Hardware How to Make Your Own ESP8266 Host

randy_w

There are many different esp8266 bins around, but people always have different needs: some people want one with a Linux loader, others want one with the GTA mod menu, some want one for 6.72, others want one for 7.55, and it's impossible to please everyone. So I decided to make an Arduino sketch so you can change the settings yourself and upload your own exploit host. Thanks to treyjazz for the code related to setting up AP/Client mode. Here are some main features:
  • WiFi AP/Client mode: You can use your esp8266 as an access point or a client (esp8266 connects to your home WiFi network as an http/dns/ftp server)
  • HTTP server
  • FTP server: You can update payloads with FTP
  • DNS server: All requests will be resolved to esp8266
Here's how to get it working:
  • Set up Arduino, install the COM port driver for esp8266 and add the esp8266 board manager. I won't go into details here as there are many other good guides you can find on Google
  • Install all required libraries and copy the tools folder to your Arduino folder. This is the esp8266 sketch data upload tool
  • Open the arduino sketch and change settings such as AP/Client mode, IP address, password etc
  • Select correct board type and COM port, upload sketch
Now we need to prepare the exploit web page. Grab a copy of your favorite exploit host on GitHub. Here I'm using the wolf game's host as an example. Download the whole repo and extract the zip. Now open an exploit page and analyze it (this one loads goldhen):
Code:
<html><head>
<meta http-equiv="content-type" content="text/html; charset=windows-1256">
<style>
body{color: white; background-image:url(WOLF.jpg); background-attachment:fixed; background-size:100%; background-repeat:no-repeat;}
}</style>
        <title>THE WOLF HACK</title>           
        <script src="utils.js"></script>
        <script src="int64.js"></script>
        <script src="rop.js"></script>
        <script src="goldhen.js"></script>
        <script src="userland.js"></script>
        <script src="ps4.js"></script>
    </head>
    <body onload="go()">
<button id="input1" onfocus="handle2()"></button>
<button id="input2"></button>
<button id="input3" onfocus="handle2()"></button>
<select id="select1">
<option value="value1">Value1</option>
</select>
</body>
</html>

We don't have to actually modify anything here, but I'll remove the css (delete <style>...</style>) and change the html title (<title>...</title>). Now pay attention to all the javascript files it loads:
Code:
        <script src="utils.js"></script>
        <script src="int64.js"></script>
        <script src="rop.js"></script>
        <script src="goldhen.js"></script>
        <script src="userland.js"></script>
        <script src="ps4.js"></script>
These javascript files should be in the same directory as the html file (ESP8266 SPIFFS doesn't support directories). If they are in a subfolder (folder/xxx.js), move the javascript file out of the folder and change its path in the html file.
Now move the html file and all javascript files it loads to a new folder. Repeat the same process for all other payloads you want to have on your esp8266.
Finally we need to make a main menu to load different payload html pages, here's an example:
Code:
<html>
<head>
<meta charset="utf-8" />
<title>ESP8266 Exploit Host</title>
</head>   
<body>
    <div>
    <h1>PS4 JAILBREAK</h1>
    <p><b>Payload Selection</b></p>
    <a href="goldhen.html"><button><b>goldhen</b></button></a>
    <a href="payload1.html"><button><b>payload1</b></button></a>
    <a href="payload2.html"><button><b>payload2</b></button></a>
    </div>
</body>
</html>
I like to keep things simple. You can make it fancy and add offline cache manifest.

Next step is optional. You can compress the html and javascript files to save a lot of space. This is useful if you want to have a lot of payloads on your esp8266 as total usable space is only 2-3MB. I use 7zip to compress the html and javascript file, just right click on the file and select add to archive, choose gzip as archive format and click ok.

Now put all compressed files (or original files if they are small and don't need to be compressed) into the data folder in the sketch folder, then go back to Arduino and select Tools > ESP8266 Sketch Data Upload. Wait for it to finish and hit reset. You can open the terminal to see the progress and its IP address (WiFi client mode). Congratulations, now you have your very own esp8266 exploit host.

Get the arduino sketch here:
https://gofile.io/d/qdYbvo
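
A pre-upload check for the flat-directory constraint described in the post above, as an added example that is not part of the original post or the sketch: it lists the files a page references and flags any that sit in a subfolder, point at a remote host, or exceed the 31-character SPIFFS name limit (a limit the post does not mention). The `.gz` suffix on stored names and the sample HTML are assumptions constructed for illustration; only tag attributes are checked, not CSS `url()` references.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlsplit

SPIFFS_NAME_MAX = 31  # 32-byte object name minus the terminating NUL


class RefCollector(HTMLParser):
    """Collect the src/href values of tags that load other files."""
    ATTRS = {"script": "src", "img": "src", "link": "href", "a": "href"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        self.refs += [v for k, v in attrs if k == wanted and v]


def check_page(html, suffix=".gz"):
    """Return (reference, problem) pairs; suffix is the assumed gzip extension."""
    collector = RefCollector()
    collector.feed(html)
    problems = []
    for ref in collector.refs:
        parts = urlsplit(ref)
        if parts.scheme or parts.netloc:
            problems.append((ref, "remote URL, not served by the device"))
            continue
        if not parts.path:
            continue  # fragment-only link such as "#top"
        name = posixpath.normpath(parts.path).lstrip("/")
        stored = "/" + name + suffix  # SPIFFS names include the leading slash
        if "/" in name:
            problems.append((ref, "subfolder path, move the file up and edit the reference"))
        elif len(stored.encode()) > SPIFFS_NAME_MAX:
            problems.append((ref, f"stored name is {len(stored.encode())} bytes, limit is {SPIFFS_NAME_MAX}"))
    return problems


# Constructed sample page, not taken from any real host
SAMPLE = """<html><head>
<script src="utils.js"></script>
<script src="js/rop.js"></script>
<script src="https://cdn.example/int64.js"></script>
<script src="a_very_long_payload_loader_name.js"></script>
</head><body><a href="goldhen.html">goldhen</a></body></html>"""
```

Run `check_page` on each html file before copying it into the data folder; an empty list means every referenced file name will resolve on the flat file system.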
 

Thugnificent

I'll just put those files on github, link here:
https://github.com/stanleyws/arduino

Thanks a lot Randy, but I am getting this error when compiling (I am not even trying to upload at this point, just trying to export the bin):

"
Arduino: 1.8.15 (Windows 10), Board: "Generic ESP8266 Module, 80 MHz, Flash, Disabled (new aborts on oom), Disabled, All SSL ciphers (most compatible), 32KB cache + 32KB IRAM (balanced), Use pgm_read macros for IRAM/PROGMEM, dtr (aka nodemcu), 26 MHz, 40MHz, DOUT (compatible), 1MB (FS:64KB OTA:~470KB), 2, nonos-sdk 2.2.1+100 (190703), v2 Lower Memory, Disabled, None, Only Sketch, 115200"
c:/users/arslan/appdata/local/arduino15/packages/esp8266/tools/xtensa-lx106-elf-gcc/3.0.3-gcc10.3-9bcba0b/bin/../lib/gcc/xtensa-lx106-elf/10.3.0/../../../../xtensa-lx106-elf/bin/ld.exe: sketch\ESP8266.ino.cpp.o:(.text.setup+0x7c): undefined reference to `_ZN9FtpServer5beginE6StringS0_'
c:/users/arslan/appdata/local/arduino15/packages/esp8266/tools/xtensa-lx106-elf-gcc/3.0.3-gcc10.3-9bcba0b/bin/../lib/gcc/xtensa-lx106-elf/10.3.0/../../../../xtensa-lx106-elf/bin/ld.exe: sketch\ESP8266.ino.cpp.o: in function `setup':
C:\Users\Arslan\Downloads\ExploitHost\ExploitHost\ESP8266/ESP8266.ino:96: undefined reference to `_ZN9FtpServer5beginE6StringS0_'
c:/users/arslan/appdata/local/arduino15/packages/esp8266/tools/xtensa-lx106-elf-gcc/3.0.3-gcc10.3-9bcba0b/bin/../lib/gcc/xtensa-lx106-elf/10.3.0/../../../../xtensa-lx106-elf/bin/ld.exe: sketch\ESP8266.ino.cpp.o: in function `_ZN10WiFiClient4stopEv':
C:\Users\Arslan\AppData\Local\Arduino15\packages\esp8266\hardware\esp8266\3.0.1\libraries\ESP8266WiFi\src/WiFiClient.h:75: undefined reference to `_ZN9FtpServer9handleFTPEv'
c:/users/arslan/appdata/local/arduino15/packages/esp8266/tools/xtensa-lx106-elf-gcc/3.0.3-gcc10.3-9bcba0b/bin/../lib/gcc/xtensa-lx106-elf/10.3.0/../../../../xtensa-lx106-elf/bin/ld.exe: sketch\ESP8266.ino.cpp.o: in function `_ZN16esp8266webserver24ESP8266WebServerTemplateI10WiFiServerE12handleClientEv':
C:\Users\Arslan\AppData\Local\Arduino15\packages\esp8266\hardware\esp8266\3.0.1\libraries\ESP8266WebServer\src/ESP8266WebServer-impl.h:338: undefined reference to `_ZN9FtpServer9handleFTPEv'
collect2.exe: error: ld returned 1 exit status
exit status 1
Error compiling for board NodeMCU 1.0 (ESP-12E Module).
This report would have more information with
"Show verbose output during compilation"
option enabled in File -> Preferences.
"

Any suggestions?
 

randy_w

I'd say there's something wrong with your libraries based on error messages.
Here's the ftp library I used: https://github.com/nailbuster/esp8266FTPServer
Also here's the board manager URL I used: http://arduino.esp8266.com/stable/package_esp8266com_index.json
Other libraries should come with board manager so check yours in case you are using an unofficial one.
Also I'm using the esp-12e variant since it has the largest flash size available, so I used NodeMCU 1.0 (ESP-12E) in the boards menu, not sure if this will make any difference.
BTW I've never tried generating a bin file yet, but I'm pretty sure you need to figure out the partition scheme of the flash memory, manually create a SPIFFS image file, add exploit host files and merge it with the generated bin file, or just use FTP to upload them.
 

Thugnificent

Thank you so much, appreciate it!

I will give those libraries a go. The one I am using is a generic one I bought for 6 bucks off Amazon, but I tried selecting different boards from the IDE as well. I was actually thinking to make the bin and flashing it with NodeMCU flasher.

EDIT: It was the libraries. When I was first trying to compile, it gave an error that the ftp.h library is missing, so I googled and found one. I am pretty sure that was the culprit, and the link you provided fixed the issue and I was able to compile successfully.

Thank you so much! Appreciated!

EDIT 2: This worked so well, you rock man! I was successfully able to upload and host an exploit for my 7.02 with Goldhen! Cheers!!!!!!!
 

protivakid

Hey, dumb question, but if the host's source you want to use isn't on GitHub then you probably can't make a .bin file for an ESP8266, right?
 

randy_w

Well you still can, but you need to download the whole site with those website downloader tools or manually download every single file that the html page loads.

For example on karo's host:

You can see the javascript within the html file refers to many other js files for different payloads. You need to download all of them and put them in the same directory as the index.html file (or in subfolders, depending on how the js file is loaded). There are also .bin format payloads so you need to get them too. If there are other .html pages you also need to get them. Just skim through the javascript label in the main html file and you should get the idea.

You can simply take the address from the address bar, change the index.html to the payload name and you should be able to download the file.
 

protivakid

Thank you!
 
