xfangfang / PPPwn_cpp

C++ rewrite of PPPwn (PlayStation 4 PPPoE RCE)
GNU General Public License v3.0
380 stars 51 forks

Console suddenly turns off when "Sending IPCP configure ACK..." #48

Open leonekwolfik opened 3 months ago

leonekwolfik commented 3 months ago

When I try to run PPPwn_cpp (revision 1.0.0) with a PS4 Pro CUH-7216B on firmware 11.00, after a while the console turns off. This happens when it reaches the "Sending IPCP configure ACK..." step. Then, when I start the console again, a memory check appears.

I tried on Linux Mint and Windows 10, but both have the same problem.

The whole log:

pc:~/Desktop/ps4$ sudo ./pppwn --interface enp0s31f6 --fw 1100 --stage1 "stage1.bin" --stage2 "stage2.bin" --auto-retry
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s31f6 fw=1100 stage1=stage1.bin stage2=stage2.bin auto-retry=on

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffbda03c7d8200
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:82:7d:3c:a0:bd
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Retry after 5s...

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffbda03cc30200
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:02:c3:3c:a0:bd
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Retry after 5s...

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffbda03c7d9e00
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:9e:7d:3c:a0:bd
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Retry after 5s...

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffbda03c954e00
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:4e:95:3c:a0:bd
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Retry after 5s...

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffbda03cc33800
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:38:c3:3c:a0:bd
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Retry after 5s...

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffbda03cc31600
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:16:c3:3c:a0:bd
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
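Before tuning anything it helps to see exactly where each retry stopped. The following is an added example, not code from PPPwn or PPPwn_cpp: a small summariser for log lines in the format above, run on two constructed, abridged excerpts (one modelled on the power-off log in this report, one on a run that reaches STAGE 2 and then hangs). It counts attempts and failed corruption scans, records the highest stage reached and how many distinct `pppoe_softc` addresses were seen, and flags an attempt whose last line is still an in-progress `[*]` action, which is what a console powering off or a script hanging mid-exchange looks like in the log. The dataclass and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples (abridged, not the full logs posted in this issue) in the
# line format PPPwn and PPPwn_cpp print: "[+] result", "[*] action in progress",
# "[-] failure". Every "[+] STAGE 0:" header opens a new attempt.
LOG_POWER_OFF = """\
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffbda03c7d8200
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[*] Sending malicious LCP configure request...
[*] Sending IPCP configure ACK...
[-] Scanning for corrupted object...failed.
[*] Retry after 5s...
[+] STAGE 0: Initialization
[+] pppoe_softc: 0xffffbda03cc30200
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[*] Sending IPCP configure ACK...
"""

LOG_KASLR_HANG = """\
[+] STAGE 0: Initialization
[+] pppoe_softc: 0xffffc6e040a01200
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[+] Scanning for corrupted object...found fe80::1ff3:4141:4141:4141
[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
"""

STAGE_RE = re.compile(r"^\[\+\] STAGE (\d+):")
SOFTC_RE = re.compile(r"^\[\+\] pppoe_softc: (0x[0-9a-fA-F]+)")


@dataclass
class Attempt:
    softc: Optional[str] = None  # kernel address leaked in STAGE 0
    last_stage: int = 0
    last_line: str = ""
    failed: bool = False  # saw a "[-]" line in this attempt


def parse_attempts(text: str) -> List[Attempt]:
    """Split a PPPwn-style log into attempts, one per "STAGE 0" header."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in text.splitlines():
        m = STAGE_RE.match(line)
        if m and int(m.group(1)) == 0:
            cur = Attempt()
            attempts.append(cur)
        if cur is None:
            continue  # banner/args lines before the first STAGE 0
        if m:
            cur.last_stage = int(m.group(1))
        m = SOFTC_RE.match(line)
        if m:
            cur.softc = m.group(1)
        if line.startswith("[-]"):
            cur.failed = True
        cur.last_line = line
    return attempts


def summarize(text: str) -> Dict[str, object]:
    attempts = parse_attempts(text)
    last = attempts[-1] if attempts else Attempt()
    return {
        "attempts": len(attempts),
        "failed_scans": sum(a.failed for a in attempts),
        "max_stage": max((a.last_stage for a in attempts), default=0),
        "distinct_softc": len({a.softc for a in attempts if a.softc}),
        "last_line": last.last_line,
        # An attempt whose final line is still an in-progress "[*]" action,
        # with no "[-]" failure, stopped mid-exchange: the console powered
        # off or the script hung at that step.
        "last_attempt_incomplete": last.last_line.startswith("[*]") and not last.failed,
    }


if __name__ == "__main__":
    for name, log in (("power-off", LOG_POWER_OFF), ("kaslr-hang", LOG_KASLR_HANG)):
        print(name, summarize(log))
```

To use it on a real run, redirect the tool's output to a file and pass the file contents to `summarize()`; a high `failed_scans` count with `max_stage` stuck at 1 points at the grooming parameters, while `last_attempt_incomplete` with the last line at an IPCP or KASLR step points at the console side.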
leonekwolfik commented 3 months ago

I have tried with different network cables and different USB flash drives, but the problem always repeats.

xfangfang commented 3 months ago

@leonekwolfik Please use the Python version for testing. If the Python version has the same issue, then I don't know the reason; PPPwn_cpp is just a simple rewrite to make it easier to run on more platforms.

leonekwolfik commented 3 months ago

I tried with Python version but I have the same problem.

pc:~/Desktop/ps4/PPPwn$ sudo venv/bin/python3 pppwn.py --interface=enp0s31f6 --fw=1100
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s31f6 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffb04816271200
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:12:27:16:48:b0
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
leonekwolfik commented 3 months ago

I also wanted to report the problem on https://github.com/TheOfficialFloW/PPPwn but there is no Issues tab.

xfangfang commented 3 months ago

Then you need to adjust some parameters for your own PS4.

Find these lines in the Python script and adjust them up or down:

SPRAY_NUM = 0x1000
PIN_NUM = 0x1000
CORRUPT_NUM = 0x1

HOLE_START = 0x400
HOLE_SPACE = 0x10

sleep(0.001)

When you find a suitable value, please leave me a message and I will add more parameters for everyone to customize.

leonekwolfik commented 3 months ago

Ok, thank you. With the values:

class Exploit():
    SPRAY_NUM = 0x2000  # 0x1000 -> 0x2000
    PIN_NUM = 0x0800   # 0x1000 -> 0x0800
    CORRUPT_NUM = 0x2  # 0x1 -> 0x2

    HOLE_START = 0x800  # 0x400 -> 0x800
    HOLE_SPACE = 0x20   # 0x10 -> 0x20

    sleep(0.002)  # 0.001 -> 0.002

I'm able to get to stage 2, but the script hangs at [*] Defeating KASLR...

 pc:~/Desktop/ps4/PPPwn$ sudo venv/bin/python3 pppwn.py --interface=enp0s31f6 --fw=1100
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s31f6 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffc6e040a01200
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:12:a0:40:e0:c6
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::1ff3:4141:4141:4141

[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
leonekwolfik commented 3 months ago

I'll try with other values.

annahana commented 3 months ago

For clarification. SPRAY_NUM = 0x1000 # higher just increases the likelihood of a corruption on the first run, but increases the freezing of the console. Most times after a minute the freezing stops and the process will finish. Lower numbers just lower the possibility of the corruption. 0x800 should be enough in most cases.

PIN_NUM = 0x1000 # higher just increases the likelihood of a corruption on the first run, but increases the freezing of the console. Most times after a minute the freezing stops and the process will finish. Lower numbers just lower the possibility of the corruption. 0x800 should be enough in most cases.

Both should absolutely not be higher than 6ffff, because higher could be interpreted as negative numbers in some cases.

CORRUPT_NUM = 0x1 # is just the last tested number of corruptions. It could be increased to 0xff or higher to speed up the corruption test, because the corruption needs many packets to pin scheduling on CPU 0, which means that corruption is impossible with lower numbers.

sleep(0.001) can help in some cases but could stop the network traffic in other cases.

I don't see any reason for HOLE_START & HOLE_SPACE to be changed from what they are. See if (i >= HOLE_START && i % HOLE_SPACE == 0) { continue;
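To see what the HOLE_START / HOLE_SPACE rule quoted above actually does to the spray layout, here is an added example (not code from PPPwn or PPPwn_cpp) that replays the skip rule over slot indices for the default values xfangfang quoted from pppwn.py and for the values leonekwolfik reported reaching STAGE 2 with. It models which slots are allocated and which are left as holes; it builds and sends nothing. The parameter dictionaries and function names are my own.

```python
from typing import Dict, List, Tuple

# Parameter sets discussed in this thread. DEFAULT is what xfangfang quoted from
# pppwn.py; TUNED is the set leonekwolfik reported reaching STAGE 2 with.
DEFAULT = {"spray_num": 0x1000, "hole_start": 0x400, "hole_space": 0x10}
TUNED = {"spray_num": 0x2000, "hole_start": 0x800, "hole_space": 0x20}


def groom_plan(spray_num: int, hole_start: int, hole_space: int) -> Tuple[List[int], List[int]]:
    """Return (sprayed, holes): which of the spray_num slots get an allocation
    and which are skipped, applying the rule annahana quoted:
        if (i >= HOLE_START && i % HOLE_SPACE == 0) continue;
    This models slot indices only (added example, not the project's code)."""
    if spray_num <= 0 or hole_space <= 0:
        raise ValueError("spray_num and hole_space must be positive")
    sprayed: List[int] = []
    holes: List[int] = []
    for i in range(spray_num):
        if i >= hole_start and i % hole_space == 0:
            holes.append(i)  # slot left unallocated for the corruption target
        else:
            sprayed.append(i)
    return sprayed, holes


def plan_summary(spray_num: int, hole_start: int, hole_space: int) -> Dict[str, int]:
    sprayed, holes = groom_plan(spray_num, hole_start, hole_space)
    return {
        "sprayed": len(sprayed),
        "holes": len(holes),
        "first_hole": holes[0] if holes else -1,
        "last_hole": holes[-1] if holes else -1,
        # allocated slots between two consecutive holes
        "filled_between_holes": hole_space - 1,
    }


def compare(a: Dict[str, int], b: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Only the summary fields that differ between two parameter sets."""
    sa, sb = plan_summary(**a), plan_summary(**b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}


if __name__ == "__main__":
    print("default:", {k: hex(v) for k, v in plan_summary(**DEFAULT).items()})
    print("tuned:  ", {k: hex(v) for k, v in plan_summary(**TUNED).items()})
    print("changed:", compare(DEFAULT, TUNED))
```

Both parameter sets leave exactly 0xC0 holes, because spray_num, hole_start and hole_space were all doubled together; what changed is where the first hole sits and how many allocated slots separate consecutive holes. That is worth knowing before adjusting only one of the three values, since changing hole_space alone does change the hole count.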

JeffersonLupinacci commented 3 months ago

The same thing happens with my PS4. Could it be something related to the device's network card?

PS4 Slim CUH-2216B, firmware 11.00, purchased in Spain; installed firmware 11.00 from scratch.

Dark-life944 commented 3 months ago

> For clarification. SPRAY_NUM = 0x1000 # higher just increases the likelihood of a corruption on the first run, but increases the freezing of the console. Most times after a minute the freezing stops and the process will finish. Lower numbers just lower the possibility of the corruption. 0x800 should be enough in most cases.
>
> PIN_NUM = 0x1000 # higher just increases the likelihood of a corruption on the first run, but increases the freezing of the console. Most times after a minute the freezing stops and the process will finish. Lower numbers just lower the possibility of the corruption. 0x800 should be enough in most cases.
>
> Both should absolutely not be higher than 6ffff, because higher could be interpreted as negative numbers in some cases.
>
> CORRUPT_NUM = 0x1 # is just the last tested number of corruptions. It could be increased to 0xff or higher to speed up the corruption test, because the corruption needs many packets to pin scheduling on CPU 0, which means that corruption is impossible with lower numbers.
>
> sleep(0.001) can help in some cases but could stop the network traffic in other cases.
>
> I don't see any reason for HOLE_START & HOLE_SPACE to be changed from what they are. See if (i >= HOLE_START && i % HOLE_SPACE == 0) { continue;

Yeah, you are right, and time sleep(1) also does something. SPRAY_NUM = 0x2500 will make it show NS on Wireshark, and CORRUPT_NUM = 0x5 will find the corrupted object almost every time; these values are the nice ones for it. PIN_NUM = 0x1200 will pin the CPU fast and is helpful on heap grooming too. I made a tool to try these values; you can find it on my repo.

leonekwolfik commented 2 months ago

With the last IPv6 address update the PPPwn work on my console. Thank you.