Releases: DjPopol/EzPPPwn

EzPPPwn v1.22

28 Sep 20:42
190ddf1

Change Log

Fix pppwn link.

EzPPPwn V1.21

17 Jun 13:17

Change Log

  • Fix Show/Hide Console.
  • Fix Version finder
  • Use DpMessageBox instead of Standard
  • Update stage1.bin with latest TheOfficialFloW update.

Note :

If you update from the last version, you must update PPPwn C++.
stage1.bin: for all supported firmware, with TheOfficialFloW update.
stage2.bin: for 9.00, 9.50, 9.51, 9.60, 10.00, 10.01 & 11.00,
from SISTR0 with TheOfficialFloW update (GoldenHEN).

Ez PPPwn v1.20

15 Jun 23:39
b642631

Supported versions are:

  • FW 7.00 / 7.01 / 7.02
  • FW 7.50 / 7.51 / 7.55
  • FW 8.00 / 8.01 / 8.03
  • FW 8.50 / 8.52
  • FW 9.00
  • FW 9.03 / 9.04
  • FW 9.50 / 9.51 / 9.60
  • FW 10.00 / 10.01
  • FW 10.50 / 10.70 / 10.71
  • FW 11.00
    more can be added (PRs are welcome)

Requirements

- A computer with an Ethernet port (a USB adapter also works).
- Ethernet cable.
- .NET 8.0.
- Npcap.

FormConfig (Config PPPwn) :

FormPPPwn (Exploit):

  • Add Update Button.
  • Restyle Form.

FormUpdate

If any requirement is missing, the application can help you install it (Npcap, PPPwn C++, stage1.bin (embedded resource)):

  • If you decline the installation, the application will close.

FormRequired (Install requirements) :

  • If you cancel the installation, the application will close.

Usage

On your PS4:

  • Go to Settings and then Network
  • Select Set Up Internet connection and choose Use a LAN Cable
  • Choose Custom setup and choose PPPoE for IP Address Settings
  • Enter anything for PPPoE User ID and PPPoE Password
  • Choose Automatic for DNS Settings and MTU Settings
  • Choose Do Not Use for Proxy Server
  • Click Test Internet Connection to communicate with your computer

If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on Test Internet Connection. If pppwn.exe is stuck waiting for a request/response, cancel it and run it again on your computer, and then click on Test Internet Connection on your PS4.

If the exploit works, you should see an output similar to below, and you should see Cannot connect to network. followed by PPPwned printed on your PS4.

Example run

[Screenshot: example run]

EzPPPwn V1.11 with PPPwn C++

08 Jun 22:21
8c2ea51

Supported versions are:

  • FW 7.00 / 7.01 / 7.02
  • FW 7.50 / 7.51 / 7.55
  • FW 8.00 / 8.01 / 8.03
  • FW 8.50 / 8.52
  • FW 9.00
  • FW 9.03 / 9.04
  • FW 9.50 / 9.51 / 9.60
  • FW 10.00 / 10.01
  • FW 10.50 / 10.70 / 10.71
  • FW 11.00
    more can be added (PRs are welcome)

Requirements

- A computer with an Ethernet port (a USB adapter also works).
- Ethernet cable.
- .NET 8.0.
- Npcap.

FormConfig (Config PPPwn) :

  • Remove Browse stage1.bin (Embedded resource now).
  • Add options of PPPwn C++.
  • Add Set Default (use default values for PPPwn options).
  • Restyle Form.

FormPPPwn (Exploit):

  • Add Show/Hide Console.
  • Add Update PPPwn C++.
  • Add Cancel button.
  • Restyle Form.

If any requirement is missing, the application can help you install it (Npcap, PPPwn C++, stage1.bin (embedded resource)):

If you decline the installation, the application will close.

FormRequired (Install requirements) :

  • Add Cancel button.
  • If you cancel the installation, the application will close.

Usage

On your PS4:

  • Go to Settings and then Network
  • Select Set Up Internet connection and choose Use a LAN Cable
  • Choose Custom setup and choose PPPoE for IP Address Settings
  • Enter anything for PPPoE User ID and PPPoE Password
  • Choose Automatic for DNS Settings and MTU Settings
  • Choose Do Not Use for Proxy Server
  • Click Test Internet Connection to communicate with your computer

If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on Test Internet Connection. If pppwn.exe is stuck waiting for a request/response, cancel it and run it again on your computer, and then click on Test Internet Connection on your PS4.

If the exploit works, you should see an output similar to below, and you should see Cannot connect to network. followed by PPPwned printed on your PS4.

Example run

[Screenshot: example run]

EZ PPPwn-Bin-Loader v1.00

05 May 10:41

Ez PPPwn PlayStation 4 PPPoE RCE bin loader

PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for CVE-2006-4304 that was reported responsibly to PlayStation.

Supported versions are:

  • FW 8.00 / 8.01 / 8.03
  • FW 8.50 / 8.52
  • FW 9.00
  • FW 9.03 / 9.04
  • FW 9.50 / 9.51 / 9.60
  • FW 10.00 / 10.01
  • FW 10.50 / 10.70 / 10.71
  • FW 11.00
    more can be added (PRs are welcome)

The exploit only prints PPPwned on your PS4 as a proof-of-concept. In order to launch Mira or similar homebrew enablers, the stage2.bin payload needs to be adapted.

Requirements

- A computer with an Ethernet port (a USB adapter also works).
- Ethernet cable.
- Python3.

Usage

Main :
[ Script ]
- button "Browse pppwn"    : Browse pppwn.py
- button "Browse offsets"  : Browse offsets.py
- button "Save Pythons"    : Save the Python scripts (pppwn.py, offsets.py) to a directory.
                             pppwn.py and offsets.py must be in the same directory.

[ Network PC ]             : Select your NetworkInterface (connected to Playstation 4)

[ Firmware Playstation ]   : Choose Firmware version

[ Stage1 ]
- button "Browse"          : Browse stage1.bin

[ Stage2 ]
- button "Browse"          : Browse stage2.bin

[ Command ]
- button "Save Batch"      : Save Execute Batch script (.sh) as
- button "Save All To"     : Save the Python scripts and the stages to a directory
- button "Execute"         : Execute POC in new window "Console"
- button "Save Config"     : Save the config; it is loaded at startup.

Console :
- button "Save Log"        : Save log as

On your PS4:

  • Go to Settings and then Network
  • Select Set Up Internet connection and choose Use a LAN Cable
  • Choose Custom setup and choose PPPoE for IP Address Settings
  • Enter anything for PPPoE User ID and PPPoE Password
  • Choose Automatic for DNS Settings and MTU Settings
  • Choose Do Not Use for Proxy Server
  • Click Test Internet Connection to communicate with your computer

If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on Test Internet Connection. If the pppwn.py script is stuck waiting for a request/response, abort it and run it again on your computer, and then click on Test Internet Connection on your PS4.

If the exploit works, you should see an output similar to below, and you should see Cannot connect to network. followed by PPPwned printed on your PS4.

Example run

[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 07:ba:be:34:d6:ab
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::2d9:d1ff:febc:83e4
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141

[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff884de578
[+] kaslr_offset: 0x3ffc000

[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 97:df:ea:86:ff:ff
[+] AC cookie length: 0x511
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634be9200
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] AC cookie length: 0x0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...

[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!
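
The example run above reports AC cookie lengths of 0x4e0 and 0x511 during the PPPoE discovery exchange (PADI/PADO/PADR/PADS). As an added example that is not part of EzPPPwn or PPPwn, the parser below reads PPPoE discovery frames as laid out in RFC 2516 and flags an AC-Cookie tag above a size limit. The 64-byte limit, the function names and the sample frame are assumptions constructed for illustration.

```python
import struct

ETH_P_PPPOE_DISCOVERY = 0x8863                      # RFC 2516 discovery stage
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_AC_NAME, TAG_AC_COOKIE = 0x0102, 0x0104
COOKIE_LIMIT = 64   # assumption: alert threshold picked for this example


def parse_discovery(frame: bytes):
    """Return (code_name, {tag_type: value}), or None if not a valid discovery frame."""
    if len(frame) < 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    ver_type, code, _session, length = struct.unpack_from("!BBHH", frame, 14)
    if ethertype != ETH_P_PPPOE_DISCOVERY or ver_type != 0x11:
        return None
    payload = frame[20:20 + length]      # ignore Ethernet padding after the payload
    if len(payload) != length:
        return None                      # declared length exceeds captured bytes
    tags, off = {}, 0
    while off + 4 <= len(payload):
        tag_type, tag_len = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tag_len > len(payload):
            return None                  # tag overruns the payload: malformed
        tags[tag_type] = payload[off:off + tag_len]
        off += tag_len
    return CODES.get(code, hex(code)), tags


def oversized_cookie(frame: bytes, limit: int = COOKIE_LIMIT):
    """Return an alert string when a discovery frame carries a large AC-Cookie."""
    parsed = parse_discovery(frame)
    if parsed is None:
        return None
    name, tags = parsed
    cookie = tags.get(TAG_AC_COOKIE)
    if cookie is not None and len(cookie) > limit:
        return f"{name}: AC-Cookie is {len(cookie):#x} bytes (limit {limit:#x})"
    return None


def sample_pado(cookie_len: int) -> bytes:
    """Constructed sample: zeroed MACs, PADO header, AC-Name and a zero-filled cookie."""
    tags = struct.pack("!HH", TAG_AC_NAME, 2) + b"ac"
    tags += struct.pack("!HH", TAG_AC_COOKIE, cookie_len) + bytes(cookie_len)
    header = struct.pack("!BBHH", 0x11, 0x07, 0, len(tags))
    return bytes(12) + struct.pack("!H", ETH_P_PPPOE_DISCOVERY) + header + tags


if __name__ == "__main__":
    print(oversized_cookie(sample_pado(0x4E0)))
```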