vanhoefm / 0001-Make-hostap-vulnerable-to-PTK-key-reinstallation.patch
Created February 17, 2023 20:41
Make hostap 2.10 vulnerable to PTK key reinstallation
From b2393237de31be1799cb9026e30a5bf7b611f6e7 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
Date: Fri, 17 Feb 2023 21:38:06 +0100
Subject: [PATCH] Make hostap vulnerable to PTK key reinstallation
Apply this patch to hostap_2_10 to make it vulnerable to PTK key
reinstallations.
---
src/rsn_supp/wpa.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
vanhoefm / comp128.c
Created February 5, 2016 23:30
Leaked comp128 algorithm (version 2 and 3) and a refactored, easier to understand, version.
/** Comp128 version 2 and 3 overview by Mathy Vanhoef (based on other contributions mentioned inline) */
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>
static uint8_t table0[] = {
197, 235, 60, 151, 98, 96, 3, 100, 248, 118, 42, 117, 172, 211, 181, 203,
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
index d441045..84359c3 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
@@ -147,21 +147,26 @@ static void ath9k_htc_bssid_iter(void *data, u8 *mac, struct ieee80211_vif *vif)
struct ath9k_vif_iter_data *iter_data = data;
int i;
- for (i = 0; i < ETH_ALEN; i++)
- iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
#!/usr/bin/python
from scapy.all import *
import random
# Number of times the probe is injected for a single bit; repeating the
# injection compensates for packet loss.
# NOTE(review): the code that consumes these constants is outside the visible excerpt.
ATTEMPTS_PER_BIT = 3
# How long to wait for an ACK, in seconds.
SNIFFTIME = 0.1
vanhoefm / reset_router.py
Created June 21, 2020 01:25
Reset router using Selenium
#!/usr/bin/env python3
from selenium.webdriver import Firefox
from selenium.webdriver.firefox.options import Options
import subprocess, time
def reset_router(browser):
browser.execute_script('javascript:CheckHTMLStatus("System");')
time.sleep(0.13)
browser.execute_script('javascript:SetFactory_Default();')
time.sleep(0.01)
vanhoefm / wait_router.py
Last active June 21, 2020 01:18
Wait until the router booted
#!/usr/bin/env python3
from scapy.all import *
# MAC address of our own interface
MYMACADDR = "11:22:33:44:55:66"
def wait_router(iface, ip):
s = L2Socket(type=ETH_P_ALL, iface=iface)
arp = Ether(dst="ff:ff:ff:ff:ff:ff", src=MYMACADDR)
arp = arp/ARP(hwsrc=MYMACADDR, pdst=ip, psrc="192.168.0.100")
vanhoefm / gamespy.lua
Created July 18, 2012 19:04
Wireshark Gamespy Protocol Dissector
-- Wireshark LUA script to handle Gamespy Packets
trivial_proto = Proto("gamespy","Gamespy Protocol")
-- XOR Cipher:
local tab = { -- tab[i][j] = xor(i-1, j-1)
{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, },
{1, 0, 3, 2, 5, 4, 7, 6, 9, 8, 11, 10, 13, 12, 15, 14, },
{2, 3, 0, 1, 6, 7, 4, 5, 10, 11, 8, 9, 14, 15, 12, 13, },
{3, 2, 1, 0, 7, 6, 5, 4, 11, 10, 9, 8, 15, 14, 13, 12, },
{4, 5, 6, 7, 0, 1, 2, 3, 12, 13, 14, 15, 8, 9, 10, 11, },
{5, 4, 7, 6, 1, 0, 3, 2, 13, 12, 15, 14, 9, 8, 11, 10, },
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char *argv[])
{
char *buf1 = malloc(256);
char *buf2 = malloc(512);
char *buf3 = malloc(1024);
char *top, *aftertop;
# -------------- netcatlib.py -----------------------------------
import socket
class Netcat:
# TODO: ip and port should be optional, and an open() method should be added
# TODO: specify a timeout argument as well?
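def __init__(self, ip, port):
    """Open a TCP connection to ``(ip, port)``.

    Creates an IPv4 stream socket, stores it on ``self.soc`` and connects
    it. ``self.buff`` starts as an empty string.

    No timeout is set in this method, so ``connect()`` blocks until the
    connection succeeds or fails. Any exception raised by ``connect()``
    propagates to the caller after the socket has been closed.
    """
    # NOTE(review): presumably the receive buffer; its use is outside this view.
    self.buff = ""
    self.soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        self.soc.connect((ip, port))
    except BaseException:
        # Do not leave a half-initialised object holding an open descriptor
        # when the connection attempt fails or is interrupted.
        self.soc.close()
        raise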
call 0x80486d0 <printf@plt>
movl $0x8049f3a,(%esp)
call 0x8048750 <puts@plt>
mov -0xc(%ebp),%eax
leave ; equivalent to movl %ebp, %esp
; popl %ebp
ret