Skip to content

Commit

Permalink
Use IPv6 address that works on all devices. Thanks to Borris-ta. (#74)
Browse files Browse the repository at this point in the history 
Updated exploit.cpp according to original PPPwn repository to make the exploit working on some previously non-working PS4-slim.

Thanks to TheOfficialFlow and Borris-ta for their findings.
  • Loading branch information
@maxou2600
maxou2600 committed Jun 16, 2024
1 parent cbc09a3 commit ed5f907
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions src/exploit.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@

const static std::string SOURCE_MAC = "41:41:41:41:41:41";
const static std::string SOURCE_IPV4 = "41.41.41.41";
const static std::string SOURCE_IPV6 = "fe80::4141:4141:4141:4141";
const static std::string SOURCE_IPV6 = "fe80::9f9f:41ff:9f9f:41ff";

const static std::string TARGET_IPV4 = "42.42.42.42";

Expand Down Expand Up @@ -550,7 +550,7 @@ std::vector<uint8_t> Exploit::build_fake_lle(Exploit *self) {
V32(fake_lle, 0xC4, 0); // sin6_flowinfo
// sin6_addr
V64BE(fake_lle, 0xC8, 0xfe80000100000000);
V64BE(fake_lle, 0xD0, 0x4141414141414141);
V64BE(fake_lle, 0xD0, 0x9f9f41ff9f9f41ff);
V32(fake_lle, 0xD8, 0); // sin6_scope_id

// pad
Expand Down Expand Up @@ -737,7 +737,7 @@ int Exploit::stage0() {
}

std::stringstream sourceIpv6;
sourceIpv6 << "fe80::" << std::setfill('0') << std::setw(4) << std::hex << i << ":4141:4141:4141";
sourceIpv6 << "fe80::" << std::setfill('0') << std::setw(4) << std::hex << i << ":41ff:9f9f:41ff";
{
auto &&packet = PacketBuilder::icmpv6Echo(this->source_mac, this->target_mac,
pcpp::IPv6Address(sourceIpv6.str()), this->target_ipv6);
Expand Down Expand Up @@ -860,7 +860,7 @@ int Exploit::stage1() {

sourceIpv6.clear();
sourceIpv6.str("");
sourceIpv6 << "fe80::" << std::setfill('0') << std::setw(4) << std::hex << i << ":4141:4141:4141";
sourceIpv6 << "fe80::" << std::setfill('0') << std::setw(4) << std::hex << i << ":41ff:9f9f:41ff";

{
auto &&packet = PacketBuilder::icmpv6Echo(this->source_mac, this->target_mac,
Expand Down Expand Up @@ -1137,4 +1137,4 @@ void Exploit::stop() {
// Force stop capture even if blocking mode is enabled
pcap_breakloop(pcapHandle(*dev));
stopThread(*dev) = true;
}
}

2 comments on commit ed5f907

@stooged
Copy link

@stooged stooged commented on ed5f907 Jun 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i have had a couple of people come to me in regards to the change to fe80::9f9f:41ff:9f9f:41ff for the source ipv6 address causing it to almost be impossible to find the corrupted object and step into stage 2.

after a fair bit of testing on a few consoles and different raspberry pi devices using pi-pwn it does cause an issue for some of my consoles.

i have made changes in a fork of pppwn_cpp that i use for pi-pwn and added an arg (--ipv) to input the source ipv6 address on the command line.

pppwn --interface "eth0" --fw "1100" --ipv "fe80::4141:4141:4141:4141"
pppwn --interface "eth0" --fw "1100" --ipv "fe80::9f9f:41ff:9f9f:41ff"

this has solved the issue on my end for the people that reported it to me.

obviously you would be able to implement it better than i have but here is the commit i made for pi-pwn to address the issue.

there are also other changes i have made like removing the stage bin files so its not something that could be updated by simply updating the cpp/h files from my repo as it would break things but the changes in this commit are just the ones for the input arg change

stooged@ec254a6

@xfangfang
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stooged Thank you. I will try to add similar content on the weekend : )

Please sign in to comment.