Closed Barrytoo closed 6 months ago
xfangfang
commented
6 months ago @Barrytoo Have you try the latest build?
https://github.com/xfangfang/PPPwn_cpp/actions/runs/9246663223 https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip
MIPS has two versions, try them both if you don't know which one you should use:
mips-linux-musl
mipsel-linux-musl
Barrytoo
commented
6 months ago Yep, I'm aware of this and have already tried all the up-to-date builds around an hour ago
One thing that I can't explain is that @MODDEDWARFARE 's at least runs and triggers the syntax error, whereas yours doesn't even entertain the idea! They throw the permission error and don't even run. Understandable for non-compatible builds like arm, x86, etc., but I can't make sense of it for the mips builds,
The reason I'm bringing up @MODDEDWARFARE 's build is that, if I understand correctly, his files are based on yours. The only difference is that yours are updated daily, and his are a week old, if this info helps.
xfangfang
commented
6 months ago Let me ask again, have you tried this content?
https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip
If you have tried, please send the complete log (starting from download: https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip)
Barrytoo
commented
6 months ago I have tried every mips-linux-musl and mipsel-linux-musl build that was released in the past week.
Regarding the log, is it just copying console's lines or is there something else you want me to do?
xfangfang
commented
6 months ago Because I don't think it might raise an error (if the device model you provided is correct), I think the error may be due to your actions, so I need to look at what you have done.
I don't speak English, so some vocabulary expressions may not be very accurate (because through translation software), but logs can clearly display everything
xfangfang
commented
6 months ago If you are sure that mips or mipsel are not working well (reporting the same error: syntax error: unexpected word ...), then try arm
do the followings:
cat /proc/cpuinfowget -q https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip
unzip mips-linux-musl.zip
tar -xzvf pppwn.tar.gz
./pppwnBecause I don't think it might raise an error (if the device model you provided is correct), I think the error may be due to your actions, so I need to look at what you have done.
I don't speak English, so some vocabulary expressions may not be very accurate (because through translation software), but logs can clearly display everything
Sure, I'll provide more details shortly. As for the device, this is its page on OpenWRT: https://openwrt.org/toh/netgear/dgnd3700_v2
It's exactly what I have, and it's architecture is mips, doubly confirmed by running "uname -m" in the console.
I appreciate your hussle, and I'll be as easy to deal with as possible.
Barrytoo
commented
6 months ago If you are sure that mips or mipsel are not working well (reporting the same error: syntax error: unexpected word ...), then try arm
do the followings:
cat /proc/cpuinfowget https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip unzip mips-linux-musl.zip tar -xzvf pppwn.tar.gz ./pppwn
Regarding ARM, I have tried all your builds including the following: aarch64-linux-musl aarch64-macos-none aarch64-windows-gnu arm-linux-musleabi(cortex_a7) arm-linux-musleabi(mpcorenovfp) arm-linux-musleabi(pi_zero_w) mips-linux-musl mipsel-linux-musl x86-windows-gnu x86-windows-gnu(win7) x86_64-linux-musl x86_64-macos-none x86_64-windows-gnu x86_64-windows-gnu(win7)
They all give the same permission denied error.
I have run "cat /proc/cpuinfo", and here's the outcome:
root@OpenWrt:~# cat /proc/cpuinfo system type : bcm63xx/96362ADVN2xh (0x6362/0xB0) machine : Netgear DGND3700v2 processor : 0 cpu model : Broadcom BMIPS4350 V7.0 BogoMIPS : 398.13 wait instruction : yes microsecond timers : yes tlb_entries : 32 extra interrupt vector : yes hardware watchpoint : no isa : mips1 mips2 mips32r1 ASEs implemented : Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases shadow register sets : 1 kscratch registers : 0 package : 0 core : 0 VCED exceptions : not available VCEI exceptions : not available
processor : 1 cpu model : Broadcom BMIPS4350 V7.0 BogoMIPS : 398.13 wait instruction : yes microsecond timers : yes tlb_entries : 32 extra interrupt vector : yes hardware watchpoint : no isa : mips1 mips2 mips32r1 ASEs implemented : Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases shadow register sets : 1 kscratch registers : 0 package : 0 core : 0 VCED exceptions : not available VCEI exceptions : not available
xfangfang
commented
6 months ago Could you run the following in your router, and show me the log:
wget -q https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip
unzip mips-linux-musl.zip
tar -xzvf pppwn.tar.gz
./pppwnI believe your judgment, I just want to confirm again
Barrytoo
commented
6 months ago I've run your commands and the output is attached.
Of course, I have skipped the part that includes installing OpenWRT on the router, and placing MODDEDWARFARE's files on the router.
