Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-02-21 03:23:04 -05:00
Code Issues Projects Releases Wiki Activity

fragattack: detect ath9k_htc for injection workaround

Browse Source
This commit is contained in:
Mathy 2020-03-27 12:49:33 -04:00
parent e3fc1987a0
commit c6a9274d4d
1 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
research/inject.py
View File

@ -9,8 +9,10 @@ from scapy.contrib.wpa_eapol import WPA_key
# However, this number is not incremented when the MoreFragments flag is set, # However, this number is not incremented when the MoreFragments flag is set,
# meaning we can inject fragmented frames (albeit with a different sequence # meaning we can inject fragmented frames (albeit with a different sequence
# number than then one we use for injection this this script). # number than then one we use for injection this this script).
# TODO: The above cannot be relied on when other frames and send between # - The above trick does not work when we want to inject other frames between
# the two fragments? # two fragmented frames (the chip will assign them difference sequence numbers).
# Even when the fragments use a unique QoS TID, sending frames between them
# will make the chip assign difference sequence numbers to both fragments.
# - Overwriting the sequence can be avoided by patching `ath_tgt_tx_seqno_normal` # - Overwriting the sequence can be avoided by patching `ath_tgt_tx_seqno_normal`
# and commenting out the two lines that modify `i_seq`. # and commenting out the two lines that modify `i_seq`.
# - See also the comment in Station.inject_next_frags to avoid other bugs with # - See also the comment in Station.inject_next_frags to avoid other bugs with
@ -48,7 +50,9 @@ def argv_pop_argument(argument):
class TestOptions(): class TestOptions():
def __init__(self): def __init__(self):
self.test = None # Workaround for ath9k_htc bugs
self.inject_workaround = False
self.interface = None self.interface = None
self.clientip = None self.clientip = None
self.routerip = None self.routerip = None
@ -348,7 +352,11 @@ class Station():
# includes beacons). Injecting a dummy packet like below avoid this, # includes beacons). Injecting a dummy packet like below avoid this,
# and assures packets keep being sent normally (when the last fragment # and assures packets keep being sent normally (when the last fragment
# had the MF flag set). # had the MF flag set).
if frag != None and frag.FCfield & 0x4 != 0: #
# Note: when the device is only operating in monitor mode, this does
# not seem to be a problem.
#
if self.options.inject_workaround and frag != None and frag.FCfield & 0x4 != 0:
self.daemon.inject_mon(Dot11(addr1="ff:ff:ff:ff:ff:ff")) self.daemon.inject_mon(Dot11(addr1="ff:ff:ff:ff:ff:ff"))
print("[Injected packet] Prevent ath9k_htc bug after fragment injection") print("[Injected packet] Prevent ath9k_htc bug after fragment injection")
@ -458,6 +466,15 @@ class Daemon():
subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"]) subprocess.check_output(["iw", self.nic_mon, "set", "type", "monitor"])
subprocess.check_output(["ifconfig", self.nic_mon, "up"]) subprocess.check_output(["ifconfig", self.nic_mon, "up"])
# 3. Remember whether to need to perform a workaround.
driver = get_device_driver(self.nic_iface)
if driver == None:
log(WARNING, "Unable to detect driver of interface!")
log(WARNING, "Injecting fragments may contains bugs.")
elif driver == "ath9k_htc":
options.inject_workaround = True
log(STATUS, "Detect ath9k_htc, using injection bug workarounds")
def inject_mon(self, p): def inject_mon(self, p):
self.sock_mon.send(p) self.sock_mon.send(p)
@ -752,7 +769,6 @@ if __name__ == "__main__":
options = TestOptions() options = TestOptions()
options.interface = sys.argv[1] options.interface = sys.argv[1]
# options.test = TestOptions.Inject_Ping
# Parse remaining options # Parse remaining options
start_ap = argv_pop_argument("--ap") start_ap = argv_pop_argument("--ap")