
Stuck on [+] STAGE 3: Remote code execution > Last step > Waiting for IPCP configure ACK... #57

Open
pmgcosta opened this issue May 28, 2024 · 19 comments
Labels
help wanted Extra attention is needed

Comments

@pmgcosta

I have a NEXX WT3020F.

I have installed pppwn from https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main?status=completed but I can't get from stage 3 to stage 4 on the router. If I try using PPPwn on Windows everything works, but that is not practical for me.

[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffff954d40659800
[+] Target MAC: f8:46:1c:f4:2c:03
[+] Source MAC: 07:98:65:40:4d:95
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Generate target IPv6 from MAC address
[+] Target IPv6: fe80::fa46:1cff:fef4:2c03
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0268:4141:4141:4141

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff9be6e578
[+] kaslr_offset: 0x1798c000

[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffff954d40659800
[+] Target MAC: f8:46:1c:f4:2c:03
[+] Source MAC: 97:df:83:9a:ff:ff
[+] AC cookie length: 514
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffff954d40659800
[+] Target MAC: f8:46:1c:f4:2c:03
[+] AC cookie length: 0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...

HANG.....

I have tried with these options:

[+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off

and

[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=on real_sleep=on

I'm trying to install tcpdump on the router but I can't figure out how.

@pmgcosta
Author

pmgcosta commented May 28, 2024

I'm struggling with the capture.

Is it possible to start a tcpdump before pppwn without the -a option and stop the dump afterwards?

I'm struggling with the syntax.

I have tried both methods

#28
https://forum.openwrt.org/t/tcpdump-sniffing-piped-directly-to-wireshark/99729

without success. I will keep trying, but maybe someone can help.

So far I have tried it this way:

# -U flushes each packet to the file; & keeps tcpdump in the background so pppwn can run
tcpdump -i br-lan -U -w /ps4/br-lan.pcap &
pppwn ............
# pgrep reads no stdin, so piping ps into it does nothing
kill $(pgrep tcpdump)

But I got an empty file.

@xfangfang
Owner

xfangfang commented May 28, 2024

If your router has enough space, you can indeed just use tcpdump on the router and then copy the dump back to the PC afterwards.

You may need two ssh sessions; you don't need to limit yourself to only one ssh connection.

If your router doesn't have enough space, as I mentioned in the comment, send the traffic directly back to your PC through SSH. Wireshark is not necessary, but it lets you see the content in real time.

@xfangfang
Owner

https://forum.openwrt.org/t/tcpdump-sniffing-piped-directly-to-wireshark/99729/6

I haven't done it yet, but this method looks very simple

@pmgcosta
Author

dump.zip

Dump done using:

echo > /tmp/dump
# capture in the background (-U flushes per packet) while pppwn runs in the foreground
tcpdump -i eth0.1 -U -w /tmp/dump & /ps4/pppwn -i eth0.1 --fw 1100 -s1 /ps4/stage1.bin -s2 /ps4/stage2.bin -t 4 -wap 1 -gd 4 -bs 0 -nw -rs
kill $(pgrep tcpdump)

@xfangfang
Owner

xfangfang commented May 30, 2024

@pmgcosta
I looked at this dump and the problem lies in:

std::cout << "[*] Sending PADT..." << std::endl;

After pppwn_cpp sends the PADT, the previous PPP session should end immediately, but your PS4 has not ended it yet.

I don't know the specific reason, but maybe you can check if stage1.bin is correct?


your PS4: (screenshot)

correct behavior: (screenshot)
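The check described above (once the router sends PADT, the PS4 should stop sending frames for that PPPoE session) can be run over the pcap directly. This is an added example, not code from PPPwn_cpp: it parses classic pcap records and PPPoE headers with the standard library only, and the sample capture, the router MAC and the PS4 MAC below are constructed for illustration.

```python
import struct
PPPOE_DISC, PPPOE_SESS, PADT = 0x8863, 0x8864, 0xA7   # ethertypes and discovery code

def pcap_frames(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap blob."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24                                             # skip the global header
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from(endian + "I", data, off + 8)
        off += 16                                        # skip the record header
        yield data[off:off + incl_len]
        off += incl_len

def pppoe(frame):
    """Return (src_mac, ethertype, code, session_id) for a PPPoE frame, else None."""
    if len(frame) < 20:                                  # 14 Ethernet + 6 PPPoE bytes
        return None
    etype, = struct.unpack_from("!H", frame, 12)
    if etype not in (PPPOE_DISC, PPPOE_SESS):
        return None
    _vertype, code, sid = struct.unpack_from("!BBH", frame, 14)
    return frame[6:12].hex(":"), etype, code, sid

def session_frames_after_padt(data, local_mac):
    """Return (padt_seen, stale): stale = peer session frames sent after our PADT."""
    padt_sid, stale = None, 0
    for frame in pcap_frames(data):
        info = pppoe(frame)
        if info is None:
            continue
        src, etype, code, sid = info
        if etype == PPPOE_DISC and code == PADT and src == local_mac:
            padt_sid = sid                               # our PADT ended this session
        elif padt_sid is not None and etype == PPPOE_SESS and sid == padt_sid and src != local_mac:
            stale += 1                                   # peer ignored the PADT
    return padt_sid is not None, stale

# Constructed sample capture (not the dump attached to the thread).
def _frame(dst, src, etype, code, sid, payload=b""):
    return dst + src + struct.pack("!HBBHH", etype, 0x11, code, sid, len(payload)) + payload

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
PS4, ROUTER, BCAST = bytes.fromhex("f8461cf42c03"), bytes.fromhex("97df839affff"), b"\xff" * 6
SAMPLE = _pcap([
    _frame(PS4, ROUTER, PPPOE_SESS, 0x00, 1, b"\xc0\x21"),   # LCP inside session 1
    _frame(PS4, ROUTER, PPPOE_DISC, PADT, 1),                # router terminates session 1
    _frame(ROUTER, PS4, PPPOE_SESS, 0x00, 1, b"\x80\x21"),   # PS4 still talks: stale
    _frame(BCAST, PS4, PPPOE_DISC, 0x09, 0),                 # PADI for a new session
])
```

On a real dump, pass `open("dump", "rb").read()` and the router's source MAC from the pppwn log; a non-zero stale count reproduces the symptom shown in the screenshot.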

@xfangfang
Owner

What I mean is to use tools like sha256sum or md5sum to confirm that stage1.bin on the router is correct

@pmgcosta
Author

Yes, they are; checked via md5sum.

@xfangfang
Owner

Then I don't know why, but you can check if there is any firewall filtering or other differences. This doesn't seem like a problem with pppwn_cpp.

xfangfang added the "help wanted" label on Jun 1, 2024
@heryandp

heryandp commented Jun 4, 2024

I have the same problem here. I use a Bolt BL201.

@kusokpnz

kusokpnz commented Jun 5, 2024

Similar problem on a nexx3020. Tried different versions of openwrt (14, 19, 21, 23) and different versions of suitable pppwn bins. Exact same behaviour: Stage 3, [*] Waiting for IPCP configure ACK...
I'm trying for version 10.01 (on a PC with the right versions of the stages the hack happens immediately and without problems).

Maybe some packages need to be installed on openwrt, for example libpcap or other packages?

@kusokpnz

kusokpnz commented Jun 6, 2024

I managed, with some settings on the nexx3020, to get it to stage 4 (I didn't pin down the settings, but it's something like enabling multicast). But the result is as follows:
After receiving the log:
[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!
the PS4 reboots and goes into memory recovery mode. It always does this.

I tried another router, which has no problems with all stages. It also reaches Stage 4 done and restarts the PS4.
There is a suspicion that the MIPSEL binary (MIPS does not run on my routers) was built with some error. At the same time, if I take the x86_64-macos or linux binaries (from a Mac or PC) (release or nightly), my PS4 gets hacked without any problems or restarts.

Please check the releases (and nightly) for the MIPSEL build.
My hardware that reboots my PS4 on stage 4:

MediaTek MT7621 SoC MIPS 1004Kc V2.15
MediaTek MT7620n MIPS 24KEc V5.0 (ramips)

@xfangfang
Owner

xfangfang commented Jun 6, 2024

@kusokpnz I have a router with an MT7621A, and pppwn_cpp can run normally on it

@kusokpnz

@pmgcosta, NEXX WT3020F for openwrt 21+:
Options must be enabled:

  1. Enable IGMP snooping
  2. Enable promiscuous mode
  3. Accept local
    in the device settings: br-lan, and use interface br-lan for pppwn.
    And then Stage 3 goes perfectly.

@xfangfang The Mipsel binary works on MediaTek MT7621 and MediaTek MT7620n. Above, in a lot of tests, I made stupid looping mistakes.

@bambizlu

I carefully read the messages above, then I learned how to use Wireshark. I saved the Wireshark log and a screenshot here:

Wireshark ssh log.zip

ppps4

I don't know if these are useful or not.

I also followed the suggestions above and modified the settings: enable IGMP snooping, enable multicast, and enable promiscuous mode. I also adjusted LAN (br-lan) and WAN (eth0.2), but the result is still the same.

@bambizlu

bambizlu commented Jul 7, 2024

I've fixed the problem. The cause was an openwrt firmware mismatch. OpenWrt officially does not provide firmware for the 5K-W20, so I could only find some similar models, for example the Asus N14U and Lenovo Y1, Y1S, etc. I found a lot of firmware images and tested them. List below:

5K_3.4.3.9-099.trx
7620ahaizhizhu.trx
Buffalo WHR-300HP2 ddwrt.uimage
ikuai1.2.1.bin
lede-17.01.7-ramips-mt7620-y1-squashfs-sysupgrade.bin
lede-17.01.7-ramips-mt7620-y1s-squashfs-sysupgrade.bin
lianxiang xiaoyun.bin
openwrt-14.07-mtk-ramips-mt7620-5k-w20-squashfs-sysupgrade.bin
openwrt-15.05-5k-w20-hbc-zhengshi3-fix-sysupgrade.bin
openwrt-15.05-mt7620-5k-w20-hbc-16M-sysupgrade.bin
openwrt-15.05-ramips-mt7620-5k-w20-squashfs-sysupgrade.bin
openwrt-18.06.9-ramips-mt7620-y1-squashfs-sysupgrade.bin
openwrt-18.06.9-ramips-mt7620-y1s-squashfs-sysupgrade.bin
openwrt-19.07.10-ramips-mt7620-y1-initramfs-kernel.bin
openwrt-19.07.10-ramips-mt7620-y1s-initramfs-kernel.bin
openwrt-19.07.10-ramips-mt7620-y1-squashfs-sysupgrade.bin
openwrt-19.07.10-ramips-mt7620-y1s-squashfs-sysupgrade.bin
openwrt-22.03.6-ramips-mt7620-lenovo_newifi-y1-initramfs-kernel.bin
openwrt-22.03.6-ramips-mt7620-lenovo_newifi-y1-squashfs-sysupgrade.bin
openwrt-23.05.3-ramips-mt7620-lenovo_newifi-y1-squashfs-sysupgrade.bin
openwrt-23.05.3-ramips-mt7620-lenovo_newifi-y1s-squashfs-sysupgrade.bin
openwrt-19.07.10-ramips-mt7620-RT-N14U-initramfs-kernel.bin
openwrt-19.07.10-ramips-mt7620-RT-N14U-squashfs-sysupgrade.bin
openwrt-22.03.6-ramips-mt7620-RT-N14U-initramfs-kernel.bin
openwrt-22.03.6-ramips-mt7620-RT-N14U-squashfs-sysupgrade.bin
openwrt-23.05.3-ramips-mt7620-RT-N14U-initramfs-kernel.bin
openwrt-23.05.3-ramips-mt7620-RT-N14U-squashfs-sysupgrade.bin
PandoraBox 14.09 r1018.bin
PandoraBox-14.09-ralink-mt7620-mt7620a-evb-squashfs-sysupgrade-r1024-20150608.bin
RT-N14U_3.0.0.4_380_8497-g179ec32.trx

I needed to test each firmware for over an hour. After many failures, I succeeded once; the firmware used that time was "openwrt-14.07-mtk-ramips-mt7620-5k-w20-squashfs-sysupgrade.bin". After I finished testing, only two firmware images could be used. List below:
openwrt-14.07-mtk-ramips-mt7620-5k-w20-squashfs-sysupgrade.bin (Memory corruption 3 to 8 times)
PandoraBox-14.09-ralink-mt7620-mt7620a-evb-squashfs-sysupgrade-r1024-20150608.bin (Memory corruption 1 to 5 times)

During the process of searching for firmware, I learned that openwrt firmware requires a matching DTS. I think this may be the reason for the failure. I don't know how to make a DTS (Device Tree Source) and build an openwrt image, so I could only find a very old openwrt version matching the DTS of the 5K-W20.

@s33k3rs

s33k3rs commented Aug 18, 2024

I have the same problem here. I use a Bolt BL201.

Did you solve the problem?

@dddddddddddddddddd946

@pmgcosta, NEXX WT3020F for openwrt 21+: Options must be enabled:

1. Enable IGMP snooping

2. Enable promiscuous mode

3. Accept local
   in the device settings: br-lan, and use interface br-lan for pppwn.
   And then Stage 3 goes perfectly.

@xfangfang The Mipsel binary works on MediaTek MT7621 and MediaTek MT7620n. Above, in a lot of tests, I made stupid looping mistakes.

I have tried to run this on the wt3020 and I get stuck on stage 3 IPCP config ack every time.
I have tried openwrt 19, 21 and 23 with these settings and the firewall disabled, but it still gets stuck.
Did you do anything else in particular to get it to run successfully?
Using pppwn-lite it passes stage 3 every time without fail, so I feel like I am missing something obvious.
I will try on a mirouter 4a gigabit later on, but would prefer to have it running on the smaller wt3020.

@kusokpnz

@pmgcosta, NEXX WT3020F for openwrt 21+: Options must be enabled:

1. Enable IGMP snooping

2. Enable promiscuous mode

3. Accept local
   in the device settings: br-lan, and use interface br-lan for pppwn.
   And then Stage 3 goes perfectly.

@xfangfang The Mipsel binary works on MediaTek MT7621 and MediaTek MT7620n. Above, in a lot of tests, I made stupid looping mistakes.

I have tried to run this on the wt3020 and I get stuck on stage 3 IPCP config ack every time. I have tried openwrt 19, 21 and 23 with these settings and the firewall disabled, but it still gets stuck. Did you do anything else in particular to get it to run successfully? Using pppwn-lite it passes stage 3 every time without fail, so I feel like I am missing something obvious. I will try on a mirouter 4a gigabit later on, but would prefer to have it running on the smaller wt3020.

Hi, I tried to do everything on versions <19 (since they load faster), but to no avail. On versions 21 and 23 (original, not forks), from a clean installation I did the above, and for point 3 I set the settings exclusively for br-lan, and everything worked right away, without any other actions. I checked it several times before I wrote the method. (FYI, I have a Breed bootloader; I don't think it makes any difference.)
