1
0

AUTHoversize.c 5.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155
  1. /*
  2. Fuzzes AuthResp by testing overflow
  3. */
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <stdint.h>
  7. #include <string.h>
  8. #include <math.h>
  9. #include "../frameDefinitions.h"
  10. //Creates Probe response frame
  11. u_char *Authoversize(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC, int step)
  12. {
  13. #define AuthoversizeIES (6) //number of information elements
  14. //definition of all info elements
  15. infoElem base255;
  16. base255.id = 1;
  17. base255.len = 255;
  18. base255.len_data = 255;
  19. u_char *data = malloc(255);
  20. memset(data, 0xff, 255);
  21. base255.data = data;
  22. infoElem lastBit;
  23. lastBit.id = 127;
  24. lastBit.len = 151-step;
  25. lastBit.len_data = 151-step;
  26. u_char *data2 = malloc(151-step);
  27. memset(data2, 0xff, 151-step);
  28. lastBit.data = data2;
  29. //create array of information elements
  30. infoElem taggedParams[AuthoversizeIES] = {
  31. base255, base255, base255, base255, base255, lastBit
  32. };
  33. //length of all info elements, including id and len field
  34. int len_taggedParams = 0;
  35. for(int i = 0; i < AuthoversizeIES; i++)
  36. {
  37. if (taggedParams[i].len_data != -1) //do not include when len_data == -1
  38. {
  39. //+2 to include id and len field size
  40. len_taggedParams = len_taggedParams + taggedParams[i].len_data+2;
  41. }
  42. }
  43. //fill in struct
  44. authResponse authResp = {
  45. 36, radioTapHeader, //RadioTap hdr
  46. 1, "\xb0", //Type
  47. 1, "\x00", //Subtype
  48. 2, "\x3a\x01", //Duration
  49. 6, dstAddress, //DST addr
  50. 6, myMAC, //Source addr
  51. 6, myMAC, //BSS addr
  52. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  53. 2, "\x00\x00", //Auth alg
  54. 2, "\x02\x00", //Auth seq
  55. 2, "\x00\x00", //Status code
  56. len_taggedParams,
  57. taggedParams, //Information elements
  58. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  59. };
  60. //calculate size of final packet
  61. *packetSize = authResp.len_radioTapHdr
  62. + authResp.len_type
  63. + authResp.len_flags
  64. + authResp.len_duration
  65. + authResp.len_destAddr
  66. + authResp.len_sourceAddr
  67. + authResp.len_bssAddr
  68. + authResp.len_seqNr
  69. + authResp.len_authAlg
  70. + authResp.len_authSeq
  71. + authResp.len_status
  72. + authResp.len_taggedParams
  73. + authResp.len_fsc;
  74. //define packet
  75. u_char *authRespPacket = malloc(*packetSize);
  76. if(!authRespPacket)
  77. {
  78. printf("Memory allocation error!\n");
  79. exit(-1);
  80. }
  81. //copy all struct fields into packet
  82. int copyOffset = 0;
  83. memcpy(authRespPacket + copyOffset, authResp.radioTapHdr, authResp.len_radioTapHdr);
  84. copyOffset = copyOffset + authResp.len_radioTapHdr;
  85. memcpy(authRespPacket + copyOffset, authResp.type, authResp.len_type);
  86. copyOffset = copyOffset + authResp.len_type;
  87. memcpy(authRespPacket + copyOffset, authResp.flags, authResp.len_flags);
  88. copyOffset = copyOffset + authResp.len_flags;
  89. memcpy(authRespPacket + copyOffset, authResp.duration, authResp.len_duration);
  90. copyOffset = copyOffset + authResp.len_duration;
  91. memcpy(authRespPacket + copyOffset, authResp.destAddr, authResp.len_destAddr);
  92. copyOffset = copyOffset + authResp.len_destAddr;
  93. memcpy(authRespPacket + copyOffset, authResp.sourceAddr, authResp.len_sourceAddr);
  94. copyOffset = copyOffset + authResp.len_sourceAddr;
  95. memcpy(authRespPacket + copyOffset, authResp.bssAddr, authResp.len_bssAddr);
  96. copyOffset = copyOffset + authResp.len_bssAddr;
  97. memcpy(authRespPacket + copyOffset, authResp.seqNr, authResp.len_seqNr);
  98. copyOffset = copyOffset + authResp.len_seqNr;
  99. memcpy(authRespPacket + copyOffset, authResp.authAlg, authResp.len_authAlg);
  100. copyOffset = copyOffset + authResp.len_authAlg;
  101. memcpy(authRespPacket + copyOffset, authResp.authSeq, authResp.len_authSeq);
  102. copyOffset = copyOffset + authResp.len_authSeq;
  103. memcpy(authRespPacket + copyOffset, authResp.status, authResp.len_status);
  104. copyOffset = copyOffset + authResp.len_status;
  105. //copy all information elements
  106. for(int i = 0; i < AuthoversizeIES; i++)
  107. {
  108. if (taggedParams[i].len_data != -1) //if id == -1, we do not want to include the information element
  109. {
  110. memcpy(authRespPacket + copyOffset, &taggedParams[i].id, 1);
  111. copyOffset = copyOffset + 1;
  112. memcpy(authRespPacket + copyOffset, &taggedParams[i].len, 1);
  113. copyOffset = copyOffset + 1;
  114. memcpy(authRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
  115. copyOffset = copyOffset + taggedParams[i].len_data;
  116. }
  117. }
  118. memcpy(authRespPacket + copyOffset, authResp.fsc, authResp.len_fsc);
  119. copyOffset = copyOffset + authResp.len_fsc;
  120. //send packet
  121. return authRespPacket;
  122. }