, 2017
  5. Extern

    Extern Banned

    Messages:
    1,459
    Ratings:
    673
    null
     
    Last edited: Sep 18, 2018
  6. schitzotm

    schitzotm Contributor

    Messages:
    2,115
    Ratings:
    1,882
    Ok, so lets just pretend for the sake of argument you managed an exploit on the xbox one.
    Lets also say you do not get the C&D letter from microsoft as well.
    You break the console and can now inject unsigned code. How on earth are you going to unban the console?
    The only reason the xbox 360 didn't become a paperweight was because we had kv replacement. The reset glitch allowed us to redirect which nand the console was reading from. So, how many consoles do you have to burn?
    You need to extract nand storage and you need to know what is used to ban a console. (so right there is one console burned in the name of science.) But you need full access to everything in the console so you can read out what is blocked.
    And lets not forget how you are getting there. "The web browser". First off the xbox one does not use internet explorer. It uses edge browser. (maybe just as vulnerable) And where will you start? What makes you think the same vulnerabilities exist from a pc to an xbox?
    And to your third idea. The most valuable idea. Also the most impossible idea.
    So lets say you manage to make a complete duplicate of the disc. You still need to insert the first disc to validate then hotswap the disc. That only gets you to install the exact copy of the original disc.
    Have you decrypted the disc yet? Have you found how to re sign the data within the disc yet?
    I would venture to say decrypting the disc wouldn't be as hard as one would think. But that still leaves signing it again.
    And finding an alternative to hotswapping as that is tedious and not many are willing to pull apart their console and drive.
    But lets just say you have all this working. Ok, so now you have installed this magical payload that has now jumped out of bounds on the vm it was operating in. What are you going to do now? And again how are you gonna stop the console from getting banned the next time it connects? And now with most games using anticheat even on consoles that have yet to be public exploited how are you going to keep that from banning your profile? How do you know that somehow the console isn't going to pick up on the malformed disc data and treat it as piracy?
    Things aren't as simple as just inserting a payload and now you have a hacked console. You want that buy a nintendo.
    Even though team xecuter made the rgh an easy install the work that went in to development and rebuild took forever.
    And was met with huge resistance. So much so that even being on ninja server does not guarantee no ban.
    There is so much work to get anything of value out of a hack that those that develop want paid. So breaking via software is likely to never get a release. But guess what? Microsoft is paying users that submit exploits. So there is the payday. So why would people spend that much time on something and give it away when someone else is paying? Reset glitch hack does not exist on the xbox one like it did with xbox 360. Besides that can you decrypt the nand? Can you alter it and resign it? Or at least can you get it past the signature check then point it to the new nand? And here again... How are you going to keep the console from getting banned?
    If things were even close to as easy as prior consoles it would have been hacked day one. But why on earth would a console manufacturer not improve it? (Dont use nintendo as an excuse. They obviously have no clue what they are doing...)
     
  7. Sketch

    Sketch Enthusiast

    Messages:
    696
    Ratings:
    316
    Why would anyone want to be online in the first place? Not like anyone would be on live after an exploit since you'd instantly fail challenges when an unknown process or failed boot log is sent off.
     
  8. schitzotm

    schitzotm Contributor

    Messages:
    2,115
    Ratings:
    1,882
    Nobody wants an offline only modded console. There is no purpose in that. Enabling modded content and mod menus are what modded consoles are for. Offline only means what, story mode only pirating?
    Youll find the only things people want: high rank/prestige, weapon unlocks, modded clothes, in game money, progress unlocks, super speed, high jump, rapid fire, god mode, pirated games, ect. Anything besides that and you might as well consider the console as not hacked.
     
  9. Sketch

    Sketch Enthusiast

    Messages:
    696
    Ratings:
    316
    If people want a console hacked because they want to be online and cheat on games then they can expect nothing to ever come from t he One. That's pathetic and I can already assure that it won't be happening.
     
    • Like Like x 2
  10. decima7e

    decima7e Contributor

    Messages:
    1,819
    Ratings:
    957
    1. I was going to type that you'd be better off exploiting edge browser, then I found this article that unknownv2 already did it on the xbox one but the application is not running as Admin so you'd need another exploit to escalate privileges
    http://wololo.net/2017/03/31/xbox-o...pt-released-based-chakra-exploit-unconfirmed/

    2. The Xbox one hash checks the updates after they are downloaded. Not possible.

    3. Nope.

    I hope game mods never come to Xbox. A flashed drive would be sweet, though.
     
  11. schitzotm

    schitzotm Contributor

    Messages:
    2,115
    Ratings:
    1,882
    Agree that cheating in games is pathetic. But come on man. You had to know that this is the only things people are interested in for hacking a console. Microsoft hands out dev access for free all the time. So there goes that reason. And piracy? Well really not much need as xbl always handing out free games and free play days. And I believe in paying for my games. Developers gotta eat too.
    Point being there really isnt much point in exploiting a console unless it can do things it didnt do before. And most games are mainly played online.
    So what does that leave? Yep online modding. And one isnt going to modify a game without adding free stuff and level ups.
    What was your goal before being handed a cease and desist?
     
