Makes the exploit run 100x100 times and also ON BOOT! #1

4 changes: 2 additions & 2 deletions README.md
@@ -1,4 +1,4 @@
# PPPwn - PlayStation 4 PPPoE RCE
# PPPwn - PlayStation 4 PPPoE RCE ON BOOT WORKING! ,
PPPwn is a kernel remote code execution exploit for PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for [CVE-2006-4304](https://hackerone.com/reports/2177925) that was reported responsibly to PlayStation.

Supported versions are:
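Review bot: the new top-level heading has a stray trailing comma and puts a status exclamation ("ON BOOT WORKING! ,") into the project title; keep the heading as `# PPPwn - PlayStation 4 PPPoE RCE` and describe the on-boot behaviour in its own README section, which is also where a reader would look for it.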
Expand Down Expand Up @@ -172,4 +172,4 @@ This has been tested using VMware Fusion 13.5.1, with the VM Guest as Ubuntu 24.
## Notes for GoldHEN version
This loader only supports payloads with a kernel entrypoint.
The custom version of stage2 first looks for the payload in the root directory of the USB drive, and if found, it is copied to the internal HDD at this path: /data/GoldHEN/payloads/goldhen.bin. The internal payload is then loaded and is no longer needed on the external USB drive.
At the moment, only firmware versions 9.00 and 11.00 are supported. Soon, versions 10.00/10.01 will also be supported.
At the moment, only firmware versions 9.00 and 11.00 are supported. Soon, versions 10.00/10.01 will also be supported.
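Review bot: the removed and added lines of this hunk are textually identical, so the only change here is whitespace (most likely the trailing newline); either drop this no-op from the PR or mention in the commit message that it is intentional, so reviewers do not have to diff the two lines character by character.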
6 changes: 3 additions & 3 deletions pppwn.py
Expand Up @@ -667,7 +667,7 @@ def run(self):
# reason, this causes scheduling on CPU 0 at some point, which makes
# the next allocation use the same per-CPU cache.
for i in range(self.PIN_NUM):
if i % 0x100 == 0:
if i % 0x200 == 0: # make the target more busy
print('[*] Pinning to CPU 0...{}%'.format(100 * i //
self.PIN_NUM),
end='\r',
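Review bot: the comment `# make the target more busy` on the changed `if i % 0x200 == 0:` line does not describe what the change does; the modulus only gates how often the progress message below is printed, and the loop still runs `self.PIN_NUM` iterations either way. Either drop the comment or say what is actually changed, e.g. `# print progress half as often`, so the next reader is not led to look for a behavioural change in the pinning loop.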
Expand All @@ -681,8 +681,8 @@ def run(self):

print('[+] Pinning to CPU 0...done')

# LCP fails sometimes without the wait
sleep(1)
# wait 20 secs to continue the pppoe hack because the system not loaded all modules
sleep(20)

# Corrupt in6_llentry object
overflow_lle = self.build_overflow_lle()
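Review bot: the new `sleep(20)` hardcodes a 20x longer delay for every run and replaces the comment that explained why the wait exists ("LCP fails sometimes without the wait"); keep that rationale in the comment, fix its grammar (e.g. `# wait for the console to finish loading modules before continuing; LCP fails without the wait`), and consider making the delay a command-line option with the previous `1` as default so users who only need the shorter wait are not slowed down.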
7 changes: 4 additions & 3 deletions stage2/stage2.c
Expand Up @@ -28,9 +28,10 @@
#define PS4_PAGE_SIZE 0x4000
#define ROUND_PG(x) (((x) + (PS4_PAGE_SIZE - 1)) & ~(PS4_PAGE_SIZE - 1))

#define PAYLOAD_NAME "goldhen.bin"
#define PAYLOAD_EXT_PATH "/mnt/usb0/" PAYLOAD_NAME
#define PAYLOAD_INT_PATH "/data/GoldHEN/payloads/" PAYLOAD_NAME
//not only goldhen will exist , making my one
#define PAYLOAD_NAME "payload.bin"
#define PAYLOAD_EXT_PATH "/mnt/usb0/payload.bin" PAYLOAD_NAME
#define PAYLOAD_INT_PATH "/data/payloads/" PAYLOAD_NAME

// by OSM-Made
typedef struct {
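Review bot: the new `PAYLOAD_EXT_PATH` is wrong: `"/mnt/usb0/payload.bin" PAYLOAD_NAME` concatenates adjacent string literals to `"/mnt/usb0/payload.binpayload.bin"`, so the loader will never find the file on the USB drive. Keep the original form, `#define PAYLOAD_EXT_PATH "/mnt/usb0/" PAYLOAD_NAME`, as `PAYLOAD_INT_PATH` already does on the next line. The comment above it should also be tidied (e.g. `// not only GoldHEN payloads are supported; use a generic name`).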