Merge branch 'xfangfang:main' into main

Author: deviato

.github/workflows/ci.yaml

@@ -47,9 +47,9 @@ jobs:
           - { target: arm-linux-musleabi, os: ubuntu-latest, strip: "llvm-strip", upx: "upx --lzma",
               cmake: "-DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION='-mcpu=arm1176jzf_s'", name: "(pi_zero_w)" }
           - { target: mipsel-linux-musl,  os: ubuntu-latest, strip: "llvm-strip", upx: "upx --lzma",
-              cmake: "-DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION='-msoft-float'" }
+              cmake: "-DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION='-msoft-float;-ffunction-sections'" }
           - { target: mips-linux-musl,  os: ubuntu-latest, strip: "llvm-strip", upx: "upx --lzma",
-              cmake: "-DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION='-msoft-float'" }
+              cmake: "-DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION='-msoft-float;-ffunction-sections'" }
     steps:
       - uses: actions/checkout@v4
 
@@ -66,7 +66,7 @@ jobs:
       - name: Download NPCAP SDK
         if: contains(matrix.target, 'windows')
         run: |
-          wget https://npcap.com/dist/npcap-sdk-1.13.zip -O /tmp/sdk.zip
+          wget https://github.com/xfangfang/PPPwn_cpp/releases/download/1.0.0/npcap-sdk-1.13.zip -O /tmp/sdk.zip
           unzip /tmp/sdk.zip -d /tmp/sdk
           mkdir -p /tmp/sdk/lib/x64
           mkdir -p /tmp/sdk86/lib
@@ -116,7 +116,7 @@ jobs:
           pacman -S --needed --noconfirm --noprogressbar \
             ${MINGW_PACKAGE_PREFIX}-gcc \
             ${MINGW_PACKAGE_PREFIX}-ninja unzip upx
-          wget https://npcap.com/dist/npcap-sdk-1.13.zip -O npcap-sdk.zip
+          wget https://github.com/xfangfang/PPPwn_cpp/releases/download/1.0.0/npcap-sdk-1.13.zip -O npcap-sdk.zip
           unzip npcap-sdk.zip -d sdk
 
       - name: Build

README.md

@@ -58,7 +58,7 @@ Supplement:
 
 1. For `--timeout`, waiting for `PADI` is not included, which allows you to start `pppwn_cpp` before the ps4 is launched.
 2. For `--no-wait-padi`, by default, `pppwn_cpp` will wait for two `PADI` request, according to [TheOfficialFloW/PPPwn/pull/48](https://github.com/TheOfficialFloW/PPPwn/pull/48) this helps to improve stability. You can turn off this feature with this parameter if you don't need it.
-3. For `--wait-after-pin`, according to [SiSTR0/PPPwn/pull/1](https://github.com/SiSTR0/PPPwn/pull/1) set this parameter to `20` helps to improve stability (not work for me).
+3. For `--wait-after-pin`, according to [SiSTR0/PPPwn/pull/1](https://github.com/SiSTR0/PPPwn/pull/1) set this parameter to `20` helps to improve stability (not work for me), this option not used in web interface.
 4. For `--groom-delay`, This is an empirical value. The Python version of pppwn does not set any wait at Heap grooming, but if the C++ version does not add some wait, there is a probability of kernel panic on my ps4. You can set any value within 1-4097 (4097 is equivalent to not doing any wait).
 5. For `--buffer-size`, When running on low-end devices, this value can be set to reduce memory usage. I tested that setting it to 10240 can run normally, and the memory usage is about 3MB. (Note: A value that is too small may cause some packets to not be captured properly)
 

include/exploit.h

@@ -100,7 +100,7 @@ class Exploit {
     int ipcp_negotiation() const;
 
     int ppp_negotiation(const std::function<std::vector<uint8_t>(Exploit *)> &cb = nullptr,
-                        bool ignore_initial_req = false);
+                        bool ignore_initial_req = false, bool always_wait_padi = false);
 
     void ppp_byebye();
 

src/exploit.cpp

@@ -330,23 +330,27 @@ int Exploit::ipcp_negotiation() const {
     return RETURN_SUCCESS;
 }
 
-int Exploit::ppp_negotiation(const std::function<std::vector<uint8_t>(Exploit *)> &cb, bool ignore_initial_req) {
+int Exploit::ppp_negotiation(const std::function<std::vector<uint8_t>(Exploit *)> &cb, bool ignore_initial_req,
+                             bool always_wait_padi) {
     int padi_count = ignore_initial_req ? 2 : 1;
 
     Cookie pkt;
     while (padi_count--) {
         std::cout << "[*] Waiting for PADI..." << std::endl;
-        dev->startCaptureBlockingMode(
+        if (dev->startCaptureBlockingMode(
                 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
                     pcpp::Packet parsedPacket(packet, pcpp::PPPoEDiscovery);
                     auto *layer = PacketBuilder::getPPPoEDiscoveryLayer(parsedPacket,
                                                                         pcpp::PPPoELayer::PPPOE_CODE_PADI);
                     if (!layer) return false;
                     ((Cookie *) cookie)->packet = parsedPacket;
                     return true;
-                }, &pkt, 0);
+                }, &pkt, always_wait_padi ? 0 : this->timeout) != 1) {
+            return RETURN_FAIL;
+        } else if (!running) {
+            return RETURN_STOP;
+        }
     }
-    CHECK_RUNNING();
 
     auto *pppoeDiscoveryLayer = pkt.packet.getLayerOfType<pcpp::PPPoEDiscoveryLayer>();
     if (!pppoeDiscoveryLayer) {
@@ -695,7 +699,7 @@ std::vector<uint8_t> Exploit::build_second_rop(Exploit *self) {
 }
 
 int Exploit::stage0() {
-    CHECK_RET(this->ppp_negotiation(Exploit::build_fake_ifnet, this->wait_padi));
+    CHECK_RET(this->ppp_negotiation(Exploit::build_fake_ifnet, this->wait_padi, true));
     CHECK_RET(this->lcp_negotiation());
     CHECK_RET(this->ipcp_negotiation());
 
