Hacking New dev mode privilege escalation exploit published

carizard

@XVMM has published a new privilege escalation exploit on his Discord.

The executables were published in a zip file named system os utilities, along with a readme which contains a small tutorial.

This allows you to use the tool XRF to read the contents of NAND.

SUPERFUN

Requirement:
- USB
- xboxunattend script

Place a superfun.xboxunattend, or any *.xboxunattend script of your choice, on a USB and plug it into your console.
After you place it onto console, connect over SSH and navigate to where you extracted the utilities and then run superfun.

Note:
The script provided will start a fun little telnet session.

Enjoy :)

// B

Sorry for any mistakes in this post; I am quite exhausted.
 

Attachments

  • SystemOS_Utilities.zip
    123.1 KB · Views: 911

Seelbreaker

Hmmm, so the Xbox One seems to be having something Windows-PE like running?... (I don't have an Xbox One and don't have any clue about it).

At least on Windows you can use sc stop, sc start and so on to control services... you can also use "sc query type= service type=" to get all services... Would be interesting to know how Xbox One differs from a current Windows 10 installation ;-)

Windows PCs or the installation media also have an unattend.xml file which is used to predefine setup options and disk format stuff, region and so on.
You can actually create your own unattend.xml file - put it into the root of a USB stick (the one with which you install Windows) and start the Windows setup without moving a finger after letting it load it up.

Now I'm wondering if with those unattend.xml files you can do other stuff if the Xbox One has a reinstall feature, because you might be able to call a local cmd from within the setup and get access to the filesystem...

Now I'm kinda curious and wanna buy an Xbox One myself :P

Is this exploit working on all versions?
 

Deleted User

The tool will support any version past mid-late 2017. It's also not really possible to run the standard Windows setup; it's not that simple. It's a very different beast, but you can run a standard win32 console app and also, through hooking and all, attach and render standard programs.

> I think the most interesting thing is "when can we play X1 games for free"??

I don't intend to ever enable privacy. And it's not happening soon.
 

Carltrek

Seems the Telnet session is not created successfully... both SSH and Telnet cannot connect to the console. Do you need to put *.xboxunattend in an empty USB drive, or is any USB drive that the Xbox One recognizes okay?
Edit: Okay, I made a mistake while putting the file and now SSH is on. But the SSH session is asking for a password. What's the default password for this SSH session? Leaving it empty and pressing Enter doesn't work.
 

Deleted User

The password to DevToolsUser is available in the Windows Device Portal. You can access that through https://xboxone:11443 (replace xboxone with your IP). However, if you've formatted your USB as NTFS and put the script on the root of it then run superfun it'll be fine.
 

Deleted User

Additional note: the password for "DevToolsUser" might be the pin from the Visual Studio pin. I can't recall but in Dev Home hit Show Visual Studio Pin and use that for password.
 

Carltrek

> The password to DevToolsUser is available in the Windows Device Portal.

I don't mean to sound funny here, but after fiddling in the Xbox remote access webpage for a while, I still can't find the DevToolsUser password. I checked Microsoft's help webpage, and they didn't notice this either. The Visual Studio pairing key in Xbox Dev Home is not working.
 

Deleted User

I'll double check for you. The pairing key should be working.

--------------------- MERGED ---------------------------

> What benefits are there to this?

Running as an elevated user allows the read and write functionality of flash, the ability to interact with pipes/drivers, read/write process memory and more. It's useful for many things if you're interested in digging around. It's been useful for a couple of findings.
 

Deleted User

I just logged in to DevToolsUser using the pairing key. Have you entered it correctly? There's a chance that it may have reset before you entered but I just did it again.
 
