Closed magpte closed 5 months ago
The PS4 initially sends a broadcast frame PADI, to seek out the PPPoE server. PPPwn responds to this with PADO, with a fake MAC address, to which the PS4 subsequently dispatches PADR.
Hence, when the device running PPPwn fails to receive PADR, such a predicament arises.
Possible causes could be that the PS4 is not directly connected to the device, or the failure in setting the network card's promiscuous mode (although this is quite unlikely).
ps4 会先发一个广播帧 PADI 用来寻找 PPPoE服务端,PPPwn 使用一个伪造的MAC地址来回复 PADO,ps4向这个MAC发送 PADR。
所以当运行 PPPwn 的设备收不到 PADR 的时候就会出现这样的问题。
比如 PS4 没有直连设备,或者网卡的混杂模式设置失败(这个应该不太可能会发生)等等
PPPwn responds to this with PADO, with a fake MAC address, to which the PS4 subsequently dispatches PADR.
Does the PADO/PADS need to have 41:41...etc
as MAC address?
I think this was just to write the python script fast and it doesn't have to do anything with the exploit itself, so maybe setting the MAC address to the actual address of the device running the exploit would solve this issue?
@Chimecho No, The MAC address sended by PPPwn changes 3 times at different stages, and 41:...41 is just the last one.
If it's just for writing programs faster, then scapy should automatically set it without specifying the MAC address, which would be faster.
@xfangfang I mean, 41:41...
is just "AAAAAA"
, I didn't dive too much into the inner workings of the exploit/overflow, just skimmed over it, but I think those fixed addresses have to do with how the rest of the code is written (eg. the b'A' * len
on the fake packets), which in turn is faster to code than filling the fields of each packet properly with the actual addresses.
Yup, also read https://hackerone.com/reports/2177925, and that's why I think the addresses don't necessarily have to be those for the exploit to work since it doesn't rely on the addresses.
Implementing the protocol properly with the actual addresses would also mean not having to plug a direct cable between the PS4 and the host, since PPPoE (the protocol per se) is thought so the server can be somewhere in the network.
To be honest, I don't fully understand the details of the code yet, which may require careful study of freebsd's code. However, if you can provide a python example, I should be able to quickly implement the corresponding c++ version .
I wish I have the time to do it 😥
I know I have to read this too: https://man.freebsd.org/cgi/man.cgi?ifnet, which is the forged fake packet somewhere in the code and maaaay have something to do with the address, maybe not. Maybe just changing the source_mac to another one would work also, but don't have the time to try it.
So far I didn't even run the exploit yet, just have been reading the source here and there and the hackerone report, and kinda understand what it does.
openwrt路由安装好PPPOE服务器插件后,请问下一步路由里再需要注入什么
openwrt 用的 IPQ807X, aarch64-linux-musl的版本能启动,但是卡[*] Waiting for PADR... PS4一直显示IP address failed