Developer unknownv2 has released a proof of concept exploit for the Xbox One. The exploit leverages a series of known vulnerabilities in the Microsoft Edge Browser (CVE-2016-7200 and CVE-2016-7241).
The target is Microsoft Edge, the browser Microsoft shipped to replace Internet Explorer; both bugs live in its Chakra JavaScript engine.
In November last year, several critical vulnerabilities were found in the Edge browser, and disclosed by Microsoft as they patched them. A proof of concept was released for these vulnerabilities by developer Brian Pak, demonstrating how to use them in an exploit. This is known as the Chakra exploit, and a good read on the topic can be found here.
Hacker unknownv2 has built his Xbox One exploit on top of Brian Pak’s proof of concept. In the developer’s words:
The POC itself was mostly complete, but the first bug (CVE-2016-7200) it used was patched on the console. I used the Json.Parse bug (CVE-2016-7241) to leak addresses instead, and after a bit of tweaking with the values I was able to get the correct address for chakra.dll. From there, I modified the POC by changing the code addresses for the gadgets and the VirtualProtect function call to make the shellcode executable.
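The step the developer describes as "changing the code addresses for the gadgets" is plain address arithmetic: an info leak yields one pointer into chakra.dll, the module base is recovered from it, and every gadget in the ROP chain (plus the VirtualProtect call) is rebased onto that base. The following is an added example written for this page; it is not code from unknownv2's exploit or from Theori's PoC. The leaked pointer, the symbol offset and the gadget offsets are all made-up placeholders, not real chakra.dll values, and the gadget names are illustrative.

```javascript
// Added example, not code from unknownv2's exploit or Theori's PoC.
// Demonstrates rebasing a ROP chain onto a module base recovered from a leaked
// pointer. Every offset in this file is a made-up placeholder (assumption),
// not a real chakra.dll offset.

// 64-bit addresses are kept as [hi, lo] pairs of unsigned 32-bit halves: a JS
// Number only carries 53 bits of integer precision, so exploit scripts of this
// era handled pointers as two halves rather than one Number.
function addr(hi, lo) {
  return [hi >>> 0, lo >>> 0];
}

// a + delta for an offset 0 <= delta < 2^32, carrying into the high half.
function addrAdd(a, delta) {
  const lo = a[1] + delta;
  const carry = lo >= 0x100000000 ? 1 : 0;
  return addr(a[0] + carry, lo);
}

// a - delta for an offset 0 <= delta < 2^32, borrowing from the high half.
function addrSub(a, delta) {
  let lo = a[1] - delta;
  let hi = a[0];
  if (lo < 0) {
    lo += 0x100000000;
    hi -= 1;
  }
  return addr(hi, lo);
}

function addrToHex(a) {
  return '0x' + a[0].toString(16).padStart(8, '0') + a[1].toString(16).padStart(8, '0');
}

// Recover the module base from a leaked pointer to a symbol (e.g. a vtable)
// whose offset inside the module is known for the targeted build. Windows
// maps PE images at 64 KiB granularity, so an offset table from the wrong
// build usually produces a misaligned "base"; checking that before firing the
// chain is the tweak the developer alludes to ("tweaking with the values").
function moduleBaseFromLeak(leaked, knownOffset) {
  const base = addrSub(leaked, knownOffset);
  if ((base[1] & 0xffff) !== 0) {
    throw new Error('recovered base is not 64 KiB aligned: offset table does not match this build');
  }
  return base;
}

// Turn a chain of {name, offset} entries into absolute addresses on this base.
function rebaseChain(base, chain) {
  return chain.map(g => ({ name: g.name, address: addrAdd(base, g.offset) }));
}

// Constructed sample input (hypothetical values, not from any real leak).
const LEAKED_VTABLE_PTR = addr(0x00007ff8, 0x12345678);
const VTABLE_OFFSET = 0x00345678;
const CHAIN_OFFSETS = [
  { name: 'pop rcx; ret', offset: 0x1000 },
  { name: 'pop rdx; ret', offset: 0x2000 },
  { name: 'VirtualProtect import thunk', offset: 0x3000 },
];

const moduleBase = moduleBaseFromLeak(LEAKED_VTABLE_PTR, VTABLE_OFFSET);
const ropChain = rebaseChain(moduleBase, CHAIN_OFFSETS);
ropChain.forEach(g => console.log(g.name, addrToHex(g.address)));
```

The same offset table serves any firmware build that ships the identical chakra.dll; a new build needs the offsets recomputed, which is why a console update can break the exploit even when the underlying bug is still present.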
The Xbox One runs Edge inside an AppContainer sandbox, just as Windows 10 does. Code running in the Edge process therefore has restricted access to the system's resources, and further work is needed to escalate the process's privileges, for example through a kernel exploit.
The sandbox is similar to the PS4's in the sense that it is limited in what you can do, but it's essentially the same thing as getting RCE on Edge on Windows 10.
Unknownv2's exploit works on Xbox One firmware 10.0.14393.2152 (released in December last year), according to the developer. Note that a new firmware update for the Xbox One was released earlier this week; it is not clear whether that firmware patches the vulnerabilities involved here.
Download Chakra exploit for XBox
You can get the necessary files from the developer’s github here.