/* Fuzzes AuthResp static elements */ #include #include #include #include #include #include "../frameDefinitions.h" //Creates Probe response frame u_char *Authstatic(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC, int step) { #define AuthstaticIES (1) //number of information elements infoElem challenge = { 15, //id 0, //len -1, //real length of data "" //data }; //create array of information elements infoElem taggedParams[AuthstaticIES] = {challenge}; //length of all info elements, including id and len field int len_taggedParams = 0; for(int i = 0; i < AuthstaticIES; i++) { if (taggedParams[i].len_data != -1) //do not include when len_data == -1 { //+2 to include id and len field size len_taggedParams = len_taggedParams + taggedParams[i].len_data+2; } } //fill in struct authResponse authResp = { 36, radioTapHeader, //RadioTap hdr 1, "\xb0", //Type 1, "\x00", //Subtype 2, "\x3a\x01", //Duration 6, dstAddress, //DST addr 6, myMAC, //Source addr 6, myMAC, //BSS addr 2, "\x00\x00", //Seq nr (overwritten by firmware) 2, "\x00\x00", //Auth alg 2, "\x02\x00", //Auth seq 2, "\x00\x00", //Status code len_taggedParams, taggedParams, //Information elements 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware) }; if (step == 0) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 1; } if (step == 1) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 0; } if (step == 2) { authResp.len_authAlg = 2; authResp.len_authSeq = 1; authResp.len_status = 0; } if (step == 3) { authResp.len_authAlg = 2; authResp.len_authSeq = 0; authResp.len_status = 0; } if (step == 4) { authResp.len_authAlg = 1; authResp.len_authSeq = 0; authResp.len_status = 0; } if (step == 5) { authResp.len_authAlg = 0; authResp.len_authSeq = 0; authResp.len_status = 0; } if (step == 6) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 2; authResp.authAlg = "\x00\x00"; authResp.authSeq = "\x00\x00"; } if (step == 7) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 2; authResp.authAlg = "\x01\x00"; authResp.authSeq = "\x01\x00"; } if (step == 8) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 2; authResp.authAlg = "\x02\x00"; authResp.authSeq = "\x02\x00"; } if (step == 9) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 2; authResp.authAlg = "\x03\x00"; authResp.authSeq = "\x03\x00"; } if (step == 10) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 2; authResp.authAlg = "\x04\x00"; authResp.authSeq = "\x04\x00"; } if (step == 11) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 2; authResp.authAlg = "\x05\x00"; authResp.authSeq = "\x05\x00"; } if (step == 12) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 2; authResp.authAlg = "\x06\x00"; authResp.authSeq = "\x06\x00"; } if (step == 13) { authResp.len_authAlg = 2; authResp.len_authSeq = 2; authResp.len_status = 2; authResp.authAlg = "\xFF\xFF"; authResp.authSeq = "\xFF\xFF"; } //calculate size of final packet *packetSize = authResp.len_radioTapHdr + authResp.len_type + authResp.len_flags + authResp.len_duration + authResp.len_destAddr + authResp.len_sourceAddr + authResp.len_bssAddr + authResp.len_seqNr + authResp.len_authAlg + authResp.len_authSeq + authResp.len_status + authResp.len_taggedParams + authResp.len_fsc; //define packet u_char *authRespPacket = malloc(*packetSize); if(!authRespPacket) { printf("Memory allocation error!\n"); exit(-1); } //copy all struct fields into packet int copyOffset = 0; memcpy(authRespPacket + copyOffset, authResp.radioTapHdr, authResp.len_radioTapHdr); copyOffset = copyOffset + authResp.len_radioTapHdr; memcpy(authRespPacket + copyOffset, authResp.type, authResp.len_type); copyOffset = copyOffset + authResp.len_type; memcpy(authRespPacket + copyOffset, authResp.flags, authResp.len_flags); copyOffset = copyOffset + authResp.len_flags; memcpy(authRespPacket + copyOffset, authResp.duration, authResp.len_duration); copyOffset = copyOffset + authResp.len_duration; memcpy(authRespPacket + copyOffset, authResp.destAddr, authResp.len_destAddr); copyOffset = copyOffset + authResp.len_destAddr; memcpy(authRespPacket + copyOffset, authResp.sourceAddr, authResp.len_sourceAddr); copyOffset = copyOffset + authResp.len_sourceAddr; memcpy(authRespPacket + copyOffset, authResp.bssAddr, authResp.len_bssAddr); copyOffset = copyOffset + authResp.len_bssAddr; memcpy(authRespPacket + copyOffset, authResp.seqNr, authResp.len_seqNr); copyOffset = copyOffset + authResp.len_seqNr; memcpy(authRespPacket + copyOffset, authResp.authAlg, authResp.len_authAlg); copyOffset = copyOffset + authResp.len_authAlg; memcpy(authRespPacket + copyOffset, authResp.authSeq, authResp.len_authSeq); copyOffset = copyOffset + authResp.len_authSeq; memcpy(authRespPacket + copyOffset, authResp.status, authResp.len_status); copyOffset = copyOffset + authResp.len_status; //copy all information elements for(int i = 0; i < AuthstaticIES; i++) { if (taggedParams[i].len_data != -1) //if id == -1, we do not want to include the information element { memcpy(authRespPacket + copyOffset, &taggedParams[i].id, 1); copyOffset = copyOffset + 1; memcpy(authRespPacket + copyOffset, &taggedParams[i].len, 1); copyOffset = copyOffset + 1; memcpy(authRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data); copyOffset = copyOffset + taggedParams[i].len_data; } } memcpy(authRespPacket + copyOffset, authResp.fsc, authResp.len_fsc); copyOffset = copyOffset + authResp.len_fsc; //send packet return authRespPacket; }