  12. Sketch

    Sketch Enthusiast

    Messages:
    696
    Ratings:
    316
    For creating an environment where people can explore the freedom of the console and maybe enjoy offline modding. There can still be interesting things done without the need to be online.
     
    • Like Like x 2
  13. Chrishockey55

    Chrishockey55 Lifetime Premium Lifetime

    Messages:
    1,033
    Ratings:
    349
    Honestly The Main reason why there is no exploit yet is because People that have been doing this from day 1 when they where kids are now older and onto better things in there life. Honestly The entire thing has to deal with the new generation of modders trying to obtain a task that they have no background on. You don't think for a second That tx people and others have someone working within there friend group ( probably 30 - 35 ish in age) the ogs of the scene .... Yeah! 100 percent! But that will never hit the public. The developers of these projects dont want people cheating on these games they want to exploit these console for home brew use and the use of doing things offline!

    Also as to the point of burning through xb1 consoles by getting them banned. Some times there are ways around this. When xbox 360 kvs started out i was selling unshareds for 100 120 a pop now with the demand of consoles on the market and the rgh hack more consoles are exploitable and we would never see a price like that for a kv again. In 2010 etc kvs for 360 where either shared or unshared most people bought shared which where sold to 5 or more people. Therefore getting 40 for a shared with 5 people on it would pay for it. But like stated above consoles are not supposed to be for online usage. I remember when we would use kvs to test live and they would get banned super quick For testing purposes this sucks! but in the end run if your goal is to use the console online trial and error and waste always pays off.

    xb1 honestly dont plan on anything soon. But ps4 thats been done! i just came back from the non modding scene just a few days ago and i made contact with people i haven't talked to in months and i have personally seen things done on the ps4 its all about when they want to show it and who wants to post it. Some people just dont quit! they could get arrested, sued , be in jail and months later they are back trying to give something back to the community :wink:
     
  14. HexDecimal

    HexDecimal Getting There

    Messages:
    522
    Ratings:
    122
    Its not that people are not working on the console, its that Microsoft has and will stop anyone from going public with their research. Which is for the best, most people just want it exploited for aimbots and mod menus. They want to make a profit off of it with KVs and stealth servers and what not. No one is going to "give" to the community when they will get their lives ruined in lawsuits, and why should they?

    Exploits would just be used to ruin multiplayer for others. Sure a few would create homebrew, custom dashboards, etc, but the vast majority would just download the latest menu and fire up call of duty. So why should they spend their time and money finding exploits to release publicly, only to be slammed by Microsoft and then aimbotted by a nine year old? Most people (like myself) would rather report to MS's bug bounty program, preventing the above from happening, along with being able to pursue their interest in a legal way.
     
    • Like Like x 3
    Last edited: Nov 7, 2017
  15. schitzotm

    schitzotm Contributor

    Messages:
    2,115
    Ratings:
    1,882
    I agree with this completely.
    And to add to it. Without some sort of hardware issue there is nothing to gain from exploiting the console. Other than it getting patched and you getting banned or worse yet a C&D and possibly a lawsuit.
    The only way you will beat microsoft is to find a flaw in their hardware like the reset glitch in the 360. You would need something they cant repair via software so you can point back to bugged firmware.
    If your interest is in exploiting the console then do so. And make money by reporting your findings to microsoft bounty.
    If you need rank, weapons, or better skill then just practice.
    For me personally I like knowing that the guy that dominated me in game was just a better player. Much more fun when you know the other guy isn't cheating. Also gives hope to getting a win in every once in a while.
     
  16. Lipton01

    Lipton01 Enthusiast

    Messages:
    91
    Ratings:
    12
    most definitely an exploit for xbox one is possible. seeing how its basically a computer and from what I skimmed from above its VM and sanboxed etc etc. back when I was on HF with a couple people there were a few exploits such as Athena insomnia or crimepack etc that removed sandboxie by hooking into sys32. seeing xbox is basically windows 10 modified I'm sure theres something but honestly. like bhrishockey(chrishockey) said. we're all old now so the scene is basically a new generation . but hey . I still got my 360 lol
     
    • Like Like x 1
  17. HexDecimal

    HexDecimal Getting There

    Messages:
    522
    Ratings:
    122
    Its not that simple, the UWP app-container prevents you from making unauthorized API calls. The memory is also protected, among other things. Say you did somehow manage to evade all of those things and get full system code exec in the SystemOS VM. You need a whole new set of exploits to gain access to the other 2 VMs (Hyper-V Exploits), exploits that would be worth thousands.
     

Share This Page