@@ -771,19 +775,24 @@ int Exploit::stage1() {
      * and the PS4 unilaterally ends the PPPoE session.
      * To avoid this situation, respond to the PPPoE ECHO_REQ here
      */
-    dev->startCapture([](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) {
-        pcpp::Packet parsedPacket(packet, pcpp::PPPoESession);
-        auto *pppLayer = PacketBuilder::getPPPoESessionLayer(parsedPacket, PCPP_PPP_LCP);
-        if (!pppLayer) return;
-        if (pppLayer->getLayerPayload()[0] != ECHO_REQ) return;
-        auto *etherLayer = parsedPacket.getLayerOfType<pcpp::EthLayer>();
-        if (!etherLayer) return;
-        auto &&echoReply = PacketBuilder::lcpEchoReply(etherLayer->getDestMac(), etherLayer->getSourceMac(),
-                                                       pppLayer->getPPPoEHeader()->sessionId,
-                                                       pppLayer->getLayerPayload()[1], // id
-                                                       htole32(*(uint32_t * ) & pppLayer->getLayerPayload()[4])); // magic number
-        device->sendPacket(&echoReply);
-    }, nullptr);
+    try {
+        dev->startCapture([](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) {
+            pcpp::Packet parsedPacket(packet, pcpp::PPPoESession);
+            auto *pppLayer = PacketBuilder::getPPPoESessionLayer(parsedPacket, PCPP_PPP_LCP);
+            if (!pppLayer) return;
+            if (pppLayer->getLayerPayload()[0] != ECHO_REQ) return;
+            auto *etherLayer = parsedPacket.getLayerOfType<pcpp::EthLayer>();
+            if (!etherLayer) return;
+            auto &&echoReply = PacketBuilder::lcpEchoReply(etherLayer->getDestMac(), etherLayer->getSourceMac(),
+                                                           pppLayer->getPPPoEHeader()->sessionId,
+                                                           pppLayer->getLayerPayload()[1], // id
+                                                           htole32(*(uint32_t * ) &
+                                                                   pppLayer->getLayerPayload()[4])); // magic number
+            device->sendPacket(&echoReply);
+        }, nullptr);
+    } catch (const std::system_error &e) {
+        std::cout << "Cannot create new thread" << e.what() << std::endl;
+    }
 
     /**
      * Send invalid packet to trigger a printf in the kernel. For some
@@ -805,7 +814,7 @@ int Exploit::stage1() {
         TIME_END_PERIOD();
     }
 
-    dev->stopCapture();
+    if (dev->captureActive()) dev->stopCapture();
     std::cout << "\r[+] Pinning to CPU 0...done" << std::endl;
 
     // LCP fails sometimes without the wait
@@ -1026,10 +1035,10 @@ int Exploit::stage4() {
 
             // Calculate checksum
             std::vector<uint8_t> temp(udpLayer.getHeaderLen());
-            (*(uint16_t *) &(temp)[0]) = udpHeader->portSrc;
-            (*(uint16_t *) &(temp)[2]) = udpHeader->portDst;
-            (*(uint16_t *) &(temp)[4]) = udpHeader->length;
-            (*(uint16_t *) &(temp)[6]) = 0;
+            (*(uint16_t * ) & (temp)[0]) = udpHeader->portSrc;
+            (*(uint16_t * ) & (temp)[2]) = udpHeader->portDst;
+            (*(uint16_t * ) & (temp)[4]) = udpHeader->length;
+            (*(uint16_t * ) & (temp)[6]) = 0;
             temp.insert(temp.end(), this->stage2_bin.begin(), this->stage2_bin.end());
             uint16_t checksumRes = pcpp::computePseudoHdrChecksum(temp.data(),
                                                                   temp.size(),
@@ -1108,6 +1117,7 @@ struct Tunnel<M, N> {
     friend T &stopThread(U &u) {
         return u.*M;
     }
+
     friend Q &pcapHandle(V &u) {
         return u.*N;
     }
@@ -1117,6 +1127,7 @@ template
 struct Tunnel<&pcpp::PcapLiveDevice::m_StopThread, &pcpp::IPcapDevice::m_PcapDescriptor>;
 
 std::atomic<bool> &stopThread(pcpp::PcapLiveDevice &);
+
 pcap_t *&pcapHandle(pcpp::IPcapDevice &);
 
 void Exploit::stop() {

src/main.cpp

@@ -145,7 +145,7 @@ int main(int argc, char *argv[]) {
             "Use CPU for more precise sleep time (Only used when execution speed is too slow)" %
             option("-rs", "--real-sleep").set(real_sleep), \
             "start a web page" % option("--web").set(web_page), \
-            "url" % option("--url") & value("url", web_url)
+            "custom web page url (default: 0.0.0.0:7796)" % option("--url") & value("url", web_url)
             ) | \
             "list interfaces" % command("list").call(listInterfaces)
     );

src/web.cpp

@@ -104,6 +104,7 @@ void WebPage::startExploit() {
     exploit->stop();
     if (exploitThread.joinable())
         exploitThread.join();
+    exploit->setWaitAfterPin(1);
     exploitThread = std::thread([this]() {
         return exploit->run();
     });