+---------------------------------------+
| Header |
|---------------------------------------|
| #!/usr/bin/env python3 |
| # Copyright and License |
+---------------------------------------+
| Import Libraries | ## Explantation 1
|---------------------------------------|
| from argparse import ArgumentParser |
| from scapy.all import * |
| from scapy.layers.ppp import * |
| from struct import pack, unpack |
| from sys import exit |
| from time import sleep |
| from offsets import * |
+---------------------------------------+
|
v
+---------------------------------------+
| Constants |
|---------------------------------------|
| PPPoE Constants | ## Explanation 2
|---------------------------------------|
| PPPOE_TAG_HUNIQUE, PPPOE_TAG_ACOOKIE, |
| PPPOE_CODE_PADI, ... |
|---------------------------------------|
| FreeBSD Constants |
|---------------------------------------|
| NULL, PAGE_SIZE, ... |
|---------------------------------------|
| FreeBSD Offsets |
|---------------------------------------|
| TARGET_SIZE, PPPOE_SOFTC_SC_DEST, ... |
+---------------------------------------+
|
v
+---------------------------------------+
| Helper Functions |
|---------------------------------------| # Explanation 3
| p8, p16, p16be, p32, p32be, p64, p64be|
+---------------------------------------+
|
v v---------------------------------------------------------------|
+-----------------------+ +---------------------------------------+ |
| LcpEchoHandler | | Exploit Class | v
|-----------------------| |---------------------------------------| # Explanation 4
| __init__ | | __init__(self, offs, iface, stage1, |
| handler | | stage2, stage3, stage4) |
| | | kdlsym(self, ksym) |
+-----------------------+ | lcp_negotiation(self) |
| ipcp_negotiation(self) |
| | ppp_negotation(self) |
v | build_fake_ifnet(self, fake_ifnet_ptr)|
Uses AsyncSniffer | build_overflow_lle(self) |
| build_fake_lle(self, lleak) |
| build_first_rop(self, overflow_ifnet, |
| lleak) |
| build_second_rop(self, kernel_leak, |
| lleak) |
| | execute(self) |
v | send_padi(self) |
| send_padr(self, source) | # Explanation 5
| send_lcp(self, lcp_pkt) |
| send_ipcp(self, ipcp_pkt) |
| recv_lcp(self) |
| recv_ipcp(self) |
| ppp_auth(self) |
| do_exploit(self) |
+---------------------------------------+
| | |
v v v
+----------------------------------------------------------+
| Relationships |
|----------------------------------------------------------|
| Exploit <-----------------------------------> Constants | # Explanation 6
| Exploit <-----------------------------------> Functions |
| LcpEchoHandler <----------------------------> scapy |
| Exploit <-----------------------------------> offsets |
+----------------------------------------------------------+
|
v
+---------------------------------------+
| Stage 1: Initial Setup |
|---------------------------------------|
| Send and receive PADI and PADO packets| # Explanation 7
| Send and receive PADR and PADS packets|
| Setup PPP connections |
+---------------------------------------+
|
v
+---------------------------------------+
| Stage 2: Defeat KASLR |
|---------------------------------------|
| Defeat KASLR using leak techniques | # Explanation 8
| Use leaked address information |
| to build ROP chains |
+---------------------------------------+
|
v
+---------------------------------------+
| Stage 3: Build First ROP |
|---------------------------------------|
| Build first ROP chain |
| Build Second Rop chain | # Explanation 9
| Exploit memory leaks |
| Create fake data structures |
+---------------------------------------+
|
v
+---------------------------------------+
| Stage 4: Final Exploitation |
|---------------------------------------|
| Execute second ROP chain | # Explanation 10
| Run malicious instructions |
| Complete the exploit |
+---------------------------------------+
This section imports the necessary libraries and defines the environment for the script.
This section defines constants related to PPPoE and FreeBSD that are used throughout the exploit.
These functions assist with data manipulation and packing/unpacking of values for network communication and memory operations.
This class handles LCP echo requests and responses using an asynchronous sniffer from the scapy library.
This class manages the core exploit functionality, including network packet exchanges and memory exploitation processes.
This section illustrates the interconnections between different components and classes within the script.
This stage establishes initial PPPoE connections by exchanging discovery packets (PADI, PADO, PADR, PADS) to set up a valid PPP session.
This stage defeats Kernel Address Space Layout Randomization (KASLR) by using information leaks to discover kernel addresses, which are essential for building return-oriented programming (ROP) chains.
This stage constructs the initial ROP chain, leveraging memory leaks to manipulate kernel structures and set up the exploit environment.
The final stage executes the second ROP chain to perform the intended malicious actions, thereby completing the exploit.