xboxscene.org forums


Author Topic: Port Scanning  (Read 1016 times)

Slack3er

  • Archived User
  • Newbie
  • *
  • Posts: 11
Port Scanning
« on: November 24, 2005, 08:43:00 AM »

My setup is simple: one computer running Slackware, an Xbox 360 (latest updates) & a D-Link router. So no firewalls in my LAN, only the D-Link.

If you do an nmap scan of the 360, TCP port 1026 is open. The other UDP & TCP ports are in a state of filtered. There are three things I'd like to point out.

1) Port 1026 is open. Does anyone have any idea what service is running? My best guess would be something to do with Xbox Live. Maybe the messenger service, as you would need that service open to receive emails.

2) All other UDP & TCP ports are filtered. Most of the time if you scan a host the ports are either open or closed. Being filtered tells me something is blocking my probes, like a firewall. I'm guessing the Xbox 360 has a firewall, what do you think? Just say for a minute it does, we know it blocks incoming traffic. What about outgoing? If we do exploit the Xbox somehow, a firewall will make it harder to open an FTP/telnet server, if it filters outgoing traffic.

3) If you type http://ipaddressofxbox360here:1026/ into a web browser, it'll download a file called index.html (HTTP server?). I edited the file below to remove my serial number, etc.

<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0" xmlns:ms=" urn:MS-com:wmc-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <device ms:X_MS_SupportsWMDRM="true">
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <manufacturer>MS Corporation</manufacturer>
    <manufacturerURL>http://www.MS.com/</manufacturerURL>
    <modelName>Xbox 360</modelName>
    <modelNumber></modelNumber>
    <modelDescription>Xbox 360</modelDescription>
    <modelURL>http://www.xbox.com/</modelURL>
    <friendlyName>Xbox 360</friendlyName>
    <serialNumber>REMOVEDINFORMATION</serialNumber>
    <UDN>uuid:REMOVEDINFORMATION</UDN>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:RenderingControl</serviceId>
        <SCPDURL>/Content/RenderingControl</SCPDURL>
        <controlURL>/Control/RenderingControl</controlURL>
        <eventSubURL>/Event/RenderingControl</eventSubURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
        <SCPDURL>/Content/ConnectionManager</SCPDURL>
        <controlURL>/Control/ConnectionManager</controlURL>
        <eventSubURL>/Event/ConnectionManager</eventSubURL>
      </service>
    </serviceList>
  </device>
</root>

Don't know if any of this is any good, but I thought I'd pass it along. Take it lightly, I'm not a coder, just a geek. :)

Just like to say thanks to Xbox-Scene, Xbox-Linux, etc. Been a long time reader.

Cheers;
Slack3er

This post has been edited by Slack3er: Nov 24 2005, 04:45 PM
Logged
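
Added example, not part of the original post: a Python reader for a UPnP device description like the one above, listing each advertised service with its SCPD, control and event URLs so you can inventory what a device on your own LAN exposes. The sample is cut down from the post; the function name and the 192.0.2.10 documentation address are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

NS = {"d": "urn:schemas-upnp-org:device-1-0"}

# Constructed sample: the description from the post cut down to one service,
# keeping the mid-value line breaks to show why every value is stripped.
SAMPLE = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
<friendlyName>Xbox 360</friendlyName>
<serviceList><service>
<serviceType>urn:schemas-upnp-org:service:ConnectionManager:1
</serviceType><serviceId>urn:upnp-org:serviceId:ConnectionManager
</serviceId>
<SCPDURL>/Content/ConnectionManager</SCPDURL><controlURL>
/Control/ConnectionManager</controlURL><eventSubURL>
/Event/ConnectionManager</eventSubURL>
</service></serviceList></device></root>"""


def list_services(xml_bytes, base_url):
    """Return one dict per <service>, with its three URLs made absolute."""
    # The description comes from a device you do not control. UPnP documents
    # need no DTD, so refuse one instead of letting entities expand. This
    # byte check covers ASCII-compatible encodings only.
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DTD in device description")
    root = ET.fromstring(xml_bytes)
    services = []
    for svc in root.iterfind(".//d:serviceList/d:service", NS):
        entry = {}
        for tag in ("serviceType", "serviceId", "SCPDURL", "controlURL", "eventSubURL"):
            text = (svc.findtext("d:" + tag, default="", namespaces=NS) or "").strip()
            entry[tag] = urljoin(base_url, text) if tag.endswith("URL") else text
        services.append(entry)
    return services


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the console's IP.
    for s in list_services(SAMPLE, "http://192.0.2.10:1026/"):
        print(s["serviceType"], s["SCPDURL"], s["controlURL"], s["eventSubURL"])
```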

Tp21

  • Archived User
  • Jr. Member
  • *
  • Posts: 58
Port Scanning
« Reply #1 on: November 24, 2005, 08:54:00 AM »

I think it's for the Media Center connection
Logged

Tp21

  • Archived User
  • Jr. Member
  • *
  • Posts: 58
Port Scanning
« Reply #2 on: November 24, 2005, 10:56:00 AM »

What happens if you go to the directory: http://XBOX360IP:1026/Content/ConnectionManager (for example)?
(I don't have an Xbox 360 here (yet); I live in the Netherlands... the 360 comes out here on 2 December :( )
Logged

crystalgeek

  • Archived User
  • Full Member
  • *
  • Posts: 128
Port Scanning
« Reply #3 on: November 24, 2005, 11:09:00 AM »

Try using a program like IntelliTamper to scan the Xbox directories. In IntelliTamper, type http://ipofxbox:1038/

This post has been edited by crystalgeek: Nov 24 2005, 07:09 PM
Logged

Slack3er

  • Archived User
  • Newbie
  • *
  • Posts: 11
Port Scanning
« Reply #4 on: November 24, 2005, 12:51:00 PM »

Thanks for everyone's suggestions & replies. :)

crystalgeek:
I tried scanning my Xbox with IntelliTamper. The only file it finds is called _index_defaultpage.html. I tried different settings, like /Content/ConnectionManager or /event/. But that's all it finds; the file contains the same info as I posted above.

Tp21:
When I tried that (http://XBOX360IP:1026/Content/ConnectionManager) it finds a new file called ConnectionManager.xml

I also tried different combinations, but no more luck. :(
/Content/ConnectionManager
/Control/ConnectionManager
/Event/ConnectionManager
/Content/
/Control/
/Event/

Thanks again;
Slack3er

================New file contains=====================

<?xml version="1.0" ?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <actionList>
    <action>
      <name>GetCurrentConnectionIDs</name>
      <argumentList>
        <argument>
          <name>ConnectionIDs</name>
          <direction>out</direction>
          <relatedStateVariable>CurrentConnectionIDs</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
    <action>
      <name>GetCurrentConnectionInfo</name>
      <argumentList>
        <argument>
          <name>ConnectionID</name>
          <direction>in</direction>
          <relatedStateVariable>A_ARG_TYPE_ConnectionID</relatedStateVariable>
        </argument>
        <argument>
          <name>RcsID</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_RcsID</relatedStateVariable>
        </argument>
        <argument>
          <name>AVTransportID</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_AVTransportID</relatedStateVariable>
        </argument>
        <argument>
          <name>ProtocolInfo</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_ProtocolInfo</relatedStateVariable>
        </argument>
        <argument>
          <name>PeerConnectionManager</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_ConnectionManager</relatedStateVariable>
        </argument>
        <argument>
          <name>PeerConnectionID</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_ConnectionID</relatedStateVariable>
        </argument>
        <argument>
          <name>Direction</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_Direction</relatedStateVariable>
        </argument>
        <argument>
          <name>Status</name>
          <direction>out</direction>
          <relatedStateVariable>A_ARG_TYPE_ConnectionStatus</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
    <action>
      <name>GetProtocolInfo</name>
      <argumentList>
        <argument>
          <name>Source</name>
          <direction>out</direction>
          <relatedStateVariable>SourceProtocolInfo</relatedStateVariable>
        </argument>
        <argument>
          <name>Sink</name>
          <direction>out</direction>
          <relatedStateVariable>SinkProtocolInfo</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
  </actionList>
  <serviceStateTable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_ProtocolInfo</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_ConnectionStatus</name>
      <dataType>string</dataType>
      <allowedValueList>
        <allowedValue>OK</allowedValue>
        <allowedValue>ContentFormatMismatch</allowedValue>
        <allowedValue>InsufficientBandwidth</allowedValue>
        <allowedValue>UnreliableChannel</allowedValue>
        <allowedValue>Unknown</allowedValue>
      </allowedValueList>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_AVTransportID</name>
      <dataType>i4</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_RcsID</name>
      <dataType>i4</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_ConnectionID</name>
      <dataType>i4</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_ConnectionManager</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="yes">
      <name>SourceProtocolInfo</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="yes">
      <name>SinkProtocolInfo</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_Direction</name>
      <dataType>string</dataType>
      <allowedValueList>
        <allowedValue>Input</allowedValue>
        <allowedValue>Output</allowedValue>
      </allowedValueList>
    </stateVariable>
    <stateVariable sendEvents="yes">
      <name>CurrentConnectionIDs</name>
      <dataType>string</dataType>
    </stateVariable>
  </serviceStateTable>
</scpd>
Logged

Dameon

  • Archived User
  • Newbie
  • *
  • Posts: 17
Port Scanning
« Reply #5 on: November 24, 2005, 04:58:00 PM »

;) The original Xbox had some support for this to automatically forward ports for LIVE, but that was outgoing. It would connect to your router and use the UPnP protocol for an Internet Gateway Device to open ports.

Check out the specs at http://www.upnp.org/

Unlike the old Xbox, the 360 appears to have support for being a device rather than just a client. Some of the names match up to the UPnP spec for MediaServer and MediaRenderer. (Such as MediaServer, MediaRenderer, ConnectionManager, and RenderingControl). I'm going to read the PDF and see what kind of features. This looks like a good point of attack for buffer overflows or even HD access (If the Xbox can serve the media).

http://www.upnp.org/...mediaserver.asp

As Tp21 guessed, this is likely to allow communications with Media Center. Amazingly enough, MS used a standard protocol on this one.

As a further experiment, try poking around using the name ContentDirectory. That was the only one of the components listed on the UPnP mediaserver page not to be referenced in the index file.
Logged

Slack3er

  • Archived User
  • Newbie
  • *
  • Posts: 11
Port Scanning
« Reply #6 on: November 24, 2005, 05:54:00 PM »

Thanks Dameon for your reply.

I tried ContentDirectory, but couldn't find anything. But for some reason I missed RenderingControl. It returns a file called RenderingControl.xml

http://192.168.0.102:1026/Content/RenderingControl

If there's anything else you'd like me to try, feel free. I'm all out of ideas, but will check out those links you recommended. If I find anything else, I'll post.

Regards;

===============File Contains==================
<scpd>
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <actionList>
    <action>
      <name>ListPresets</name>
      <argumentList>
        <argument>
          <name>InstanceID</name>
          <direction>in</direction>
          <relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable>
        </argument>
        <argument>
          <name>CurrentPresetNameList</name>
          <direction>out</direction>
          <relatedStateVariable>PresetNameList</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
    <action>
      <name>SelectPreset</name>
      <argumentList>
        <argument>
          <name>InstanceID</name>
          <direction>in</direction>
          <relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable>
        </argument>
        <argument>
          <name>PresetName</name>
          <direction>in</direction>
          <relatedStateVariable>A_ARG_TYPE_PresetName</relatedStateVariable>
        </argument>
      </argumentList>
    </action>
  </actionList>
  <serviceStateTable>
    <stateVariable sendEvents="yes">
      <name>LastChange</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>PresetNameList</name>
      <dataType>string</dataType>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_PresetName</name>
      <dataType>string</dataType>
      <allowedValueList>
        <allowedValue>FactoryDefaults</allowedValue>
        <allowedValue>InstallationDefaults</allowedValue>
        <allowedValue>Vendor defined</allowedValue>
      </allowedValueList>
    </stateVariable>
    <stateVariable sendEvents="no">
      <name>A_ARG_TYPE_InstanceID</name>
      <dataType>ui4</dataType>
    </stateVariable>
  </serviceStateTable>
</scpd>

This post has been edited by Slack3er: Nov 25 2005, 01:55 AM
Logged
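
Added example, not part of the original posts: the SCPD files above declare every action and the type of each argument, so parsing one shows which actions accept caller-supplied values and what constraint, if any, the device declares on them. The sample is cut from the RenderingControl file; the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one action and its state variables from the
# RenderingControl file in the post, which arrived without an xmlns.
SAMPLE = b"""<scpd><actionList><action><name>SelectPreset</name><argumentList>
<argument><name>InstanceID</name><direction>in</direction>
<relatedStateVariable>A_ARG_TYPE_InstanceID</relatedStateVariable></argument>
<argument><name>PresetName</name><direction>in</direction>
<relatedStateVariable>A_ARG_TYPE_PresetName</relatedStateVariable></argument>
</argumentList></action></actionList><serviceStateTable>
<stateVariable sendEvents="no"><name>A_ARG_TYPE_PresetName</name>
<dataType>string</dataType><allowedValueList>
<allowedValue>FactoryDefaults</allowedValue>
<allowedValue>InstallationDefaults</allowedValue>
<allowedValue>Vendor defined</allowedValue></allowedValueList></stateVariable>
<stateVariable sendEvents="no"><name>A_ARG_TYPE_InstanceID</name>
<dataType>ui4</dataType></stateVariable></serviceStateTable></scpd>"""


def txt(el, tag):
    """Text of a direct child, stripped; '' when the child is missing."""
    return (el.findtext(tag) or "").strip()


def input_surface(xml_bytes):
    """Map each action to [(argument, dataType, allowed values or None)]
    for the arguments a caller supplies (direction 'in')."""
    if b"<!DOCTYPE" in xml_bytes:  # untrusted input: SCPD files need no DTD
        raise ValueError("DTD in service description")
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        # One file in the thread has xmlns, the other lost it: drop '{ns}'.
        el.tag = el.tag.rsplit("}", 1)[-1]
    types = {}
    for sv in root.iter("stateVariable"):
        allowed = [(a.text or "").strip() for a in sv.iter("allowedValue")]
        types[txt(sv, "name")] = (txt(sv, "dataType"), allowed or None)
    surface = {}
    for action in root.iter("action"):
        surface[txt(action, "name")] = [
            (txt(arg, "name"),) + types.get(txt(arg, "relatedStateVariable"), ("?", None))
            for arg in action.iter("argument")
            if txt(arg, "direction") == "in"
        ]
    return surface


if __name__ == "__main__":
    for name, args in input_surface(SAMPLE).items():
        print(name, args)
```

Arguments typed `string` with no allowed-value list are the ones where input validation rests entirely on the device's own code.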

meawoppl

  • Archived User
  • Newbie
  • *
  • Posts: 3
Port Scanning
« Reply #7 on: November 25, 2005, 12:07:00 AM »

Wow, that means the Xbox 360 should be able to traverse routers for local link play . . . M$ never ceases to amaze me whenever they actually go with a standard
Logged

Tp21

  • Archived User
  • Jr. Member
  • *
  • Posts: 58
Port Scanning
« Reply #8 on: November 25, 2005, 01:37:00 AM »

And for the firewall (all ports are filtered), they probably included one.
There's a hell of a lot more security in the 360 so why not :P
Logged

blerik

  • Archived User
  • Newbie
  • *
  • Posts: 6
Port Scanning
« Reply #9 on: November 25, 2005, 06:24:00 AM »

Standard TCP/IP stacks return RST to a SYN trying to connect to an unbound socket. This TCP/IP stack doesn't return anything to those queries. Not a firewall per se, just a truncated TCP/IP stack.

--Blerik
Logged

Tp21

  • Archived User
  • Jr. Member
  • *
  • Posts: 58
Port Scanning
« Reply #10 on: November 25, 2005, 07:06:00 AM »

Ah ok :P
But can we exploit the 360 using this?
(If not, can we build a "media center replacer"?)
Logged

Slack3er

  • Archived User
  • Newbie
  • *
  • Posts: 11
Port Scanning
« Reply #11 on: November 25, 2005, 10:31:00 AM »

Cool, learn something new every day. :)

Thanks for the input.

Regards;
Slack3er
Logged

BlueCELL

  • Archived User
  • Full Member
  • *
  • Posts: 203
Port Scanning
« Reply #12 on: November 25, 2005, 10:38:00 AM »

Hey,

Yeah, it's a UPnP port. Basically what they use to connect to Windows Media Connect or whatever it's called. Basically it tells all UPnP devices that the Xbox 360 can play "media".

Exploitable? Probably yes. I've worked w/ Windows Media Connect before and there are a lot of bugs inside of it. So let's hope that MS screwed something up this time :).

BlueCELL
Logged

xbox7387

  • Archived User
  • Newbie
  • *
  • Posts: 7
Port Scanning
« Reply #13 on: November 26, 2005, 06:21:00 PM »

I tried this same thing with mine and it didn't do anything (server timed out). Is there possibly something I have to turn on first? I'm running Windows XP and I'm linked to the box through a Linksys network hub, no firewalls. I'd really like to figure out what this port is for. Thanks

Jay-Rod
Logged

SilentWatcher

  • Archived User
  • Newbie
  • *
  • Posts: 15
Port Scanning
« Reply #14 on: November 26, 2005, 06:28:00 PM »

Doesn't work for me either. In fact, I can't even ping my Xbox (even though I can connect to my PC and stream media just fine).
Logged