xboxscene.org forums

Xbox360 Forums => Xbox 360 Hacking Forums => Technical USB / Wireless / Network Forum => Topic started by: Slack3er on November 24, 2005, 08:43:00 AM

Title: Port Scanning
Post by: Slack3er on November 24, 2005, 08:43:00 AM
My setup is simple: one computer running Slackware, an Xbox 360 (latest updates) and a D-Link router. So no firewalls in my LAN, only the D-Link.

If you do an nmap scan of the 360, TCP port 1026 is open. The other UDP and TCP ports are in a state of filtered. There are three things I'd like to point out.

1) Port 1026 is open. Does anyone have any idea what service is running? My best guess would be something to do with Xbox Live. Maybe the messenger service, as you would need that service open to receive emails.

2) All other UDP and TCP ports are filtered. Most of the time if you scan a host the ports are either open or closed. Being filtered tells me something is blocking my probes, like a firewall. I'm guessing the Xbox 360 has a firewall; what do you think? Just say for a minute it does: we know it blocks incoming traffic. What about outgoing? If we do exploit the Xbox somehow, a firewall will make it harder to open an FTP/telnet server if it filters outgoing traffic.

3) If you type http://ipaddressofxbox360here:1026/ into a web browser, it'll download a file called index.html (HTTP server?). I edited the file below to remove my serial number, etc.

<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0" xmlns:ms="urn:MS-com:wmc-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <device ms:X_MS_SupportsWMDRM="true">
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <manufacturer>MS Corporation</manufacturer>
    <manufacturerURL>http://www.MS.com/</manufacturerURL>
    <modelName>Xbox 360</modelName>
    <modelNumber></modelNumber>
    <modelDescription>Xbox 360</modelDescription>
    <modelURL>http://www.xbox.com/</modelURL>
    <friendlyName>Xbox 360</friendlyName>
    <serialNumber>REMOVEDINFORMATION</serialNumber>
    <UDN>uuid:REMOVEDINFORMATION</UDN>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:RenderingControl</serviceId>
        <SCPDURL>/Content/RenderingControl</SCPDURL>
        <controlURL>/Control/RenderingControl</controlURL>
        <eventSubURL>/Event/RenderingControl</eventSubURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
        <SCPDURL>/Content/ConnectionManager</SCPDURL>
        <controlURL>/Control/ConnectionManager</controlURL>
        <eventSubURL>/Event/ConnectionManager</eventSubURL>
      </service>
    </serviceList>
  </device>
</root>

I don't know if any of this is any good, but I thought I'd pass it along. Take it lightly; I'm not a coder, just a geek. :)

Just like to say thanks to Xbox-Scene, Xbox-Linux, etc. Been a long time reader.

Cheers;
Slack3er

This post has been edited by Slack3er: Nov 24 2005, 04:45 PM
Title: Port Scanning
Post by: Tp21 on November 24, 2005, 08:54:00 AM
I think it's for the Media Center connection.
Title: Port Scanning
Post by: Tp21 on November 24, 2005, 10:56:00 AM
What happens if you go to the directory http://XBOX360IP:1026/Content/ConnectionManager (for example)?
(I don't have an Xbox 360 here (yet); I live in the Netherlands... the 360 comes out here on 2 December :( )
Title: Port Scanning
Post by: crystalgeek on November 24, 2005, 11:09:00 AM
Try using a program like IntelliTamper to scan the Xbox directories. In IntelliTamper, type http://ipofxbox:1038/

This post has been edited by crystalgeek: Nov 24 2005, 07:09 PM
Title: Port Scanning
Post by: Slack3er on November 24, 2005, 12:51:00 PM
Thanks for everyone's suggestions and replies. :)

crystalgeek:
I tried scanning my Xbox with IntelliTamper. The only file it finds is called _index_defaultpage.html. I tried different settings, like /Content/ConnectionManager or /event/, but that's all it finds; the file contains the same info as I posted above.

Tp21:
When I tried that (http://XBOX360IP:1026/Content/ConnectionManager) it finds a new file called ConnectionManager.xml

I also tried different combinations, but no more luck. :(
/Content/ConnectionManager
/Control/ConnectionManager
/Event/ConnectionManager
/Content/
/Control/
/Event/

Thanks again;
Slack3er

================New file contents=====================

<?xml version="1.0" ?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <actionList>
    <action>
      <name>GetCurrentConnectionIDs</name>
      <argumentList>
        <argument>
          <name>ConnectionIDs</name>
          <direction>out</direction>
          <relatedStateVariable>CurrentConnectionIDs</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
    <action>
      <name>GetCurrentConnectionInfo</name>
      <argumentList>
        <argument>
          <name>ConnectionID</name>
          <direction>in</direction>
          <relatedStateVariable>A_ARG_TYPE_ConnectionID</relatedStateVariable>
        </argument>
        <argument>
          <name>RcsID</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_RcsID</relatedStateVariable>
        </argument>
        <argument>
          <name>AVTransportID</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_AVTransportID</relatedStateVariable>
        </argument>
        <argument>
          <name>ProtocolInfo</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_ProtocolInfo</relatedStateVariable>
        </argument>
        <argument>
          <name>PeerConnectionManager</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_ConnectionManager</relatedStateVariable>
        </argument>
        <argument>
          <name>PeerConnectionID</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_ConnectionID</relatedStateVariable>
        </argument>
        <argument>
          <name>Direction</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_Direction</relatedStateVariable>
        </argument>
        <argument>
          <name>Status</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_ConnectionStatus</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
    <action>
      <name>GetProtocolInfo</name>
      <argumentList>
        <argument>
          <name>Source</name>
          <direction>out</direction>
          <relatedStateVariable>SourceProtocolInfo</relatedStateVariable>
        </argument>
        <argument>
          <name>Sink</name>
          <direction>out</direction>
          <relatedStateVariable>SinkProtocolInfo</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
  </actionList>
  <serviceStateTable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_ProtocolInfo</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_ConnectionStatus</name>
      <dataType>string</dataType>
      <allowedValueList>
        <allowedValue>OK</allowedValue>
        <allowedValue>ContentFormatMismatch</allowedValue>
        <allowedValue>InsufficientBandwidth</allowedValue>
        <allowedValue>UnreliableChannel</allowedValue>
        <allowedValue>Unknown</allowedValue>
      </allowedValueList>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_AVTransportID</name>
      <dataType>i4</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_RcsID</name>
      <dataType>i4</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_ConnectionID</name>
      <dataType>i4</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_ConnectionManager</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="yes">
      <name>SourceProtocolInfo</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="yes">
      <name>SinkProtocolInfo</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_Direction</name>
      <dataType>string</dataType>
      <allowedValueList>
        <allowedValue>Input</allowedValue>
        <allowedValue>Output</allowedValue>
      </allowedValueList>
    </stateVariable>
    <stateVariable sendEvents="yes">
      <name>CurrentConnectionIDs</name>
      <dataType>string</dataType>
    </stateVariable>
  </serviceStateTable>
</scpd>
Title: Port Scanning
Post by: Dameon on November 24, 2005, 04:58:00 PM
The original Xbox had some support for this to automatically forward ports for Live, but that was outgoing. It would connect to your router and use the UPnP protocol for an Internet Gateway Device to open ports.

Check out the specs at http://www.upnp.org/

Unlike the old Xbox, the 360 appears to have support for being a device rather than just a client. Some of the names match up to the UPnP spec for MediaServer and MediaRenderer (such as MediaServer, MediaRenderer, ConnectionManager, and RenderingControl). I'm going to read the PDF and see what kind of features it has. This looks like a good point of attack for buffer overflows or even HD access (if the Xbox can serve the media).

http://www.upnp.org/...mediaserver.asp

As Tp21 guessed, this is likely to allow communications with Media Center. Amazingly enough, MS used a standard protocol on this one.

As a further experiment, try poking around using the name ContentDirectory. That was the only one of the components listed on the UPnP MediaServer page not to be referenced in the index file.
Title: Port Scanning
Post by: Slack3er on November 24, 2005, 05:54:00 PM
Thanks Dameon for your reply.

I tried ContentDirectory, but couldn't find anything. But for some reason I missed RenderingControl. It returns a file called RenderingControl.xml

http://192.168.0.102:1026/Content/RenderingControl

If there's anything else you'd like me to try, feel free. I'm all out of ideas, but will check out those links you recommended. If I find anything else, I'll post.

Regards;

===============File contents==================
<scpd>
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <actionList>
    <action>
      <name>ListPresets</name>
      <argumentList>
        <argument>
          <name>InstanceID</name>
          <direction>in</direction>
          <relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable>
        </argument>
        <argument>
          <name>CurrentPresetNameList</name>
          <direction>out</direction>
          <relatedStateVariable>PresetNameList</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
    <action>
      <name>SelectPreset</name>
      <argumentList>
        <argument>
          <name>InstanceID</name>
          <direction>in</direction>
          <relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable>
        </argument>
        <argument>
          <name>PresetName</name>
          <direction>in</direction>
          <relatedStateVariable>A_ARG_TYPE_PresetName</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
  </actionList>
  <serviceStateTable>
    <stateVariable sendEvents="yes">
      <name>LastChange</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>PresetNameList</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_PresetName</name>
      <dataType>string</dataType>
      <allowedValueList>
        <allowedValue>FactoryDefaults</allowedValue>
        <allowedValue>InstallationDefaults</allowedValue>
        <allowedValue>Vendor defined</allowedValue>
      </allowedValueList>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_InstanceID</name>
      <dataType>ui4</dataType>
    </stateVariable>
  </serviceStateTable>
</scpd>

This post has been edited by Slack3er: Nov 25 2005, 01:55 AM
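A parser for the two document types this thread has turned up, the root device description from the first post and the SCPD files behind /Content/..., as an added example that is not code from the thread or from any UPnP library. It embeds constructed XML samples in the same shape as the posted files (serial number and UDN are placeholders), resolves the service URLs the way a control point would, and lists every action argument the renderer accepts from the network, which is what an auditor would want to review first; it uses only the Python standard library.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample shaped like the root description posted above; the
# UDN is a placeholder, not a value from any console.
DEVICE_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0" xmlns:ms="urn:MS-com:wmc-1-0">
  <device ms:X_MS_SupportsWMDRM="true">
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <friendlyName>Xbox 360</friendlyName>
    <UDN>uuid:PLACEHOLDER-UDN</UDN>
    <serviceList>
      <service><serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:RenderingControl</serviceId>
        <SCPDURL>/Content/RenderingControl</SCPDURL><controlURL>/Control/RenderingControl</controlURL>
        <eventSubURL>/Event/RenderingControl</eventSubURL></service>
      <service><serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
        <SCPDURL>/Content/ConnectionManager</SCPDURL><controlURL>/Control/ConnectionManager</controlURL>
        <eventSubURL>/Event/ConnectionManager</eventSubURL></service>
    </serviceList>
  </device>
</root>"""
# Constructed sample: the RenderingControl SCPD as posted above, which the
# browser rendered without the service-1-0 namespace on <scpd>.
SCPD_XML = """<?xml version="1.0"?>
<scpd>
  <actionList>
    <action><name>ListPresets</name><argumentList>
      <argument><name>InstanceID</name><direction>in</direction><relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable></argument>
      <argument><name>CurrentPresetNameList</name><direction>out</direction><relatedStateVariable>PresetNameList</relatedStateVariable></argument>
    </argumentList></action>
    <action><name>SelectPreset</name><argumentList>
      <argument><name>InstanceID</name><direction>in</direction><relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable></argument>
      <argument><name>PresetName</name><direction>in</direction><relatedStateVariable>A_ARG_TYPE_PresetName</relatedStateVariable></argument>
    </argumentList></action>
  </actionList>
  <serviceStateTable>
    <stateVariable sendEvents="yes"><name>LastChange</name><dataType>string</dataType></stateVariable>
    <stateVariable sendEvents="no"><name>A_ARG_TYPE_InstanceID</name><dataType>ui4</dataType></stateVariable>
    <stateVariable sendEvents="no"><name>A_ARG_TYPE_PresetName</name><dataType>string</dataType>
      <allowedValueList><allowedValue>FactoryDefaults</allowedValue><allowedValue>InstallationDefaults</allowedValue></allowedValueList>
    </stateVariable>
  </serviceStateTable>
</scpd>"""


def _local(tag):
    # Strip any '{namespace}' prefix so one parser handles both the
    # namespaced root description and the bare <scpd> shown above.
    return tag.rsplit('}', 1)[-1]


def _text(elem, name):
    # Text of the first direct child called `name`, or '' if absent.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return ''


def _all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def parse_device(xml_text, base_url):
    """Return (device_info, services); relative URLs resolve against base_url."""
    root = ET.fromstring(xml_text)
    device = _all(root, 'device')[0]
    info = {k: _text(device, k) for k in ('deviceType', 'friendlyName', 'UDN')}
    services = [{
        'type': _text(s, 'serviceType'),
        'scpd': urljoin(base_url, _text(s, 'SCPDURL')),
        'control': urljoin(base_url, _text(s, 'controlURL')),
    } for s in _all(device, 'service')]
    return info, services


def parse_scpd(xml_text):
    """Return (actions, variables); actions maps name -> {direction: [(arg, var)]}."""
    root = ET.fromstring(xml_text)
    variables = {}
    for sv in _all(root, 'stateVariable'):
        variables[_text(sv, 'name')] = {
            'type': _text(sv, 'dataType'),
            'evented': sv.get('sendEvents') == 'yes',
            'allowed': [a.text for a in _all(sv, 'allowedValue')],
        }
    actions = {}
    for act in _all(root, 'action'):
        args = {'in': [], 'out': []}
        for arg in _all(act, 'argument'):
            args.setdefault(_text(arg, 'direction'), []).append(
                (_text(arg, 'name'), _text(arg, 'relatedStateVariable')))
        actions[_text(act, 'name')] = args
    return actions, variables


def input_surface(actions, variables):
    # Every 'in' argument with its declared type and allowed values: the
    # fields a remote control point fills in, i.e. what the renderer must validate.
    rows = []
    for name, args in actions.items():
        for arg, var in args['in']:
            v = variables.get(var, {})
            rows.append((name, arg, v.get('type', '?'), tuple(v.get('allowed', []))))
    return rows
```

Point parse_device at the text fetched from http://ipaddressof360:1026/ and parse_scpd at each 'scpd' URL it returns to get the same listing for a real console.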
Title: Port Scanning
Post by: meawoppl on November 25, 2005, 12:07:00 AM
Wow, that means the Xbox 360 should be able to traverse routers for local link play... M$ never ceases to amaze me whenever they actually go with a standard.
Title: Port Scanning
Post by: Tp21 on November 25, 2005, 01:37:00 AM
And for the firewall (all ports are filtered), they probably included one.
There's a hell of a lot more security in the 360, so why not?
Title: Port Scanning
Post by: blerik on November 25, 2005, 06:24:00 AM
Standard TCP/IP stacks return RST to a SYN trying to connect to an unbound socket. This TCP/IP stack doesn't return anything to those queries. Not a firewall per se, just a truncated TCP/IP stack.

--Blerik
Title: Port Scanning
Post by: Tp21 on November 25, 2005, 07:06:00 AM
Ah, OK.
But can we exploit the 360 using this?
(If not, can we build a "media center replacer"?)
Title: Port Scanning
Post by: Slack3er on November 25, 2005, 10:31:00 AM
Cool, learn something new every day. :)

Thanks for the input.

Regards;
Slack3er
Title: Port Scanning
Post by: BlueCELL on November 25, 2005, 10:38:00 AM
Hey,

Yeah, it's a UPnP port. Basically what they use to connect to Windows Media Connect or whatever it's called. Basically it tells all UPnP devices that the Xbox 360 can play "media".

Exploitable? Probably yes. I've worked with Windows Media Connect before and there are a lot of bugs inside of it. So let's hope that MS screwed something up this time. :)

BlueCELL
Title: Port Scanning
Post by: xbox7387 on November 26, 2005, 06:21:00 PM
I tried this same thing with mine and it didn't do anything (server timed out). Is there possibly something I have to turn on first? I'm running Windows XP and I'm linked to the box through a Linksys network hub, no firewalls. I'd really like to figure out what this port is for. Thanks

Jay-Rod
Title: Port Scanning
Post by: SilentWatcher on November 26, 2005, 06:28:00 PM
Doesn't work for me either. In fact, I can't even ping my Xbox (even though I can connect to my PC and stream media just fine).
Title: Port Scanning
Post by: Slack3er on November 26, 2005, 07:51:00 PM
That's strange, I can connect fine using both Windows XP or Linux. The only thing that I did with my 360 was get all the Xbox Live updates, and it always auto-signs in. I didn't set up Media Connect or Center. There's nothing that I can think of that I'm doing differently. I'm using Firefox; just type http://ipaddressof360:1026 into the address bar. It should bring back this:

This XML file does not appear to have any style information associated with it. The document tree is shown below.  ......etc


BTW, I also can't ping my Xbox. For a test, try doing a port scan on the 360. What ports do you see open?

PS: I'm using the premium system, do you have the core? Maybe the file is being served from the hard drive.

Cheers;

This post has been edited by Slack3er: Nov 27 2005, 04:11 AM
Title: Port Scanning
Post by: wolrahnaes on November 26, 2005, 09:06:00 PM
Summary of the thread so far:

The 360 has a very locked down IP networking system by default.  It silently rejects all IP (TCP, UDP, and ICMP) traffic other than TCP on port 1026.

Investigation of TCP 1026 discovered a basic HTTP service running on that port.  It is a UPnP service description, showing the 360 as a UPnP Media Renderer.  This is undoubtedly for the 360's functionality as a Media Center Extender.
Title: Port Scanning
Post by: DonkeyBeliever on November 27, 2005, 05:08:00 AM
Pinging/connecting works fine on my side here, so Slack3er isn't alone. :) nmap scan also shows up the same. Good work, I didn't even think of trying a port scan on this little puppy!

Let me know if I can help in any way testing stuff out etc... Thanks!
Title: Port Scanning
Post by: Dameon on November 27, 2005, 10:36:00 AM
Could someone here get some packet dumps between MCE and Xbox?
Title: Port Scanning
Post by: Slack3er on November 27, 2005, 05:43:00 PM
http://www.4shared.com/file/528528/869007c...ox360toWMC.html <- The download button is at the bottom.

Here's a packet dump of WMC to Xbox 360. I used Ethereal; just open the file with it. I don't have Media Center, so I used Media Connect instead. What I did was leave Ethereal sniffing, start the Xbox and MC, and MC found the 360. I shared some folders, then just viewed them on my 360.

Just a thought: the first file that I posted above looks like it's for identifying the 360 to Media Connect. You were right that port 1026 is used for MC; if you look at the dump, 192.168.0.101 is my computer running XP + MC and 102 is the 360.

Cheers;
Slack3er
Title: Port Scanning
Post by: unspoiledpuma on November 27, 2005, 08:52:00 PM
I just checked this with Firefox but I cannot connect with IE.

http://adressxbox360...enderingControl
http://adressxbox360...nnectionManager

Title: Port Scanning
Post by: Slack3er on November 28, 2005, 08:28:00 AM
After thinking about it, I removed the above link. The file contains identifying data, so if you did download it, I hope you respect my request not to repost the file. Please keep it for studying, nothing more.

This post has been edited by Slack3er: Nov 28 2005, 04:29 PM
Title: Port Scanning
Post by: DonkeyBeliever on November 29, 2005, 02:51:00 AM
Slack3er: You said you are just using Media Connect on your machine, correct? You wouldn't happen to have a copy of Windows XP MCE to test it out to see if you get similar results, would you? I have my friend's MCE installing right now on a virtual machine, but I am a total noob when it comes to using anything other than nmap to do a simple port scan.

If you could walk me through using Ethereal to get a dump from connecting a Media Center PC, I wouldn't mind helping the cause. Let me explain my setup here.

I have 2 boxes up and running right now: one running Windows XP SP2 with XP Media Center Edition running in a virtual machine, and on the second box I have Ubuntu loaded with nmap and Ethereal (I am a total noob with Ethereal but I'm a quick learner). I can be contacted via any major IM service, but I'm on Hawaii Standard Time so my hours might seem a bit odd. I'm off on Friday though; drop me a PM.
Title: Port Scanning
Post by: Slack3er on November 29, 2005, 08:30:00 AM
Yes, only Connect; I can only view images. I would like to have Windows XP MCE, but don't. :(

No problem, I don't mind helping. Can we just use email, this board or PMs? I really don't like IM; with work, some answers may require me to search around a bit. With the other ways, I can take my time and give you better answers.

To start, I'm going to post some general tips, if anyone else is interested.

Using Ethereal to acquire TCP/IP traffic between a computer and Xbox 360:

I have never set up Windows XP MCE before, so you're going to have to read that yourself. Here's a link to help you get started:
http://www.xbox.com/...-media-mcpc.htm

One thing you should know: that dump will contain your 360 serial number, MAC address, etc. If you post it online, it's there for anyone to view, yes even MS. Could they use that info to ban you from Xbox Live? Maybe, I don't really know. But I'm warning you it's a chance you must understand. Also, running a sniffer like Ethereal on your network, if passwords or other personal data are sent across your network, they could be picked up, and then if you post it online, bad things could happen. :(

Also, I have used VM software like VMware before, but I'm no expert with it. As long as you can get MCE working with your Xbox you'll get a dump.

Ethereal is cross-platform, so it works on Linux/BSD/Windows. I would install Ethereal onto the VM that is running MCE. I don't think Ethereal will see the traffic if you run it from your second box. Also I would temporarily disable UPnP on your router; it will make your results in Ethereal easier to read. Turn it back on when you're done, if you wish.

The first step would be to make sure MCE and the 360 are correctly working. Try viewing images, just to make sure it works. Then turn off your Xbox, just to make sure you kill the connection.

Start Ethereal on the VM, go to Capture and Options. Change the interface to your NIC. Check the option to update packets in real time. Then hit Start. Now leave it.

Now turn on your Xbox and connect it to MCE. View some images/video. That will make some traffic; if you look at Ethereal you'll see it's collecting packets. :)

Turn off your Xbox. Hit Stop in Ethereal and save the dump.

As for analyzing the dump: the top window contains the packets, in the order they were recorded. The bottom windows are what the packets contain.

And that's about it; try it and see what happens. If you run into problems, I'll be around.

Regards;
Slack3er

Title: Port Scanning
Post by: xbox7387 on November 30, 2005, 07:37:00 PM
Well, at first I didn't succeed when scanning for open ports, but I found out it was because I had the ping check enabled, so it wouldn't work. Also, the first time I scanned, ports 25, 110 and 1026 were open; then I loaded a game, went back to the dashboard, and now it was the same, only instead of 1026 it was now 1028. I also got on Live to scan again and I got 25, 110, 1002, 1032 (which used to be 1026/1028) and 1720. No luck with any of them though.
Title: Port Scanning
Post by: SilentWatcher on December 01, 2005, 06:31:00 PM
Whoa, whoa, wait. Are you sure it's your Xbox? 25 is SMTP and 110 is POP3. Xbox 360 is a mail server?
Title: Port Scanning
Post by: Monoxboogie on December 01, 2005, 09:35:00 PM
QUOTE(SilentWatcher @ Dec 2 2005, 02:38 AM)

Whoa, whoa, wait. Are you sure it's your Xbox? 25 is SMTP and 110 is POP3. Xbox 360 is a mail server?


Assuming it wasn't an error on the behalf of the person doing the scanning, I wouldn't put it past MS to run services on non-standard ports in order to further obscure the exact service running on them. I used to run a terminal server on port 110, because 110 outbound wasn't blocked by the firewall at work. I could then browse the web or do anything I wanted using my home box as a proxy. Point is, anybody with half a brain can configure a service to run on a different port; standard does not mean "etched in stone."

...but I'd be quicker to assume that it was an error on Mr(s?) Xbox's behalf.
Title: Port Scanning
Post by: scotty2hotty1124 on December 01, 2005, 09:51:00 PM
QUOTE
Whoa, whoa, wait. Are you sure it's your Xbox? 25 is SMTP and 110 is POP3. Xbox 360 is a mail server?

This may be a stupid idea... but the 360 can send and receive messages back and forth, right? So... although Xbox Live uses a port to play games and download and such... maybe it could use these ports to send the messages back and forth... just an idea...
Title: Port Scanning
Post by: xbox7387 on December 02, 2005, 02:10:00 AM
I agree, it did strike me as strange when those two ports showed up, but they did. I guess since it is only me having these results, I will get a different port scanner and check it out tomorrow when I get home.

Jay-Rod
Title: Port Scanning
Post by: DonkeyBeliever on December 02, 2005, 06:44:00 PM
Hrm, I can't seem to update to Rollup 2 for MCE with my 60-day trial key... what gives? Guess they don't want me to trial it... Plus it's complaining about the video card of the emulated machine... Anyone using MCE with Virtual PC 2005?
Title: Port Scanning
Post by: ShadowElitePro on December 02, 2005, 06:46:00 PM
Well, we're getting somewhere, but that's just for the media connection, I think.
Title: Port Scanning
Post by: xblinkxkidx on December 04, 2005, 06:29:00 AM
Do an IANA's guide check on it... what credentials in nmap are you using? I might try it out in a sec. I mainly want to do the -O option to find if it can see any OS, and also -sS to see if the silent option comes into play at all with it. I might also use a Nessus scan.

Someone has talked about the Xbox 360 not being able to ping... well, it might have ping off. On some PCs you can do shit to turn it off so it will act in stealth mode.
Title: Port Scanning
Post by: zerosignal0 on December 07, 2005, 12:41:00 PM
Just to mention as well, I have been doing port scans and have come up with some funny ports too... like 21. You know I had to laugh to myself getting this one (for those who don't know, port 21 is FTP). I knew right off the bat there wasn't an FTP server running, but being as that's how all us modders get back and forth in our Xbox 1... but anyways, I also got the port 110 mail server port open and thought to myself hmmm... you know maybe it is the Live thing, and noticed it was already mentioned earlier, but then it really did occur to me.... Just my own opinion, but I think it's going to take the modchip guys a long time to get around all this hardware security, so the only way we're gonna get into this thing is via network, and for the most obvious reasons MS SUCKS AT NETWORK SECURITY! Let's face it, even if they do hide these services on different ports, that's going to be a hell of a lot easier to exploit than hardware, so what's next? We need to really focus on probing these ports for as much info as we can and really try to take the path of exploiting with MCE exploits. That makes the most sense to me... I know someone else had already mentioned that earlier, but I am going to attempt in the next couple of days to buffer overflow this thing... If I can do it, the only thing I'll need help with is working on a file to upload to create a true FTP server. Now here's one other question for ya... If someone is able to overflow and start an FTP server... what port? If this machine is almost randomly snagging ports, then how do you even know, if you reach that point, what port to connect with?

Sorry for the long post, I'm just dumping my brain out to see if someone might take this somewhere.

zer0
Title: Port Scanning
Post by: reagor on December 10, 2005, 06:28:00 PM
QUOTE(zerosignal0 @ Dec 7 2005, 02:48 PM)

Just to mention as well, I have been doing port scans and have come up with some funny ports too... like 21. You know I had to laugh to myself getting this one (for those who don't know, port 21 is FTP). I knew right off the bat there wasn't an FTP server running, but being as that's how all us modders get back and forth in our Xbox 1... but anyways, I also got the port 110 mail server port open and thought to myself hmmm... you know maybe it is the Live thing, and noticed it was already mentioned earlier, but then it really did occur to me.... Just my own opinion, but I think it's going to take the modchip guys a long time to get around all this hardware security, so the only way we're gonna get into this thing is via network, and for the most obvious reasons MS SUCKS AT NETWORK SECURITY! Let's face it, even if they do hide these services on different ports, that's going to be a hell of a lot easier to exploit than hardware, so what's next? We need to really focus on probing these ports for as much info as we can and really try to take the path of exploiting with MCE exploits. That makes the most sense to me... I know someone else had already mentioned that earlier, but I am going to attempt in the next couple of days to buffer overflow this thing... If I can do it, the only thing I'll need help with is working on a file to upload to create a true FTP server. Now here's one other question for ya... If someone is able to overflow and start an FTP server... what port? If this machine is almost randomly snagging ports, then how do you even know, if you reach that point, what port to connect with?

Sorry for the long post, I'm just dumping my brain out to see if someone might take this somewhere.


Wouldn't it be funny if the 360 OS is Linux based?

Correct me if I am wrong.

Exploiting the MCE on the network: isn't the media extender only for streaming video, pictures, etc... not for executable info, even on a core level? Using this as an exploit doesn't seem feasible, as the internal OS has security in place not allowing it to run executable code. Maybe somehow attacking the image viewer app and passing it a fake .jpg which contains the code for an exploit; it seems this is an open door MS wants you to attack...

Sorry, flame blast me, do as you will; I'm probably just wasting your time.



Title: Port Scanning
Post by: xblinkxkidx on December 11, 2005, 07:17:00 AM
The FTP could be for the XBMC, I guess... the 110 is for POP3 (aka mail); seems like that may be used for Xbox Live like said earlier ^... maybe it has to do with the Xbox Live gamertag mailbox with voice messages and text messages???
Title: Port Scanning
Post by: mrRobinson on December 13, 2005, 02:09:00 PM
Yes it seems those ports are "open" solely for live services, the live messaging and chatting with friends, etc.  Because you cannot connect with those ports as it is looking for authentication.

CODE

[Connect 16:28:44]  Remote Port: 25 Local Port: 2674
 Local Socket: 484  Standard Service: Simple Mail Transfer :: [Incoming Data 16:29:06]

Remote Port: 25 Local Port: 2674
421  Cannot connect to SMTP server, connect error 10060

[Session Closed 16:29:06] Remote Port: 25 Local Port: 2674


[Connect 16:29:30] Remote Port: 110 Local Port: 2762
 Local Socket: 508  Standard Service: Post Office protocol - Version 3 ::

[Connect 16:29:35]  Remote Port: 119 Local Port: 2772
 Local Socket: 492  Standard Service: Network News Transfer Protocol ::

[Connect 16:29:50] Remote Port: 143 Local Port: 2797
 Local Socket: 456  Standard Service: Internet Message Access Protocol/Interactive Mail Access Protocol
v2

[Incoming Data 16:29:51]Remote Port: 110 Local Port: 2762
-ERR  Cannot connect to POP server, connect error 10060

[Session Closed 16:29:51]  Remote Port: 110 Local Port: 2762


[Incoming Data 16:29:56]Remote Port: 119 Local Port: 2772
502  Cannot connect to NNTP server, connect error 10060


[Session Closed 16:29:56] Remote Port: 119 Local Port: 2772


[Incoming Data 16:30:11] Remote Port: 143 Local Port: 2797
* BYE [ALERT]  Cannot connect to IMAP server, connect error 10060


[Session Closed 16:30:11] Remote Port: 143 Local Port: 2797


This post has been edited by mrRobinson: Dec 13 2005, 10:10 PM
Title: Port Scanning
Post by: mrRobinson on December 13, 2005, 02:29:00 PM
MS NLB heartbeat
These broadcasts from the 360 show up when on Live or testing the Live or media connections.
It seems to be a msft network load balancer heartbeat. They have adjusted it to about every 2 seconds.

Check this site for info: http://www.MS.com/te...ing/nlbfaq.mspx

You'll have to change the ms.com to the full msft name.

So this is what they are using to keep you on various Live servers as efficiently as possible.

I would think their Live servers are clusters of Win2k3 and the 360 itself could be running an embedded 2k3 server OS of some sort.
Title: Port Scanning
Post by: modthebox.tk on December 15, 2005, 08:22:00 AM
QUOTE(reagor @ Dec 11 2005, 03:35 AM)

Wouldn't it be funny if the 360 OS is Linux based?

Correct me if I am wrong.

Exploiting the MCE on the network: isn't the media extender only for streaming video, pictures, etc... not for executable info, even on a core level? Using this as an exploit doesn't seem feasible, as the internal OS has security in place not allowing it to run executable code. Maybe somehow attacking the image viewer app and passing it a fake .jpg which contains the code for an exploit; it seems this is an open door MS wants you to attack...

Sorry, flame blast me, do as you will; I'm probably just wasting your time.


Nope. Built off a beta version of Vista -- code name Longhorn --, I think. Of course I mean built off the kernel, because we all know it runs off the same kernel as Xbox 1 -- execute one app at a time. It has multiple operating systems that are supervised by the hypervisor.
Title: Port Scanning
Post by: ssj4android on December 21, 2005, 04:25:00 PM
Does the 360 use UPNP to map inbound ports for xbox live? I know my router's "firewall" page shows when ports have been reserved via UPNP, and what their name is. I don't have a 360 to test this though.
Title: Port Scanning
Post by: mrRobinson on December 22, 2005, 08:13:00 AM
No, it seems to only use UPnP for the WMC and MC capabilities.
Title: Port Scanning
Post by: sami9999 on January 02, 2006, 11:46:00 AM
Hello,

I don't know if this is the right place, but a few posts ago there was a discussion about a hack over the network.
I don't know the WMC and I don't have an Xbox 360 (yet). But if the dashboard has not been written from scratch (very unlikely IMHO) and the Xbox 360 can show WMF (Windows Metafile) format pictures, then there exists a hole in all Windows OSes which leads to execution of arbitrary code. I think maybe it is possible to inject some code into a WMF file and try to execute it.

Just a thought. But of course you guys know better.
Title: Port Scanning
Post by: ssj4android on January 03, 2006, 05:23:00 PM
Try it if you want. Although I've heard Data Execution Prevention guards against the exploit on XP, so even if the exploitable software did exist, the hypervisor or whatever would most likely stop it. Still, you can try. I'd use a Linux server to test it though.
Title: Port Scanning
Post by: ben1989 on November 02, 2006, 12:47:00 PM
http://xboxip:1026/xbox360.png