PPPwn_cpp
Stuck on [+] STAGE 3: Remote code execution > Last step > Waiting for IPCP configure ACK...
I have an NEXX WT3020F
I have installed pppwn from https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main?status=completed, but I can't get past stage 3 to stage 4 on the router. If I try using PPPwn on Windows, everything works, but that is not practical for me.
```
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off

[+] STAGE 0: Initialization
[*] Waiting for PADI...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffff954d40659800
[+] Target MAC: f8:46:1c:f4:2c:03
[+] Source MAC: 07:98:65:40:4d:95
[+] AC cookie length: 4e0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[*] Waiting for interface to be ready...
[+] Generate target IPv6 from MAC address
[+] Target IPv6: fe80::fa46:1cff:fef4:2c03
[+] Heap grooming...done

[+] STAGE 1: Memory corruption
[+] Pinning to CPU 0...done
[*] Sending malicious LCP configure request...
[*] Waiting for LCP configure reject...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure NAK...
[*] Waiting for IPCP configure request...
[*] Sending IPCP configure ACK...
[+] Scanning for corrupted object...found fe80::0268:4141:4141:4141

[+] STAGE 2: KASLR defeat
[*] Defeating KASLR...
[+] pppoe_softc_list: 0xffffffff9be6e578
[+] kaslr_offset: 0x1798c000

[+] STAGE 3: Remote code execution
[*] Sending LCP terminate request...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffff954d40659800
[+] Target MAC: f8:46:1c:f4:2c:03
[+] Source MAC: 97:df:83:9a:ff:ff
[+] AC cookie length: 514
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Triggering code execution...
[*] Waiting for stage1 to resume...
[*] Sending PADT...
[*] Waiting for PADI...
[+] pppoe_softc: 0xffff954d40659800
[+] Target MAC: f8:46:1c:f4:2c:03
[+] AC cookie length: 0
[*] Sending PADO...
[*] Waiting for PADR...
[*] Sending PADS...
[*] Sending LCP configure request...
[*] Waiting for LCP configure ACK...
[*] Waiting for LCP configure request...
[*] Sending LCP configure ACK...
[*] Sending IPCP configure request...
[*] Waiting for IPCP configure ACK...
```
HANG.....
I have tried with these options:

```
[+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=off real_sleep=off
```
and
```
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
[+] args: interface=br-lan fw=1100 stage1=/ppp/stage1.bin stage2=/ppp/stage2.bin timeout=0 wait-after-pin=1 groom-delay=4 auto-retry=on no-wait-padi=on real_sleep=on
```
I'm trying to install tcpdump on the router, but I can't figure out how.