To make it short, here are his commands that I ran successfully: opkg update wget https://github.com/MODDEDWARFARE/PPPwn_WRT/raw/main/install.sh chmod +x install.sh && . ./install.sh
Then, running "./run.sh" throw's the syntax error using his pppwn_mips, and the permission error using yours.
The log doesn't really cover much beyond that, but if you still want the full log for his commands as well, then please lemme know and I'll reset the router, again, do it from scratch, and provide the log for his commands.
xfangfang
commented
6 months ago This is what I want to know, your issue has nothing to do with pppwn_cpp.
root@OpenWrt:~# ./pppwn
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
...This means that pppwn_cpp can run normally on your router.
This is what I did on my own router:
./pppwn --interface lan1 --stage1 stage1.bin --stage2 stage2_9.00.bin --fw 900 -t 10 -bs 10240 -a --web -rs &Then, pick up your phone, open browser and access 192.168.1.1:7796 (192.168.1.1 is my router address)
see the readme for more information
Barrytoo
commented
6 months ago I've run your command with some modifications to fit what I have. Here it is: Log.txt
Then I tried to follow your address, it returned this:
I usually connect to my router in PuTTY using port 22, so I tried 192.168.1.1:22 and here's the outcome:
Let me know what else do you need me to provide.
Thanks mate
xfangfang
commented
6 months ago Do you really know how to use Linux ?
wget -q https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip
unzip mips-linux-musl.zip
tar -xzvf pppwn.tar.gz
./pppwnIf the above command can successfully run ./pppwn, you need to find out why it appears here now: root@OpenWrt:~# -ash: ./pppwn: Permission denied
After all, these are the same command.
pmgcosta
commented
6 months ago @Barrytoo Have you try the latest build?
https://github.com/xfangfang/PPPwn_cpp/actions/runs/9246663223 https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip
MIPS has two versions, try them both if you don't know which one you should use:
mips-linux-muslmipsel-linux-musl
I have try both version but i got this.
root@OpenWrt:~/PPPwn_WRT-main# cat /proc/cpuinfo system type : MediaTek MT7620N ver:2 eco:6 machine : Nexx WT3020 (8M) processor : 0 cpu model : MIPS 24KEc V5.0 BogoMIPS : 385.84 wait instruction : yes microsecond timers : yes tlb_entries : 32 extra interrupt vector : yes hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb] isa : mips1 mips2 mips32r1 mips32r2 ASEs implemented : mips16 dsp Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc pindexed_dcache userlocal vint perf_cntr_intr_bit nan_legacy nan_2008 perf shadow register sets : 1 kscratch registers : 0 package : 0 core : 0 VCED exceptions : not available VCEI exceptions : not available
root@OpenWrt:~/PPPwn_WRT-main# ls
install.sh kill.sh pppwn pppwn_mips run.sh settings.cfg stage1_1100.bin stage2_1100.bin
root@OpenWrt:~/PPPwn_WRT-main# ./pppwn
root@OpenWrt:~/PPPwn_WRT-main# ./pppwn_mips
In the previous version i can run int without issue, but allways stuck on Stage 3 last line, never got to stage4
[] Sending LCP configure ACK... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [] Sending IPCP configure request... [*] Waiting for IPCP configure ACK... > stuck.........
[+] STAGE 4: Arbitrary payload execution > never got stage4 only be able to do it on a windows machine [*] Sending stage2 payload... [+] Done! > never got stage4 only be able to do it on a windows machine
pi-three
commented
6 months ago Hi @Barrytoo,
Could you enter this then try to run it again?
chmod +x /root/PPPwn_WRT-main/pppwn
chmod +x /root/PPPwn_WRT-main/pppwn_mips@Barrytoo Because the content discussed in this issue is no longer related to pppwnd_cpp, I will close this issue.
@pi-three As long as pppwn is downloaded from the current repository, there should not be a need to manually adjust permissions, as we used tar to package the pppwn, which will retain execution permissions.
@pmgcosta If stuck at any stage, please provide a complete PCAP monitoring file for analysis as stated in the comment below. I can't do anything else besides that because everyone else is fine, so I think this may be due to other reasons. feel welcome to open another issue.
https://github.com/xfangfang/PPPwn_cpp/issues/28#issuecomment-2128033406
pmgcosta
commented
6 months ago Thanks for the reply, but the stuck are for the old release available, that that new, i got
root@OpenWrt:~/PPPwn_WRT-main# ./pppwn
./pppwn: line 1: syntax error: unterminated quoted string
root@OpenWrt:~/PPPwn_WRT-main# ./pppwn_mips
./pppwn_mips: line 2: syntax error: unexpected newline
The two version of mips give me strange errors without more detail the old, "runs ok" but i keeps hang on the last line of stage 3
xfangfang
commented
6 months ago @pmgcosta Can you report the issue only with this repo? What you are talking about is executable files provided by other repo, and I am not aware of them.
