This is a remote Stack Based Buffer Overflow exploit for Black Ops 3 on the Xbox 360 that gives the attacker full memory and execution manipulation ability on every client's xbox.
This epxloit relies on a buffer overflow vulnerability when receiving voice chat data from other people in the game lobby.
Voice Data is processed by the game though "voice packets" that contains, among other things, the voice data and the size of the voice data. The handling code looks something like this:
voiceData->dataSize = readPacketUnsignedShort(packetPtr);
voiceData->data = readPacketArray(packetPtr, voiceData->dataSize);
Key points:
- The data's size is only defined by what value the packet has
- There is no check on the data size to prevent a buffer overflow
- The location of the voiceData structure is on the stack
- The voiceData structure is at the end of the stack
Internally the maximum voice data size is 1198 bytes, but dataSize is an unsigned short so we can write up to 65535 bytes. This means that we can write up to 64337 bytes into the stack.
As the expliot allows the stack to be corrupted, we can manipulate the return address and other saved registers to perform a Return-Oriented-Programming (ROP) chain exploit. Through both exploits, it is possible to control the memory and execution flow of any client connected to the current game lobby remotely.
The attacker doesn't need to be host and just needs to connect to the game lobby for the exploit to work. Thus commands like "fast_restart" can be executed as if it was the host that used the command.
This section is a writeup of how the exploit packet is crafted to send a malicious server command. My aim for the ROP chain was to execute the command and return execution flow back to the game without any exceptions or errors being produced. The parameters of the server command are:
- the client number of which the command is executed on behalf of
- the command string to execute
The malicious voice data structure is first loaded with the command string being executed by the attacker.
The entry point for the ROP chain is when the exploitable function returns to the caller function:
addi r1, r1, 0x540
b __restgprlr_29
- It adds 0x540 to the stack
- __restgprlr_29 loads the registers 29-31 and return value saved on to the stack back into the original registers.
The malicious voice packet uses the buffer overflow to overwrite the saved return address with the address of gadget 1 and uses __restgprlr_29 to jump to gadget 1.
Gaget 1:
addi r1, r1, 0x80
b __restgprlr_28
- It adds 0x80 to the stack
- __restgprlr_28 loads the registers 28-31 and return value saved on to the stack back into the original registers.
The saved values of r28-r31 are overwritten by the buffer overflow which contain the client index (r29), the command to execute (r31), and the command execution function address (r28). These values are used in gadget 2. The return address is overwritten with the address of gadget 2.
Gaget 2:
mr r4, r31
mr r3, r29
mtctr r28
bctrl
addi r1, r1, 0x90
b __restgprlr_25
- It loads r31 into r4, r29 into r3, and execution jumps to the value in r28
- It adds 0x90 to the stack
- __restgprlr_25 loads the registers 25-31 and return value saved on to the stack back into the original registers.
This gadget uses the registers from gadget 1 to execute the command execution function (r3 is the client, r4 is the command string).
Once gadget 2 is executed, the total stack size used by the exploit is 0x110. This is the exact size of the stack used by the exploitable function's caller, so when gadget 2 returns, execution flow will be returned to how it was before the exploit was executed.
This PoC was only written to work on the zombies version of the game and will NOT work on multiplayer.
- Load the DLL into Black Ops 3.
- Open the executable and connect to your xbox 360.
- Load into a game with other people.
- Fill in the data needed for a command and press the send button.
- The commands will be executed on every client's xbox apart from yourself.