1. carizard

    OP carizard GBAtemp Regular
    Member

    Joined:
    Dec 4, 2018
    Messages:
    108
    Country:
    Antarctica
    @XVMM has published a new privilege escalation exploit on his Discord.

    The executables were published in a zip file named system os utilities, along with a readme which contains a small tutorial.

    This allows you to use the tool XRF to read the contents of NAND.

    SUPERFUN

    Requirement:
    - USB
    - xboxunattend script

    Place a superfun.xboxunattend, or any *.xboxunattend script of your choice, on a USB and plug it into your console.
    After you place it onto console, connect over SSH and navigate to where you extracted
    the utilities and then run superfun.

    Note:
    The script provided will start a fun little telnet session.

    Enjoy :)

    // B

    Sorry for any mistakes in this post; I am quite exhausted.
     


  2. KiiWii

    KiiWii Reporter
    Reviewer

    Joined:
    Nov 17, 2008
    Messages:
    11,234
    Country:
    United Kingdom
    Quality :)
     
  3. DinohScene

    DinohScene Feed Dino to the Sharks
    Moderator

    Joined:
    Oct 11, 2011
    Messages:
    20,840
    Country:
    Antarctica
    Oh nice!
     
  4. wiired24

    wiired24 Developer
    Developer

    Joined:
    Sep 3, 2013
    Messages:
    1,090
    Country:
    United States
    Exciting stuff!
     
  5. NathanBrown

    NathanBrown GBAtemp Regular
    Member

    Joined:
    Jun 19, 2018
    Messages:
    151
    Country:
    India
    What will this lead us towards? Possibly backups?
     
  6. Seelbreaker

    Seelbreaker GBAtemp Regular
    Member

    Joined:
    Mar 22, 2010
    Messages:
    199
    Country:
    Gambia, The
    Hmmm, so the Xbox One seems to have something Windows PE-like running?... (I don't have an Xbox One and don't have any clue about it).

    At least on Windows you can use sc stop, sc start and so on to control services... you can also use "sc query type= service type=" to get all services... Would be interesting to know how Xbox One differs from a current Windows 10 installation ;-)

    Windows PCs or the installation media also have an unattend.xml file which is used to predefine setup options and disk format stuff, region and so on.
    You can actually create your own unattend.xml file - put it into the root of a USB stick (the one with which you install Windows) and start the Windows setup without moving a finger after letting it load it up.

    Now I'm wondering if with those unattend.xml files you can do other stuff if the Xbox One has a reinstall feature, because you might be able to call a local cmd from within the setup and get access to the filesystem...

    Now I'm kinda curious and wanna buy an Xbox One myself :P

    Is this exploit working on all versions?
     
    Deleted User likes this.
  7. leon315

    leon315 POWERLIFTER
    Member

    Joined:
    Nov 27, 2013
    Messages:
    3,606
    Country:
    Italy
    I think the most interesting thing is ''when can we play X1 games for free''??
     
  8. Deleted User

    Deleted User Newbie

    The tool will support any version past mid-late 2017. It's also not really possible to run the standard windows setup, it's not that simple. It's a very different beast but you can run a standard win32 console app and also, through hooking and all, attach and render standard programs.
    I don't intend to ever enable privacy. And it's not happening soon.
     
    Seelbreaker likes this.
  9. leon315

    leon315 POWERLIFTER
    Member

    Joined:
    Nov 27, 2013
    Messages:
    3,606
    Country:
    Italy
    What? Privacy? Honestly, we don't care what u do under the shower :P
     
    gnmmarechal, Mazamin and NutymcNuty like this.
  10. Deleted User

    Deleted User Newbie

    Whoops, completely overlooked it. Meant piracy.
     
  11. Carltrek

    Carltrek Member
    Newcomer

    Joined:
    Jun 15, 2019
    Messages:
    20
    Country:
    China
    Seems the Telnet session is not created successfully... both SSH and Telnet cannot connect to the console. Do you need to put *.xboxunattend on an empty USB drive, or is any USB drive that the Xbox One recognizes okay?
    Edit: Okay, I made a mistake while putting the file and now SSH is on. But the SSH session is asking for a password. What's the default password for this SSH session? Leaving it empty and pressing Enter doesn't work.
     
    Last edited by Carltrek, Jun 15, 2019
  12. Lemmingscanfly

    Newcomer

    Joined:
    Mar 1, 2018
    Messages:
    12
    Country:
    Canada
    My most interesting thing is, "when can I emulate every other game I already own?"
     
    islender, Vorde and slaphappygamer like this.
  13. Deleted User

    Deleted User Newbie

    The password to DevToolsUser is available in the Windows Device Portal. You can access that through https://xboxone:11443 (replace xboxone with your IP). However, if you've formatted your USB as NTFS and put the script on the root of it then run superfun it'll be fine.
     
    Carltrek likes this.
  14. Deleted User

    Deleted User Newbie

    Additional note: the password for "DevToolsUser" might be the pin from the Visual Studio pin. I can't recall but in Dev Home hit Show Visual Studio Pin and use that for password.
     
    DefaultAccount likes this.
  15. Carltrek

    Carltrek Member
    Newcomer

    Joined:
    Jun 15, 2019
    Messages:
    20
    Country:
    China
    Don't mean to sound funny here, but after fiddling in the Xbox remote access webpage for a while, I still can't find the DevToolsUser password. I checked Microsoft's help webpage, and they didn't notice this either. Visual Studio pairing key in Xbox Dev Home is not working.
     
    Last edited by Carltrek, Jun 15, 2019
  16. jammybudga777

    jammybudga777 GBAtemp Addict
    Member

    Joined:
    Aug 23, 2013
    Messages:
    2,236
    Country:
    What benefits are there to this?
     
  17. Deleted User

    Deleted User Newbie

    I'll double check for you. The pairing key should be working.

    — Posts automatically merged - Please don't double post! —

    Running as an elevated user allows the read and write functionality of flash, the ability to interact with pipes/drivers, read/write process memory and more. It's useful for many things if you're interested in digging around. It's been useful for a couple findings.
     
    jammybudga777 likes this.
  18. azoreseuropa

    azoreseuropa GBAtemp Legend
    Member

    Joined:
    Nov 6, 2002
    Messages:
    10,343
    Country:
    Portugal
    I will grab XBOX One for the first time if they are running backup games for all FW. :)
     
  19. Deleted User

    Deleted User Newbie

    I just logged in to DevToolsUser using the pairing key. Have you entered it correctly? There's a chance that it may have reset before you entered but I just did it again.
     
  20. wakabayashy

    wakabayashy GBAtemp Advanced Fan
    Member

    Joined:
    Dec 25, 2014
    Messages:
    635
    Country:
    France
    we have to hope that a CFW will be working on ~~
     