Only when you download the executable file from this repository and clearly tell me which link you downloaded it from can I solve your problem.
Barrytoo
commented
6 months ago wget -q https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main/mips-linux-musl.zip unzip mips-linux-musl.zip tar -xzvf pppwn.tar.gz ./pppwnIf the above command can successfully run
./pppwn, you need to find out why it appears here now:root@OpenWrt:~# -ash: ./pppwn: Permission deniedAfter all, these are the same command.
Hi @Barrytoo,
Could you enter this then try to run it again?
chmod +x /root/PPPwn_WRT-main/pppwn chmod +x /root/PPPwn_WRT-main/pppwn_mips
Sorry for the absence, and thanks for your input.
Unfortunately, this experiment has come to an end as my router might have been bricked. Until further notice, I won't be able to provide useful feedback here.
Thanks again, and you may close this issue if no one else is facing it.
pmgcosta
commented
6 months ago @pmgcosta Can you report the issue only with this repo? What you are talking about is executable files provided by other repo, and I am not aware of them.
Only when you download the executable file from this repository and clearly tell me which link you downloaded it from can I solve your problem.
My bad, fixed with right files but i kept the same issue:
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow [+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off
[+] STAGE 0: Initialization [] Waiting for PADI... [] Waiting for PADI... [+] pppoe_softc: 0xffff954d40659800 [+] Target MAC: f8:46:1c:f4:2c:03 [+] Source MAC: 07:98:65:40:4d:95 [+] AC cookie length: 4e0 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [] Waiting for interface to be ready... [+] Generate target IPv6 from MAC address [+] Target IPv6: fe80::fa46:1cff:fef4:2c03 [+] Heap grooming...done
[+] STAGE 1: Memory corruption [+] Pinning to CPU 0...done [] Sending malicious LCP configure request... [] Waiting for LCP configure reject... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK... [] Waiting for IPCP configure request... [] Sending IPCP configure NAK... [] Waiting for IPCP configure request... [] Sending IPCP configure ACK... [+] Scanning for corrupted object...found fe80::0268:4141:4141:4141
[+] STAGE 2: KASLR defeat
[*] Defeating KASLR... [+] pppoe_softc_list: 0xffffffff9be6e578 [+] kaslr_offset: 0x1798c000
[+] STAGE 3: Remote code execution [] Sending LCP terminate request... [] Waiting for PADI... [+] pppoe_softc: 0xffff954d40659800 [+] Target MAC: f8:46:1c:f4:2c:03 [+] Source MAC: 97:df:83:9a:ff:ff [+] AC cookie length: 514 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Triggering code execution... [] Waiting for stage1 to resume... [] Sending PADT... [] Waiting for PADI... [+] pppoe_softc: 0xffff954d40659800 [+] Target MAC: f8:46:1c:f4:2c:03 [+] AC cookie length: 0 [] Sending PADO... [] Waiting for PADR... [] Sending PADS... [] Sending LCP configure request... [] Waiting for LCP configure ACK... [] Waiting for LCP configure request... [] Sending LCP configure ACK... [] Sending IPCP configure request... [] Waiting for IPCP configure ACK...
HANG.....
I have tried with this options
[+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off
and
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow [+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=on real_sleep=on
xfangfang
commented
6 months ago @pmgcosta
If stuck at any stage, please provide a complete PCAP monitoring file for analysis as stated in the comment below. I can't do anything else besides that because everyone else is fine, so I think this may be due to other reasons. feel welcome to open another issue. https://github.com/xfangfang/PPPwn_cpp/issues/28#issuecomment-2128033406
Hey all,
So, after implementing MODDEDWARFARE's PPPwn_WRT on NETGEAR DGND3700 v2, which has mips as the architecture, I get this error:
root@OpenWrt:~/PPPwn_WRT-main# ./run.sh
/root/PPPwn_WRT-main/pppwn_mips: line 1: syntax error: unexpected "("
I saw that @xfangfang adviced using his nightly builds, and have tried all of them up until today's commit, but the error changes to this for every single replaced pppwn file:
root@OpenWrt:~/PPPwn_WRT-main# ./run.sh
./run.sh: line 28: /root/PPPwn_WRT-main/pppwn_mips: Permission denied
I have exhausted every possible attempt as of now. Is there anything else to be done?
Thank you
_Originally posted by @kondratovicz in https://github.com/xfangfang/PPPwn_cpp/issues/28#issuecomment-2112888207_