Console suddenly turns off when "Sending IPCP configure ACK..." #48
Comments
I have tried with different network cables and different USB flash drives, but the problem always repeats.
@leonekwolfik Please use the Python version for testing. If the Python version has the same issue, then I don't know the reason, PPPwn_cpp is just a simple rewrite to make it easier to run on more platforms.
I tried with Python version but I have the same problem.
pc:~/Desktop/ps4/PPPwn$ sudo venv/bin/python3 pppwn.py --interface=enp0s31f6 --fw=1100
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s31f6 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin
[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffb04816271200
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:12:27:16:48:b0
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
I also wanted to report the problem on
Then you need to adjust some parameters for your own PS4. Find these codes in the Python script and adjust them up or down:
SPRAY_NUM = 0x1000
PIN_NUM = 0x1000
CORRUPT_NUM = 0x1
HOLE_START = 0x400
HOLE_SPACE = 0x10
sleep(0.001)
When you find a suitable value, please leave me a message and I will add more parameters for everyone to customize.
OK, thank you. With the values:
class Exploit():
    SPRAY_NUM = 0x2000 # 0x1000 -> 0x2000
    PIN_NUM = 0x0800 # 0x1000 -> 0x0800
    CORRUPT_NUM = 0x2 # 0x1 -> 0x2
    HOLE_START = 0x800 # 0x400 -> 0x800
    HOLE_SPACE = 0x20 # 0x10 -> 0x20
sleep(0.002) # 0.001 -> 0.002
I'm able to go to stage 2, but the script hangs on
pc:~/Desktop/ps4/PPPwn$ sudo venv/bin/python3 pppwn.py --interface=enp0s31f6 --fw=1100
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s31f6 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin
[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffc6e040a01200
[+] Target MAC: c8:63:f1:f1:b4:5b
[+] Source MAC: 07:12:a0:40:e0:c6
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fef1:b45b
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::1ff3:4141:4141:4141
[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
I'll try with other values.
For clarification.
PIN_NUM = 0x1000 # higher just increases the likelihood of a corruption on the first run, but increases the freezing of the console. Most times after a minute the freezing stops and the process will finish. Lower numbers just lower the possibility of the corruption. 0x800 should be enough in most cases. Both should absolutely not be higher than 6ffff because higher could be interpreted as negative numbers in some cases.
CORRUPT_NUM = 0x1 # is just the last to tested number of corruption. Could be increased to 0xff or higher to speed up the corruption test because the corruption needs many packets to pin scheduling on CPU 0. Which means that corruption is impossible on lower numbers.
sleep(0.001) can help in some cases but could stop the network traffic in other cases. I don't see any reason for the
The same thing happens with my PS4 Slim
Yeah, you are right, and time sleep(1) also does something
With the last IPv6 address update, PPPwn works on my console. Thank you.
When I try to run PPPwn_cpp (revision 1.0.0) with PS4 PRO CUH-7216B with firmware 11.00, after a while the console turns off. This happens when it reaches the "Sending IPCP configure ACK..." command. Then, when I start the console again, a memory check appears. I tried on Linux Mint and Windows 10, but both have the same problem.
The whole log: