Skip to content

Commit 53a1b35

Browse files
committed
initial commit
0 parents  commit 53a1b35

34 files changed

Lines changed: 4180 additions & 0 deletions

README.md

Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,79 @@
1+
# Overview:
2+
3+
This is a Stack Based Buffer Overflow exploit for Black Ops 3 on the Xbox 360 that gives the attacker full memory and execution manipulation ability on every client's xbox.
4+
5+
# The Exploit:
6+
7+
This epxloit relies on a buffer overflow vulnerability when receiving voice chat data from other people in the game lobby.
8+
9+
Voice Data is processed by the game though "voice packets" that contains, among other things, the voice data and the size of the voice data. The handling code looks something like this:
10+
```
11+
voiceData->dataSize = readPacketUnsignedShort(packetPtr);
12+
voiceData->data = readPacketArray(packetPtr, voiceData->dataSize);
13+
```
14+
Key points:
15+
- The data's size is only defined by what value the packet has
16+
- There is no check on the data size to prevent a buffer overflow
17+
- The location of the voiceData structure is on the stack
18+
- The voiceData structure is at the end of the stack
19+
20+
Internally the maximum voice data size is 1198 bytes, but dataSize is an unsigned short so we can write up to 65535 bytes. This means that we can write up to 64337 bytes into the stack.
21+
22+
As the expliot allows the stack to be corrupted, we can manipulate the return address and other saved registers to perform a Return-Oriented-Programming (ROP) chain exploit. Through both exploits, it is possible to control the memory and execution flow of any client connected to the current game lobby.
23+
24+
The attacker doesn't need to be host and just needs to connect to the game lobby for the exploit to work. Thus commands like "fast_restart" can be executed as if it was the host that used the command.
25+
26+
# Proof Of Concept: Sending server commands
27+
28+
This section is a writeup of how the exploit packet is crafted to send a malicious server command. My aim for the ROP chain was to execute the command and return execution flow back to the game without any exceptions or errors being produced. The parameters of the server command are:
29+
1. the client number of which the command is executed on behalf of
30+
2. the command string to execute
31+
32+
The malicious voice data structure is first loaded with the command string being executed by the attacker.
33+
34+
The entry point for the ROP chain is when the exploitable function returns to the caller function:
35+
```
36+
addi r1, r1, 0x540
37+
b __restgprlr_29
38+
```
39+
- It adds 0x540 to the stack
40+
- __restgprlr_29 loads the registers 29-31 and return value saved on to the stack back into the original registers.
41+
42+
The malicious voice packet uses the buffer overflow to overwrite the saved return address with the address of gadget 1 and uses __restgprlr_29 to jump to gadget 1.
43+
44+
Gaget 1:
45+
```
46+
addi r1, r1, 0x80
47+
b __restgprlr_28
48+
```
49+
- It adds 0x80 to the stack
50+
- __restgprlr_28 loads the registers 28-31 and return value saved on to the stack back into the original registers.
51+
52+
The saved values of r28-r31 are overwritten by the buffer overflow which contain the client index (r29), the command to execute (r31), and the command execution function address (r28). These values are used in gadget 2. The return address is overwritten with the address of gadget 2.
53+
54+
Gaget 2:
55+
```
56+
mr r4, r31
57+
mr r3, r29
58+
mtctr r28
59+
bctrl
60+
addi r1, r1, 0x90
61+
b __restgprlr_25
62+
```
63+
- It loads r31 into r4, r29 into r3, and execution jumps to the value in r28
64+
- It adds 0x90 to the stack
65+
- __restgprlr_25 loads the registers 25-31 and return value saved on to the stack back into the original registers.
66+
67+
This gadget uses the registers from gadget 1 to execute the command execution function (r3 is the client, r4 is the command string).
68+
69+
Once gadget 2 is executed, the total stack size used by the exploit is 0x110. This is the exact size of the stack used by the exploitable function's caller, so when gadget 2 returns, execution flow will be returned to how it was before the exploit was executed.
70+
71+
72+
# Proof Of Concept Usage:
73+
74+
This PoC was only written to work on the zombies version of the game and will NOT work on multiplayer.
75+
1. Load the DLL into Black Ops 3.
76+
2. Open the executable and connect to your xbox 360.
77+
3. Load into a game with other people.
78+
4. Fill in the data needed for a command and press the send button.
79+
5. The commands will be executed on every client's xbox apart from yourself.
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
2+
Microsoft Visual Studio Solution File, Format Version 11.00
3+
# Visual Studio 2010
4+
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "VoicePacketExploitDLL", "VoicePacketExploitDLL.vcxproj", "{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}"
5+
EndProject
6+
Global
7+
GlobalSection(SolutionConfigurationPlatforms) = preSolution
8+
CodeAnalysis|Xbox 360 = CodeAnalysis|Xbox 360
9+
Debug|Xbox 360 = Debug|Xbox 360
10+
Profile_FastCap|Xbox 360 = Profile_FastCap|Xbox 360
11+
Profile|Xbox 360 = Profile|Xbox 360
12+
Release_LTCG|Xbox 360 = Release_LTCG|Xbox 360
13+
Release|Xbox 360 = Release|Xbox 360
14+
EndGlobalSection
15+
GlobalSection(ProjectConfigurationPlatforms) = postSolution
16+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.CodeAnalysis|Xbox 360.ActiveCfg = CodeAnalysis|Xbox 360
17+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.CodeAnalysis|Xbox 360.Build.0 = CodeAnalysis|Xbox 360
18+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.CodeAnalysis|Xbox 360.Deploy.0 = CodeAnalysis|Xbox 360
19+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Debug|Xbox 360.ActiveCfg = Debug|Xbox 360
20+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Debug|Xbox 360.Build.0 = Debug|Xbox 360
21+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Debug|Xbox 360.Deploy.0 = Debug|Xbox 360
22+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Profile_FastCap|Xbox 360.ActiveCfg = Profile_FastCap|Xbox 360
23+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Profile_FastCap|Xbox 360.Build.0 = Profile_FastCap|Xbox 360
24+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Profile_FastCap|Xbox 360.Deploy.0 = Profile_FastCap|Xbox 360
25+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Profile|Xbox 360.ActiveCfg = Profile|Xbox 360
26+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Profile|Xbox 360.Build.0 = Profile|Xbox 360
27+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Profile|Xbox 360.Deploy.0 = Profile|Xbox 360
28+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Release_LTCG|Xbox 360.ActiveCfg = Release_LTCG|Xbox 360
29+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Release_LTCG|Xbox 360.Build.0 = Release_LTCG|Xbox 360
30+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Release_LTCG|Xbox 360.Deploy.0 = Release_LTCG|Xbox 360
31+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Release|Xbox 360.ActiveCfg = Release|Xbox 360
32+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Release|Xbox 360.Build.0 = Release|Xbox 360
33+
{FC7C753C-ABCD-4D02-B70D-C2F01A8F083C}.Release|Xbox 360.Deploy.0 = Release|Xbox 360
34+
EndGlobalSection
35+
GlobalSection(SolutionProperties) = preSolution
36+
HideSolutionNode = FALSE
37+
EndGlobalSection
38+
EndGlobal
16.5 KB
Binary file not shown.
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
<?xml version="1.0" encoding="utf-8"?>
2+
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3+
</Project>

0 commit comments

Comments
 (0)