exploits-forsale/solstice

PE loader for @carrot_c4k3's GameScript Xbox One exploit

Solstice

A multi-stage PE loader for @carrot_c4k3's CollateralDamage Xbox One exploit.

Project overview

There are four main crates:

1. shellcode_stage1/ is the stage 1 shellcode that is embedded directly in the GameScript exploit. This is intended to be as small as possible so that less typing is required from a rubber ducky/Flipper if that appraoch is used.
2. shellcode_stage2/ is read by shellcode_stage1/ from disk, made executable, and executed. It reads a PE file from disk, specified at AppData\Local\Packages\27878ConstantineTarasenko.458004FD2C47C_c8b3w9r5va522\LocalState\run.exe, and manually loads the PE using rspe. This shellcode can be arbitrarily large.
3. shellcode_utils/ contains common functionality shared between the shellcode stages including function definitions and helpers to retrieve functions at runtime.
4. src/ (shellcode_gen) reads the resulting exe files from shellcode_stage1/ and shellcode_stage2/, applies some patches, and generates a flattened .bin file.

shellcode_stage1/ and shellcode_stage2/ have a special .cargo/config.toml that merges all PE sections into just a single .text section, and ensures there are no external dependencies (i.e. no runtime linkage required). They are #![no_std], #![no_main] binaries that resolve every platform function at runtime itself.

shellcode_gen/'s main job is to read the .text section and do some patches to make it position-independent. This idea was from hasherezade's project masm_shc. It has also been modified to output a new GameScript exploit file with the latest shellcode_stage1/ automatically embedded in it, placed in outputs/.

This repo is a heavily modified version of b1nhack/rust-shellcode. Thank you to b1nhack for their work.

Unfortunately this project is not a proper cargo workspace because Cargo does not allow you to specify a different profile per-crate in a workspace. See: rust-lang/cargo#8264

How to build it

This project has only been built and tested using x86_64-pc-windows-msvc on Windows 11. It will likely build on any 64-bit Windows, but has not been tested across different versions.

1. Clone this repo and its dependencies:

git clone https://github.com/landaire/solstice.git
cd solstice

2. Ensure rust nightly is installed: rust toolchain install nightly
3. Install just: https://github.com/casey/just
4. Run:

just build-exploit

All necessary outputs will be in the outputs/ directory.

If you would like to test on the PC version of GameScript, running the following command will build execute build-exploit, but will copy the artifacts to the GameScript directory and overwrite its autosave state so all you have to do is click "run code":

just generate

Currently the stage2 shellcode attempts to open and run run.exe out of GameScript's LocalState directory.

Credits

• @carrot_c4k3 for the GameScript and ntkernel exploits.
• This repo is a heavily modified version of b1nhack/rust-shellcode. Thank you to b1nhack for their work.
• Thoxy67 for their original rspe lib which was modified.
• monoxgas/sRDI polycone/pe-loader for their PE loaders which served as a reference to double-check I was doing things right
• horsicq/XPEViewer which was useful for viewing data from PEs I was having trouble loading.