A multi-stage PE loader for @carrot_c4k3's CollateralDamage Xbox One exploit.

There are four main crates:

- `shellcode_stage1/` is the stage 1 shellcode that is embedded directly in the GameScript exploit. It is intended to be as small as possible so that less typing is required from a Rubber Ducky/Flipper if that approach is used.
- `shellcode_stage2/` is read from disk by `shellcode_stage1/`, made executable, and executed. It reads a PE file from disk, at `AppData\Local\Packages\27878ConstantineTarasenko.458004FD2C47C_c8b3w9r5va522\LocalState\run.exe`, and manually loads the PE using rspe. This shellcode can be arbitrarily large.
- `shellcode_utils/` contains common functionality shared between the shellcode stages, including function definitions and helpers to retrieve functions at runtime.
- `src/` (`shellcode_gen`) reads the resulting exe files from `shellcode_stage1/` and `shellcode_stage2/`, applies some patches, and generates a flattened .bin file.
`shellcode_stage1/` and `shellcode_stage2/` have a special `.cargo/config.toml` that merges all PE sections into a single `.text` section and ensures there are no external dependencies (i.e. no runtime linkage required). They are `#![no_std]`, `#![no_main]` binaries that resolve every platform function at runtime themselves.
`shellcode_gen/`'s main job is to read the `.text` section and apply some patches to make it position-independent. This idea came from hasherezade's project masm_shc. It has also been modified to output a new GameScript exploit file with the latest `shellcode_stage1/` automatically embedded in it, placed in `outputs/`.
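As an added illustration (this is not code from solstice, masm_shc or rust-shellcode), the following Rust program does the core of what a `.text`-flattening step has to parse, and adds the two sanity checks a practitioner wants before trusting the resulting .bin: that the section-merging linker flags really left exactly one section (otherwise data the code references is simply missing from the blob), and that the linker emitted no base relocations (a flat blob has no loader to apply them, so it would only work at its preferred image base). The PE image it parses is constructed in-process by `build_test_image`; the function and error names, and the choice to trim the section to its VirtualSize, are this example's own, not the project's.

```rust
// Added example, not code from solstice or masm_shc: the minimum a ".text
// flattening" step must parse from a PE file, plus two checks on the result.
// Offsets follow the PE/COFF layout; every name here is this example's own.
use std::convert::TryInto;

const DOS_MAGIC: &[u8] = b"MZ";
const PE_SIGNATURE: &[u8] = b"PE\0\0";
const PE32PLUS_MAGIC: u16 = 0x20b;
const COFF_HEADER_SIZE: usize = 20;
const SECTION_HEADER_SIZE: usize = 40;
const PE32PLUS_OPT_HEADER_SIZE: usize = 240;
const BASE_RELOC_DIR_OFFSET: usize = 112 + 5 * 8; // DataDirectory[5] of a PE32+ optional header

#[derive(Debug, PartialEq)]
pub enum FlattenError {
    Truncated,
    BadMagic,
    NotMerged(u16),      // number of sections found; the merge step should leave one
    HasRelocations(u32), // size of the base-relocation directory
    NoTextSection,
}

fn u16_at(b: &[u8], off: usize) -> Result<u16, FlattenError> {
    let s = b.get(off..off + 2).ok_or(FlattenError::Truncated)?;
    Ok(u16::from_le_bytes(s.try_into().unwrap()))
}

fn u32_at(b: &[u8], off: usize) -> Result<u32, FlattenError> {
    let s = b.get(off..off + 4).ok_or(FlattenError::Truncated)?;
    Ok(u32::from_le_bytes(s.try_into().unwrap()))
}

/// Returns the bytes of the single `.text` section, trimmed to VirtualSize so
/// file-alignment padding does not end up in the shellcode blob.
pub fn extract_text(image: &[u8]) -> Result<Vec<u8>, FlattenError> {
    if image.get(..2) != Some(DOS_MAGIC) {
        return Err(FlattenError::BadMagic);
    }
    let pe_off = u32_at(image, 0x3c)? as usize; // e_lfanew
    if image.get(pe_off..pe_off + 4) != Some(PE_SIGNATURE) {
        return Err(FlattenError::BadMagic);
    }
    let coff = pe_off + 4;
    let num_sections = u16_at(image, coff + 2)?;
    let opt_size = u16_at(image, coff + 16)? as usize;
    let opt = coff + COFF_HEADER_SIZE;

    // Check 1: everything must have been folded into one section.
    if num_sections != 1 {
        return Err(FlattenError::NotMerged(num_sections));
    }
    // Check 2 (PE32+ only): a non-empty base-relocation directory means the
    // linker emitted absolute addresses that nothing will fix up at runtime.
    if opt_size >= BASE_RELOC_DIR_OFFSET + 8 && u16_at(image, opt)? == PE32PLUS_MAGIC {
        let reloc_size = u32_at(image, opt + BASE_RELOC_DIR_OFFSET + 4)?;
        if reloc_size != 0 {
            return Err(FlattenError::HasRelocations(reloc_size));
        }
    }

    let hdr = opt + opt_size; // the first (and only) section header
    let name = image.get(hdr..hdr + 8).ok_or(FlattenError::Truncated)?;
    if name != b".text\0\0\0" {
        return Err(FlattenError::NoTextSection);
    }
    let virt_size = u32_at(image, hdr + 8)? as usize;
    let raw_size = u32_at(image, hdr + 16)? as usize;
    let raw_ptr = u32_at(image, hdr + 20)? as usize;
    let len = virt_size.min(raw_size);
    raw_ptr
        .checked_add(len)
        .and_then(|end| image.get(raw_ptr..end))
        .map(|s| s.to_vec())
        .ok_or(FlattenError::Truncated)
}

/// Constructed test input (not a real build artifact): a tiny PE32+ image whose
/// first section is `.text`, with `num_sections` headers in total and
/// `reloc_size` written into DataDirectory[5].Size. File alignment is 16 here.
pub fn build_test_image(code: &[u8], num_sections: u16, reloc_size: u32) -> Vec<u8> {
    let mut img = vec![0u8; 0x40]; // DOS header
    img[..2].copy_from_slice(DOS_MAGIC);
    img[0x3c..0x40].copy_from_slice(&0x40u32.to_le_bytes()); // e_lfanew
    img.extend_from_slice(PE_SIGNATURE);
    let mut coff = [0u8; COFF_HEADER_SIZE];
    coff[0..2].copy_from_slice(&0x8664u16.to_le_bytes()); // IMAGE_FILE_MACHINE_AMD64
    coff[2..4].copy_from_slice(&num_sections.to_le_bytes());
    coff[16..18].copy_from_slice(&(PE32PLUS_OPT_HEADER_SIZE as u16).to_le_bytes());
    img.extend_from_slice(&coff);
    let mut opt = [0u8; PE32PLUS_OPT_HEADER_SIZE];
    opt[0..2].copy_from_slice(&PE32PLUS_MAGIC.to_le_bytes());
    opt[BASE_RELOC_DIR_OFFSET + 4..BASE_RELOC_DIR_OFFSET + 8].copy_from_slice(&reloc_size.to_le_bytes());
    img.extend_from_slice(&opt);
    let raw_size = (code.len() + 15) & !15; // padded to the file alignment
    let raw_ptr = img.len() + SECTION_HEADER_SIZE * num_sections as usize;
    for i in 0..num_sections as usize {
        let mut hdr = [0u8; SECTION_HEADER_SIZE];
        hdr[..8].copy_from_slice(if i == 0 { b".text\0\0\0" } else { b".rdata\0\0" });
        hdr[8..12].copy_from_slice(&(code.len() as u32).to_le_bytes()); // VirtualSize
        hdr[16..20].copy_from_slice(&(raw_size as u32).to_le_bytes()); // SizeOfRawData
        hdr[20..24].copy_from_slice(&(raw_ptr as u32).to_le_bytes()); // PointerToRawData
        hdr[36..40].copy_from_slice(&0x6000_0020u32.to_le_bytes()); // CNT_CODE | MEM_EXECUTE | MEM_READ
        img.extend_from_slice(&hdr);
    }
    img.extend_from_slice(code);
    img.resize(raw_ptr + raw_size, 0xcc); // int3 fill for the alignment padding
    img
}

fn main() {
    // xor eax, eax; ret (constructed sample payload)
    let image = build_test_image(&[0x48, 0x31, 0xc0, 0xc3], 1, 0);
    match extract_text(&image) {
        Ok(blob) => println!("flattened {} bytes: {:02x?}", blob.len(), blob),
        Err(e) => eprintln!("refusing to flatten: {:?}", e),
    }
}
```

The relocation check only covers PE32+ images, which is what `x86_64-pc-windows-msvc` produces; the section check runs before any header is read, so an image that the merge step left with two or more sections is rejected even if one of them is a valid `.text`.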
This repo is a heavily modified version of b1nhack/rust-shellcode. Thank you to b1nhack for their work.
Unfortunately this project is not a proper Cargo workspace, because Cargo does not allow a different profile per crate within a workspace. See: rust-lang/cargo#8264
This project has only been built and tested using `x86_64-pc-windows-msvc` on Windows 11. It will likely build on any 64-bit Windows, but has not been tested across different versions.
- Clone this repo and its dependencies:
  `git clone https://github.com/landaire/solstice.git`
  `cd solstice`
- Ensure Rust nightly is installed:
  `rustup toolchain install nightly`
- Install `just`: https://github.com/casey/just
- Run:
  `just build-exploit`

All necessary outputs will be in the `outputs/` directory.
If you would like to test on the PC version of GameScript, the following command will execute `build-exploit` but copy the artifacts to the GameScript directory and overwrite its autosave state, so all you have to do is click "run code":
`just generate`

Currently the stage2 shellcode attempts to open and run `run.exe` out of GameScript's `LocalState` directory.
- @carrot_c4k3 for the GameScript and ntkernel exploits.
- This repo is a heavily modified version of b1nhack/rust-shellcode. Thank you to b1nhack for their work.
- Thoxy67 for their original rspe lib, which was modified.
- monoxgas/sRDI and polycone/pe-loader for their PE loaders, which served as a reference to double-check I was doing things right.
- horsicq/XPEViewer, which was useful for viewing data from PEs I was having trouble loading.