MODDEDWARFARE / PPPwn_WRT

A method of running PPPwn on OpenWRT

run.sh raising an unexpected error when using the mips variant of the pppwn exploit #2

Open maephisto666 opened 1 month ago

maephisto666 commented 1 month ago
```sh
root@openwrt:~/PPPwn_WRT-main# ./run.sh
---
/root/PPPwn_WRT-main/pppwn_mips: line 1: syntax error: unexpected "("
root@openwrt:~/PPPwn_WRT-main#
```

Since pppwn_mips is compiled I cannot really understand where that error is coming from. Any help would be appreciated.

Miaush commented 1 month ago

I got the same error when I set it up a few hours ago. I opened run.sh in nano and it seems like this error happens when you don't have the right CPU architecture. My router (Fritz!Box 7362 SL), for example, doesn't use ARM or x86.

DzikiSzogun commented 1 month ago

@MODDEDWARFARE

Same here.

Specs:

* Hardware: **TP-Link Archer A6 V2 (EU)** -> CPU: [Qualcomm Atheros QCA9563 (Architecture MIPS_24KC)](https://openwrt.org/toh/hwdata/tp-link/tp-link_archer_c6_v2_eu)

* OpenWRT: **openwrt-23.05.3** ([Used the C6 firmware as well](https://www.reddit.com/r/openwrt/comments/rk5rfy/tplink_archer_a6_v2_euru_installation_gui/))

I install it manually because this router (sadly) doesn't have enough memory for 4 .bin files :(

  1. Create "PPPwn_WRT-main" in the root directory via ftp
  2. go inside the created directory and put these files in it: install.sh + kill.sh + run.sh + pppwn_mips + stage1_1100.bin + stage2_1100.bin
  3. Everything was created OK but it won't start, giving the ")" error

btw... Same error when trying to start it manually

ERROR CODE

```sh
root@OpenWrt:~/PPPwn_WRT-main# ./pppwn_mips --interface br-lan --fw 1100 --stage1 /root/PPPwn_WRT-main/stage1_1100.bin --stage2 /root/PPPwn_WRT-main/stage2_1100.bin --auto-retry
./pppwn_mips: line 1: syntax error: unexpected "("
```

My files -> DzikiSzogun-PPPwn_WRT-main.zip

Or code below:

========== [ My shortened "install.sh" ] ==========

```sh
#!/bin/sh
opkg install nano luci-app-commands
chmod +x pppwn_mips
chmod +x run.sh
chmod +x kill.sh
# Add a "PPPwn PS4" entry to the LuCI Commands page that runs run.sh
echo -e "\nconfig command\n option name 'PPPwn PS4'\n option command '/root/PPPwn_WRT-main/run.sh'" | tee -a /etc/config/luci > /dev/null
echo "br-lan" > settings.cfg
echo "1100" >> settings.cfg
# Note: this overwrites /etc/rc.local rather than appending to it
echo "cd /root/PPPwn_WRT-main && ./run.sh" > /etc/rc.local
```

========== [ My shortened "kill.sh" ] ==========

```sh
#!/bin/sh
# Find any running pppwn process (the grep pattern excludes the grep itself)
pids=$(ps | grep '[./]pppwn' | grep -v grep | awk '{print $1}')
if [ -z "$pids" ]; then
  echo "---"
else
  echo "$pids" | xargs kill
  echo "Killed the following PIDs: $pids"
fi
```

========== [ My shortened "run.sh" ] ==========

```sh
#!/bin/sh
/root/PPPwn_WRT-main/kill.sh
/root/PPPwn_WRT-main/pppwn_mips --interface br-lan --fw 1100 --stage1 /root/PPPwn_WRT-main/stage1_1100.bin --stage2 /root/PPPwn_WRT-main/stage2_1100.bin --auto-retry
```

wagnnercunha commented 1 month ago

Check this:

https://github.com/xfangfang/PPPwn_cpp/issues/28

maephisto666 commented 1 month ago

Yeah, I found the same myself and I forgot to update this thread.

I have the feeling this will take some time to be solved but it's good that the cause has been already found.


ekush commented 1 month ago

For this one, I tried the following for a TP-Link TL-WR941HP v2 router.

Router

root@OpenWrt:~# uname -m
mips
root@OpenWrt:~# cat /proc/cpuinfo
system type     : Qualcomm Atheros TP9343 rev 0
machine         : TP-Link TL-WR941HP v2
processor       : 0
cpu model       : MIPS 74Kc V5.0
BogoMIPS        : 373.55
wait instruction    : yes
microsecond timers  : yes
tlb_entries     : 32
extra interrupt vector  : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa         : mips1 mips2 mips32r1 mips32r2
ASEs implemented    : mips16 dsp dsp2
Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases perf_cntr_intr_bit cdmm contextconfig perf mm_full
shadow register sets    : 1
kscratch registers  : 0
package         : 0
core            : 0
VCED exceptions     : not available
VCEI exceptions     : not available

root@OpenWrt:~# 

I have cloned this repo (https://github.com/xfangfang/PPPwn_cpp), and run

```sh
cmake -B build -DCMAKE_BUILD_TYPE=MinSizeRel -DZIG_TARGET=mips-linux-musl -DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION='-msoft-float'
cmake --build build -t pppwn
strip build/pppwn
upx --lzma build/pppwn
```

Then I transferred the pppwn file from the build folder to the router and tried running it from there. In this case the error disappeared and the process started, but it's stuck at [*] Heap grooming...0% for quite a while. Not sure if this is because of the tiny processor of the router or not.

Output from router:

---
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=br-lan fw=1100 stage1=/root/PPPwn_WRT-main/stage1_1100.bin stage2=/root/PPPwn_WRT-main/stage2_1100.bin auto-retry=on

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0x42241670d2ffff
[+] Target MAC: 2c:cc:44:a8:eb:8c
[+] Source MAC: 00:00:24:16:70:d3
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Generate target IPv6 from MAC address
[+] Target IPv6: fe80::2ecc:44ff:fea8:eb8c
[*] Heap grooming...0%

You can try out my build (https://github.com/ekush/pppwn-mips/raw/main/pppwn_mips) and let me know if this works for your router or not.

MODDEDWARFARE commented 1 month ago

No matter how you recompile, it will not work, because it uses big endian and PPPwn_cpp was built with only little endian in mind. As a result some of the data is reversed and causes it to get stuck at 0% heap grooming.

See for details: https://github.com/xfangfang/PPPwn_cpp/issues/28

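The two diagnoses in this thread (Miaush: wrong CPU architecture; MODDEDWARFARE: big-endian MIPS vs a little-endian build) can be confirmed on the router before anything is run. When the kernel refuses to exec a binary built for another architecture or byte order, busybox ash falls back to interpreting the file as a shell script, and the raw ELF header is what produces `line 1: syntax error: unexpected "("`. The `file` utility is usually not installed on OpenWrt, so the script below reads the ELF header directly and compares the downloaded binary with one that is known to run on the router. This is an added example, not code from PPPwn_WRT or PPPwn_cpp; it assumes an `od` that accepts `-A`, `-t` and `-N` (GNU coreutils, or busybox built with CONFIG_DESKTOP, which OpenWrt's default builds enable) and uses `/bin/busybox` as the reference native binary.

```shell
#!/bin/sh
# Added example (not part of PPPwn_WRT or PPPwn_cpp): identify an ELF
# binary's class, byte order and target machine straight from its header,
# then compare it with a binary that is known to run on this router.
#
# Background: when the kernel cannot exec a file (wrong architecture or
# wrong endianness), busybox ash falls back to interpreting it as a shell
# script; the ELF header bytes then trigger messages such as
#   line 1: syntax error: unexpected "("
#
# Assumption: `od` understands -A, -t and -N (GNU coreutils, or busybox
# built with CONFIG_DESKTOP as in OpenWrt's default builds).

# Print "ELF<32|64> <LE|BE> <machine>" for an ELF file, or "not-elf".
elf_info() {
    _f="$1"
    # First 20 bytes as unsigned decimal values, one positional parameter each.
    set -- $(od -An -tu1 -N20 -v "$_f")
    # e_ident[0..3] must be 0x7f 'E' 'L' 'F'.
    if [ "$#" -lt 20 ] || [ "$1" != 127 ] || [ "$2" != 69 ] || \
       [ "$3" != 76 ] || [ "$4" != 70 ]; then
        echo "not-elf"
        return 1
    fi
    # EI_CLASS (byte 4): 1 = ELF32, 2 = ELF64.
    case "$5" in 1) _class=32 ;; 2) _class=64 ;; *) _class="?" ;; esac
    # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian. e_machine lives at
    # offsets 18-19 and is stored in the file's own byte order, so the two
    # bytes have to be combined differently for each case.
    if [ "$6" = 1 ]; then
        _order=LE; _machine=$(( ${19} + ${20} * 256 ))
    else
        _order=BE; _machine=$(( ${19} * 256 + ${20} ))
    fi
    case "$_machine" in
        3)   _name=x86 ;;
        8)   _name=MIPS ;;
        40)  _name=ARM ;;
        62)  _name=x86-64 ;;
        183) _name=AArch64 ;;
        *)   _name="e_machine=$_machine" ;;
    esac
    echo "ELF$_class $_order $_name"
}

# Succeed only when both files target the same class, byte order and machine.
# On the router, compare the downloaded binary with the native busybox:
#   same_target ./pppwn_mips /bin/busybox || echo "pppwn_mips will not run here"
same_target() {
    [ "$(elf_info "$1")" = "$(elf_info "$2")" ]
}
```

On an ath79 board such as the TP-Link devices in this thread, `elf_info /bin/busybox` reports `ELF32 BE MIPS`, and `uname -m` shows `mips` (a little-endian build would show `mipsel`). A `pppwn_mips` that reports `ELF32 LE MIPS` has the right machine but the wrong byte order; the loader rejects it just the same, and a build that does load (like ekush's) still has to handle byte order correctly inside the exploit, which is the separate problem tracked in PPPwn_cpp issue #28.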

AndreStarTrek commented 1 month ago

It looks like a solution has been found. How would I go about this to get my router updated?

Barrytoo commented 1 month ago

Hey,

I've been struggling with this error, have a look: https://github.com/xfangfang/PPPwn_cpp/issues/53#issue-2318080430

If I may ask, how did you manage to avoid the issue?

Thank you

ekush commented 1 month ago

This issue is solved. For details have a look here. Meanwhile, this is what I did and was successful.

  • Get mips-linux-musl
  • Rename the file to pppwn_mips and replace inside PPPwn_WRT-main
  • chmod +x pppwn_mips
  • Added `--real-sleep --buffer-size 10240` at the end of `/root/PPPwn_WRT-main/${script_name} --interface $interface --fw $firmware --stage1 /root/PPPwn_WRT-main/stage1_$firmware.bin --stage2 /root/PPPwn_WRT-main/stage2_$firmware.bin --auto-retry`
  • Then ./run.sh

This way everything worked on the first attempt.

AndreStarTrek commented 1 month ago

I've been trying to download it to my router with wget, but I don't seem to download anything. I don't know what I am doing wrong.

ekush commented 1 month ago

@AndreStarTrek if you do just wget https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip it might give you a file with a random name and extension. something like 928f6c6ce64687649c5988bf66216c612bfe2c0d3a......

Try wget -O mips-linux-musl.zip https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip

You can also try ftp from your local machine (try). I started having severe lag and unresponsiveness from the router after enabling ftp though. Another tip: in every step, if you are unzipping, remove the original file to save space and keep only the extracted one, otherwise you might run into not enough space.

MODDEDWARFARE commented 1 month ago

The project has been updated to include the new mips versions.

AndreStarTrek commented 1 month ago

It's been a bit, but I still would like to say thanks. Your suggestion helped ;)