Merge pull request #4 from xboxoneresearch/feat/add_solstice_nw_loader
feat: Added solstice payload server and network-loading GameScript payload
Commit: 3aca48f3f0
README.md: 15 lines changed
@ -2,12 +2,13 @@
Collateral Damage is a kernel exploit for Xbox SystemOS using [CVE-2024-30088](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30088).
It targets Xbox One and Xbox Series consoles running kernel versions 25398.4478, 25398.4908, and 25398.4909. The initial entrypoint is via the Game Script UWP application.
This exploit was developed by [Emma Kirkpatrick](https://x.com/carrot_c4k3) (vulnerability discovery & exploitation) and [Lander Brandt](https://x.com/landaire) ([PE loader](https://github.com/exploits-forsale/solstice) development)
The first stage payloads, PE loader and network loader are provided by [Solstice](https://github.com/exploits-forsale/solstice).
This exploit was developed by [Emma Kirkpatrick](https://x.com/carrot_c4k3) (vulnerability discovery & exploitation) and [Lander Brandt](https://x.com/landaire) (Solstice)
## Important Caveats
This initial release is largely intended for developers. Currently a way to place files into the `LocalState` directory of Game Script is required via an app such as [Adv File Explorer (FullTrust)](https://apps.microsoft.com/detail/9nbnjpsxfsqb).
This is due to the requirement of placing the `stage2.bin` and `run.exe` files onto into the `LocalState` directory. In the near future a payload will be supplied which will load those files over the network, so the initial payload will simply be
a script which can be inputted via a USB keyboard emulator.
To place the payload locally on the Xbox console a full-trust explorer like [Adv File Explorer (FullTrust)](https://apps.microsoft.com/detail/9nbnjpsxfsqb) is recommended. Alternatively, the initial payload can be served via a USB keyboard simulator (rubber ducky etc.) and further payload stages can then be loaded over the network.
The reverse shell example provided here requires that your console is connected to a network. When connecting your console to a network be very careful to avoid connecting to the internet and updating. Try to block connectivity to Xbox LIVE as
much as possible, at the very least by setting your DNS to invalid servers.
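Review bot: the rewritten caveat line ("To place the payload locally on the Xbox console ...") offers the keyboard-simulator route as an alternative but never says what must be running on the PC side for "further payload stages can then be loaded over the network"; add a sentence that this route requires the payload server shipped in this PR to be running on the PC whose IP is entered in the script, and that the console must reach that PC over the LAN while Xbox LIVE is blocked, since the network warning two lines down only covers internet access. Minor wording: "first stage payloads" should be "first-stage payloads", and "rubber ducky" is a product name (Rubber Ducky). The new credit line "(Solstice)" drops what Solstice contributes; the line directly above already lists that, so "(Solstice)" could read "(Solstice loader)" or be dropped from the credit.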
@ -15,8 +16,10 @@ much as possible, at the very least by setting your DNS to invalid servers.
This exploit is not fully reliable. It relies on a CPU side channel as well as a race condition, both of which have the potential to fail. In the event of a failure, the exploit may alert you that it has failed via network output, or the console itself may crash and reboot.
## Usage
- Modify line 7 of `gamescript_autosave.txt` to contain the local IP of your PC.
- Copy `gamescript_autosave.txt`, `stage2.bin`, and `run.exe` to the `LocalState` directory of the Game Script application on your Console (`Q:\Users\UserMgr0\AppData\Local\Packages\27878ConstantineTarasenko.458004FD2C47C_c8b3w9r5va522\LocalState\`)
- Modify line 7 of `gamescript_autosave_network.txt` or `gamescript_autosave.txt` to contain the local IP of your PC.
- For use with Full-Trust File Explorer App: Copy `gamescript_autosave.txt`, `stage2.bin`, and `run.exe` to the `LocalState` directory of the Game Script application on your Console (`Q:\Users\UserMgr0\AppData\Local\Packages\27878ConstantineTarasenko.458004FD2C47C_c8b3w9r5va522\LocalState\`)
- For HID / Keyboard simulator input: Type the contents of `gamescript_autosave_network.txt` into the GameScript window. Serve `stage2.bin` and `run.exe` via `payload_server_win_x64.exe --stage2 stage2.bin --run run.exe`
- Listen on port 7070 on your PC using netcat or a similar tool (command example: `nc64.exe -lvnp 7070`)
- Open the Game Script application on your console and select "Show Code Run window" and click "Run code once"
- If the exploit is success you should see output on your PC that resembles the following:
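Review bot: `payload_server_win_x64.exe`, which the HID / keyboard simulator step tells users to run on their PC, arrives in this PR as an opaque binary with no pointer to the source it was built from, no build instructions and no checksum; add the Solstice commit or tag it was built from and a SHA-256 to the README so the file that serves `stage2.bin` and `run.exe` can be verified before it is executed. Separately, the "Modify line 7" step now names two files but the diff of `gamescript_autosave_network.txt` is suppressed here, so confirm the IP really sits on line 7 of that file too, or better, describe the line's contents (the PC IP placeholder) so the instruction survives future edits to either script.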
solstice_artifacts/gamescript_autosave_network.txt (new file, 364 lines)
File diff suppressed because one or more lines are too long
solstice_artifacts/payload_server_win_x64.exe (new binary file)
Binary file not shown.