pedrom Posted February 8, 2018 (edited): Hello community, I'm a guy who is into reverse engineering and networking a lot. I'm a bit known in the Call of Duty modding scene for emulating DemonWare (the backend master server used in every recent CoD title) and basically modifying the game's core by giving it extra features that were not planned in the game. Anyway, I know of a remote code execution exploit that exists in every single CoD title and was patched by Activision a few years back. The Vita version, however, seems to be unpatched. With a little bit of DemonWare emulation on the Vita by changing the DNS address and running the emulator on my computer, I was able to send a command to the client (Vita running CoD) and the RCE was "successful" (I didn't actually execute any CPU instructions, I just filled the buffer with random stuff and it crashed, but I know this is an RCE since it's the same one that was also present in the PC version). Now here's the thing: since I'm a newbie when it comes to Vita modding and whatnot, I'm not sure if this exploit will be useful for hackers to attack the latest Vita 3.67 firmware. So that is exactly my question: if I shared the exploit, would it even be useful for hackers? If it is, let me know who the right people are for me to send them everything they need to know about this. Edited February 8, 2018 by pedrom
Djdragon44 Posted February 8, 2018: Very interesting... But I suppose more importantly, what can this "RCE" command do, exactly? Does it allow you to run commands remotely on the Vita? Write information to the memory? In theory, if it works, could one write an exploit to cause a memory overflow and write into unallocated memory to trigger an exploit chain? Or is this more of a "cheat online" kind of exploit? I'm not super well versed in the world of exploiting and what-not, but it seems very interesting.
pedrom Posted February 8, 2018 (edited): 3 hours ago, Djdragon44 said: "Very interesting... But I suppose more importantly, what can this 'RCE' command do, exactly? Does it allow you to run commands remotely on the Vita? Write information to the memory? In theory, if it works, could one write an exploit to cause a memory overflow and write into unallocated memory to trigger an exploit chain? Or is this more of a 'cheat online' kind of exploit? I'm not super well versed in the world of exploiting and what-not, but it seems very interesting." It basically means you can remotely execute any machine code you'd like from your computer. Here's a good explanation: it's a stack overflow exploit, basically. The game uses a statically allocated buffer to store the received packet, but the developers forgot to add a size/length check to make sure the data won't overflow before memcpy'ing it into the static buffer, and so it will memcpy it using the received packet's length instead of the static buffer's length, hence overflowing the remaining data into the stack. This exploit can be used to make the stack's return address point to our custom code (what I call the "exploit buffer"), and this is where I'm a bit lost. I don't know how much freedom our "custom code" can have in terms of exploiting the actual Vita firmware. Since the game is run in user mode, I assume this exploit might not be of much help, but maybe it can be used to run Vita homebrews, or even boot other Vita titles? I'm totally not sure, hence why I'm willing to hand this exploit over to someone who knows what to make of it better than I. Edited February 8, 2018 by pedrom
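The bug class pedrom describes (a fixed-size receive buffer filled with memcpy using the sender's declared length, with no check against the buffer's own size) is the textbook missing bounds check. The following is an added example, not code from the thread or from the game: a constructed two-byte-length-prefixed packet format (not DemonWare's real protocol) with a hardened parser that rejects oversized and truncated packets, and the unchecked pattern shown only as a comment for contrast.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example only (hypothetical, not the
 * real game protocol): [2-byte big-endian payload length][payload bytes] */
#define MAX_PAYLOAD 64

struct packet {
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];   /* fixed-size destination buffer */
};

/* The pattern described in the thread, shown for contrast and never called:
 *   memcpy(p->payload, data + 2, declared);   // trusts the sender's length
 * When declared > MAX_PAYLOAD this writes past payload[], and if the struct
 * lives on the stack the excess lands in the caller's frame. */

/* Hardened parser: 0 on success, -1 if the packet is malformed. */
int parse_packet(const uint8_t *data, size_t n, struct packet *p)
{
    if (n < 2) return -1;                        /* need the length header */
    size_t declared = ((size_t)data[0] << 8) | data[1];
    if (declared > MAX_PAYLOAD) return -1;       /* would overflow payload[] */
    if (declared > n - 2) return -1;             /* header claims more than received */
    p->len = (uint16_t)declared;
    memcpy(p->payload, data + 2, declared);      /* bounded by both checks above */
    return 0;
}

/* Test helper: writes a packet whose header claims `declared` bytes but which
 * actually carries `present` payload bytes (0xAB filler). Returns total size.
 * Caller's buffer must hold 2 + present bytes. */
size_t build_packet(uint8_t *out, size_t declared, size_t present)
{
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xFF);
    memset(out + 2, 0xAB, present);
    return 2 + present;
}

int main(void)
{
    uint8_t wire[300];
    struct packet p;
    size_t n = build_packet(wire, 512, 200);     /* header says 512 > MAX_PAYLOAD */
    printf("oversized packet -> %d\n", parse_packet(wire, n, &p));   /* -1 */
    n = build_packet(wire, 5, 5);
    printf("valid packet     -> %d (len %u)\n", parse_packet(wire, n, &p), p.len);
    return 0;
}
```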
Djdragon44 Posted February 8, 2018: @pedrom Very interesting! I might know someone, who might know someone lol. @TheRadziu You aware of this/think you know anyone who might be interested in such an exploit?
pedrom Posted February 8, 2018: Thank you @Djdragon44. Let's all pray for 3.67 "customizability". I hope I don't sound like I'm dreaming.
Super X Posted February 9, 2018: @pedrom, sounds very nice! @Djdragon44, I think the ENSO team would be the best to send the exploit to? @TheRadziu, what do you say?