xboxscene.org forums


Author Topic: Launching Swf Files Via Kiosk Disk  (Read 2074 times)

Arakon

  • Archived User
  • Hero Member
  • *
  • Posts: 629
Launching Swf Files Via Kiosk Disk
« Reply #30 on: December 28, 2005, 08:15:00 AM »

@illicitx: can you send me any flash file that does definitely work for you? so I have a base to mess with. email it to arakon "at" gmail dot com please.
Logged

illicitx

  • Archived User
  • Newbie
  • *
  • Posts: 15
Launching Swf Files Via Kiosk Disk
« Reply #31 on: December 28, 2005, 07:41:00 AM »

QUOTE(Arakon @ Dec 28 2005, 03:46 PM)

@illicitx: can you send me any flash file that does definitely work for you? so I have a base to mess with. email it to arakon "at" gmail dot com please.

Yes, but I'm not at that computer. It would have to be tonight.
Logged

kanderson

  • Archived User
  • Newbie
  • *
  • Posts: 9
Launching Swf Files Via Kiosk Disk
« Reply #32 on: December 28, 2005, 08:31:00 AM »

Since I don't have a 360 myself, I will post all the info I have right now to help you guys out:

The player is Flash 6 / 7. ActionScript 1 and 2 run on both. zlib compression is very common on Flash files, if not always (there's an option in the Flash IDE to turn it off, but that's not really relevant).

The player on the Xbox is a custom-built player. This means it might or might not have certain features the Flash players 6/7 do have. For instance, using webcam features might or might not be implemented for specific reasons.

One thing which is for sure is that most "special" implementations of the MM Flash Player have hooks built in to talk to the host machine/OS. On Flash Lite, fscommand / fscommand2 is the method used to hook to the hosting platform (phones, mostly).

On the Xbox 360 Flash Player this is implemented through fscommands, as well as through the getURL method, which is normally used to call an HTTP page. This implementation is pretty weird and seems very hackish... I've compiled a little list of fscommands and getURLs possible:

getURL("FSCommand:LeaderBoardGameMode", GameMode); // XBOX LIVE/ARCADE Method
getURL("FSCommand:LeaderBoardSortOrder", SortOrder); // XBOX LIVE/ARCADE Method
getURL("FSCommand:LeaderBoardQuery", LeaderBoardSelected); // XBOX LIVE/ARCADE Method
getURL("FSCommand:LeaderBoardGameMode", GameMode);// XBOX LIVE/ARCADE Method
getURL("FSCommand:ShowGamercard", index); // XBOX LIVE/ARCADE Method
getURL("FSCommand:Presence", xml); // ????
getURL("FSCommand:DifficultyContext", xml); // XBOX Settings call ?
getURL("FSCommand:WriteStats", xml); //Writes an xml to the os ? ???
getURL("FSCommand:SaveSettings", xml); //saves an xml to the os ? ???
getURL("FSCommand:SoundFX", _loc2._Level_sfx); //Tells the os to play a sound ?
getURL("FSCommand:MusicVolume", _loc2._Level_music); //Changes volume on os ?
getURL("FSCommand:SaveGame", str); // ???
getURL("FSCommand:FileIOReadHeader", text); //Reads utf8 text from file
getURL("FSCommand:FileIOReadBody", text);  //Reads utf8 text from file    
getURL("FSCommand:FileIOWriteHeader", text); //writes utf8 text to file
getURL("FSCommand:FileIOWriteBody", text);//writes utf8 text to file
getURL("FSCommand:FileIOButton", text);//????
fscommand("LoadSettings", "settings");
fscommand("LoadGame");
fscommand("SessionReady", "true");
fscommand("TerminateGame", "<data><exit v=\"UserButton\"/></data>"); //Exiting the player?

These 2 getURLs interest me most:
getURL("FSCommand:FileIOWriteHeader", text);
getURL("FSCommand:FileIOWriteBody", text);

Logged
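
Added example, not part of any post in this thread: a static check of a SWF file's header and zlib compression as described above, followed by a listing of the "FSCommand:" host calls it contains. The names inflate_swf, host_commands and make_sample, the 16 MiB cap and the sample bytes are assumptions constructed for illustration; the scan is a plain string search, not a tag-level decompiler.

```python
import re
import struct
import zlib

MAX_BODY = 16 * 1024 * 1024  # assumed cap on inflated size, not from the thread
HOST_CALL = re.compile(rb"FSCommand:([A-Za-z0-9_]+)")

def inflate_swf(data, limit=MAX_BODY):
    """Parse the 8-byte SWF header; return (version, declared_len, body)."""
    if len(data) < 8:
        raise ValueError("too short for a SWF header")
    sig, version, declared = struct.unpack("<3sBI", data[:8])
    if sig == b"FWS":                      # uncompressed
        body = data[8:]
    elif sig == b"CWS":                    # zlib-compressed after the header
        d = zlib.decompressobj()
        try:
            body = d.decompress(data[8:], limit + 1)  # bounded inflate
        except zlib.error as exc:
            raise ValueError("corrupt zlib stream: %s" % exc)
        if len(body) > limit:
            raise ValueError("inflated body exceeds limit")
        if not d.eof:
            raise ValueError("truncated zlib stream")
    else:
        raise ValueError("not a SWF signature: %r" % sig)
    if declared != len(body) + 8:          # FileLength counts the header too
        raise ValueError("header says %d bytes, got %d" % (declared, len(body) + 8))
    return version, declared, body

def host_commands(body):
    """Sorted unique command names found in "FSCommand:<name>" strings."""
    return sorted({m.group(1).decode("ascii") for m in HOST_CALL.finditer(body)})

def make_sample(compressed=True, version=7):
    """Constructed test input: header plus NUL-separated strings, no real tags."""
    names = [b"FileIOWriteHeader", b"ShowGamercard", b"FileIOWriteHeader"]
    body = b"".join(b"FSCommand:" + n + b"\x00" for n in names)
    head = struct.pack("<3sBI", b"CWS" if compressed else b"FWS", version, len(body) + 8)
    return head + (zlib.compress(body) if compressed else body)

if __name__ == "__main__":
    version, size, body = inflate_swf(make_sample())
    print("SWF version", version, "length", size)
    for name in host_commands(body):
        print("host call:", name)
```

The bounded inflate and the header-length comparison reject oversized, truncated or mislabelled files before any further parsing is attempted.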

crobar

  • Archived User
  • Hero Member
  • *
  • Posts: 789
Launching Swf Files Via Kiosk Disk
« Reply #33 on: December 28, 2005, 08:44:00 AM »

Where did you get your info, if you don't have a 360 to run the tests on?

Logged

kanderson

  • Archived User
  • Newbie
  • *
  • Posts: 9
Launching Swf Files Via Kiosk Disk
« Reply #34 on: December 28, 2005, 08:47:00 AM »

QUOTE(crobar @ Dec 28 2005, 04:15 PM)

Where did you get your info, if you don't have a 360 to run the tests on?


You do not need to have an xbox to look at swf files. So maybe I do have swf files but not an xbox.
Logged

crobar

  • Archived User
  • Hero Member
  • *
  • Posts: 789
Launching Swf Files Via Kiosk Disk
« Reply #35 on: December 28, 2005, 08:24:00 AM »

I'm not saying your info is fake... just asking, I'd love to get my hands on the files myself to do some testing.
Hopefully tonight I'll have the DVD and I'll be able to get my hands dirty :)
Logged

Zenofex

  • Archived User
  • Newbie
  • *
  • Posts: 13
Launching Swf Files Via Kiosk Disk
« Reply #36 on: December 28, 2005, 11:33:00 AM »

Sorry for a repost, but did we ever establish if the Xbox 360's stack is executable? If so, could we try to do a buffer overflow using:

text = & quot;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

getURL("FSCommand:FileIOWriteHeader", text);

or

getURL("FSCommand:FileIOWriteBody", text);

I know we would have to develop some shell code and I would give it a shot, but I'm still trying to find a 360 in my area.
Logged

TheRandomDude

  • Archived User
  • Newbie
  • *
  • Posts: 14
Launching Swf Files Via Kiosk Disk
« Reply #37 on: December 28, 2005, 11:37:00 AM »

Would somebody please just decompile helix so we know at least some of the commands to fool around with? There are plenty of swf to fla converters out there.
Logged

illicitx

  • Archived User
  • Newbie
  • *
  • Posts: 15
Launching Swf Files Via Kiosk Disk
« Reply #38 on: December 28, 2005, 11:44:00 AM »

I will be back at my PC and Xbox 360 in 5 hours. That's when a lot of testing will be done and new info will be released.
Logged

Zenofex

  • Archived User
  • Newbie
  • *
  • Posts: 13
Launching Swf Files Via Kiosk Disk
« Reply #39 on: December 28, 2005, 11:12:00 AM »

I found this out there about geturl() with FSCommands

http://www.iay.org.u...ki.pl?FSCommand
Logged

Monoxboogie

  • Archived User
  • Newbie
  • *
  • Posts: 44
Launching Swf Files Via Kiosk Disk
« Reply #40 on: December 28, 2005, 01:50:00 PM »

Has anybody considered the recent Zlib exploit?  There is a buffer overflow in versions 1.2.1 and 1.2.2 of Zlib.  Though there is a fat chance that MS used a vulnerable version, it may not be completely impossible.  They did, after all, build their flash player off of an old version.

There also appear to be several vulnerabilities to the flash player 6.x.y series.  Though MS probably got to pick and choose certain functionalities, it's possible that some of the vulnerable code may still be resting in there.  http://www.securiteam.com/ and search for "Zlib" will yield 1 promising result (the rest are old).  Searching for "Flash" yields quite a few interesting results.
Logged

shakaru

  • Archived User
  • Full Member
  • *
  • Posts: 128
Launching Swf Files Via Kiosk Disk
« Reply #41 on: December 28, 2005, 02:46:00 PM »

And do what? Crash the hypervisor so the machine needs to repost? Won't do but kill a virtual machine.
Logged

bowser22

  • Recovered User
  • Newbie
  • *
  • Posts: 42
Launching Swf Files Via Kiosk Disk
« Reply #42 on: December 28, 2005, 02:57:00 PM »

Stack memory on the 360 is not executable making it virtually impossible to do a buffer overload
Logged

GileS

  • Archived User
  • Newbie
  • *
  • Posts: 6
Launching Swf Files Via Kiosk Disk
« Reply #43 on: December 28, 2005, 03:40:00 PM »

Well I can verify the fscommands and getURLs posted by kanderson.  They are all right in the swf file for hexic once decompiled
Logged

Monoxboogie

  • Archived User
  • Newbie
  • *
  • Posts: 44
Launching Swf Files Via Kiosk Disk
« Reply #44 on: December 28, 2005, 03:14:00 PM »

QUOTE(shakaru @ Dec 28 2005, 10:17 PM)

And do what? Crash the hypervisor so the machine needs to repost? Won't do but kill a virtual machine.



QUOTE(bowser22 @ Dec 28 2005, 10:28 PM)

Stack memory on the 360 is not executable making it virtually impossible to do a buffer overload


The answer I was looking for would be "No."  Not some commentary from people who don't know otherwise.

How do you know it would *kill* the VM?  What if it instead rendered control of the VM over to us?  Though it's not the entire 360; it's a start.

And though stack memory may not be executable, that hasn't stopped it from happening before.  Look for the NX bit exploits.  Also, at least one of those exploits is heap based, not stack.

If anybody told you guys one month ago that MS would fuck up and release a disc which could be modified, burnt to a CD, and run, you'd have assumed we were full of shit.
Logged