base on C++ rewrite of PPPwn (PlayStation 4 PPPoE RCE) # PPPwn c++ This is the C++ rewrite of [PPPwn](https://github.com/TheOfficialFloW/PPPwn) # Features - Smaller binary size - A wide range of CPU architectures and systems are supported - Run faster under Windows (more accurate sleep time) - Restart automatically when failing - Can be compiled as a library integrated into your application # Nightly build You can download the latest build from [nightly.link](https://nightly.link/xfangfang/PPPwn_cpp/workflows/ci.yaml/main?status=completed). For Windows users, you need to install [npcap](https://npcap.com) before run this program. There are lots of GUI wrapper for pppwn_cpp, it's better to use them if you are not familiar with command line. For macOS users, you need to run `sudo xattr -rd com.apple.quarantine <path-to-pppwn>` after download. Please refer to [#10](https://github.com/xfangfang/PPPwn_cpp/issues/10) for more information. # Usage ### show help ```shell pppwn ``` ### list interfaces ```shell pppwn list ``` ### run the exploit ```shell pppwn --interface en0 --fw 1100 --stage1 "stage1.bin" --stage2 "stage2.bin" --timeout 10 --auto-retry ``` - `-i` `--interface`: the network interface which connected to ps4 - `--fw`: the firmware version of the target ps4 (default: `1100`) - `-s1` `--stage1`: the path to the stage1 payload (default: `stage1/stage1.bin`) - `-s2` `--stage2`: the path to the stage2 payload (default: `stage2/stage2.bin`) - `-t` `--timeout`: the timeout in seconds for ps4 response, 0 means always wait (default: `0`) - `-wap` `--wait-after-pin`: the waiting time in seconds after first round CPU pinning (default: `1`) - `-gd` `--groom-delay`: wait for 1ms every `groom-delay` rounds during Heap grooming (default: `4`) - `-bs` `--buffer-size`: PCAP buffer size in bytes, less than 100 indicates default value (usually 2MB) (default: `0`) - `-a` `--auto-retry`: automatically retry when fails or timeout - `-nw` `--no-wait-padi`: don't wait one more [PADI](https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet#Client_to_server:_Initiation_(PADI)) before starting the exploit - `-rs` `--real-sleep`: use CPU for more precise sleep time (Only used when execution speed is too slow) - `-old` `--old-ipv6`: use previous IPv6 address to exploit (Only used when the exploit fails) - `--web`: use the web interface - `--url`: the url of the web interface (default: `0.0.0.0:7796`) Supplement: 1. For `--timeout`, waiting for `PADI` is not included, which allows you to start `pppwn_cpp` before the ps4 is launched. 2. For `--no-wait-padi`, by default, `pppwn_cpp` will wait for two `PADI` request, according to [TheOfficialFloW/PPPwn/pull/48](https://github.com/TheOfficialFloW/PPPwn/pull/48) this helps to improve stability. You can turn off this feature with this parameter if you don't need it. 3. For `--wait-after-pin`, according to [SiSTR0/PPPwn/pull/1](https://github.com/SiSTR0/PPPwn/pull/1) set this parameter to `20` helps to improve stability (not work for me), this option not used in web interface. 4. For `--groom-delay`, This is an empirical value. The Python version of pppwn does not set any wait at Heap grooming, but if the C++ version does not add some wait, there is a probability of kernel panic on my ps4. You can set any value within 1-4097 (4097 is equivalent to not doing any wait). 5. For `--buffer-size`, When running on low-end devices, this value can be set to reduce memory usage. I tested that setting it to 10240 can run normally, and the memory usage is about 3MB. (Note: A value that is too small may cause some packets to not be captured properly) # Development This project depends on [pcap](https://github.com/the-tcpdump-group/libpcap), cmake will search for it in the system path by default. You can also add cmake option `-DUSE_SYSTEM_PCAP=OFF` to compile pcap from source (can be used when cross-compiling). Please refer to the workflow file [.github/workflows/ci.yaml](.github/workflows/ci.yaml) for more information. ```shell # native build (macOS, Linux) cmake -B build cmake --build build -t pppwn # cross compile for mipsel linux (soft float) cmake -B build -DZIG_TARGET=mipsel-linux-musl -DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION="-msoft-float" cmake --build build -t pppwn # cross compile for arm linux (armv7 cortex-a7) cmake -B build -DZIG_TARGET=arm-linux-musleabi -DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION="-mcpu=cortex_a7" cmake --build build -t pppwn # cross compile for Windows # https://npcap.com/dist/npcap-sdk-1.13.zip cmake -B build -DZIG_TARGET=x86_64-windows-gnu -DUSE_SYSTEM_PCAP=OFF -DPacket_ROOT=<path to npcap sdk> cmake --build build -t pppwn ``` # Credits Big thanks to FloW's magical work, you are my hero. ", Assign "at most 3 tags" to the expected json: {"id":"10093","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"