AUTHstatic.c 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243
  1. /*
  2. Fuzzes AuthResp static elements
  3. */
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <stdint.h>
  7. #include <string.h>
  8. #include <math.h>
  9. #include "../frameDefinitions.h"
  10. //Creates Probe response frame
  11. u_char *Authstatic(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC, int step)
  12. {
  13. #define AuthstaticIES (1) //number of information elements
  14. infoElem challenge = {
  15. 15, //id
  16. 0, //len
  17. -1, //real length of data
  18. "" //data
  19. };
  20. //create array of information elements
  21. infoElem taggedParams[AuthstaticIES] = {challenge};
  22. //length of all info elements, including id and len field
  23. int len_taggedParams = 0;
  24. for(int i = 0; i < AuthstaticIES; i++)
  25. {
  26. if (taggedParams[i].len_data != -1) //do not include when len_data == -1
  27. {
  28. //+2 to include id and len field size
  29. len_taggedParams = len_taggedParams + taggedParams[i].len_data+2;
  30. }
  31. }
  32. //fill in struct
  33. authResponse authResp = {
  34. 36, radioTapHeader, //RadioTap hdr
  35. 1, "\xb0", //Type
  36. 1, "\x00", //Subtype
  37. 2, "\x3a\x01", //Duration
  38. 6, dstAddress, //DST addr
  39. 6, myMAC, //Source addr
  40. 6, myMAC, //BSS addr
  41. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  42. 2, "\x00\x00", //Auth alg
  43. 2, "\x02\x00", //Auth seq
  44. 2, "\x00\x00", //Status code
  45. len_taggedParams,
  46. taggedParams, //Information elements
  47. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  48. };
  49. if (step == 0)
  50. {
  51. authResp.len_authAlg = 2;
  52. authResp.len_authSeq = 2;
  53. authResp.len_status = 1;
  54. }
  55. if (step == 1)
  56. {
  57. authResp.len_authAlg = 2;
  58. authResp.len_authSeq = 2;
  59. authResp.len_status = 0;
  60. }
  61. if (step == 2)
  62. {
  63. authResp.len_authAlg = 2;
  64. authResp.len_authSeq = 1;
  65. authResp.len_status = 0;
  66. }
  67. if (step == 3)
  68. {
  69. authResp.len_authAlg = 2;
  70. authResp.len_authSeq = 0;
  71. authResp.len_status = 0;
  72. }
  73. if (step == 4)
  74. {
  75. authResp.len_authAlg = 1;
  76. authResp.len_authSeq = 0;
  77. authResp.len_status = 0;
  78. }
  79. if (step == 5)
  80. {
  81. authResp.len_authAlg = 0;
  82. authResp.len_authSeq = 0;
  83. authResp.len_status = 0;
  84. }
  85. if (step == 6)
  86. {
  87. authResp.len_authAlg = 2;
  88. authResp.len_authSeq = 2;
  89. authResp.len_status = 2;
  90. authResp.authAlg = "\x00\x00";
  91. authResp.authSeq = "\x00\x00";
  92. }
  93. if (step == 7)
  94. {
  95. authResp.len_authAlg = 2;
  96. authResp.len_authSeq = 2;
  97. authResp.len_status = 2;
  98. authResp.authAlg = "\x01\x00";
  99. authResp.authSeq = "\x01\x00";
  100. }
  101. if (step == 8)
  102. {
  103. authResp.len_authAlg = 2;
  104. authResp.len_authSeq = 2;
  105. authResp.len_status = 2;
  106. authResp.authAlg = "\x02\x00";
  107. authResp.authSeq = "\x02\x00";
  108. }
  109. if (step == 9)
  110. {
  111. authResp.len_authAlg = 2;
  112. authResp.len_authSeq = 2;
  113. authResp.len_status = 2;
  114. authResp.authAlg = "\x03\x00";
  115. authResp.authSeq = "\x03\x00";
  116. }
  117. if (step == 10)
  118. {
  119. authResp.len_authAlg = 2;
  120. authResp.len_authSeq = 2;
  121. authResp.len_status = 2;
  122. authResp.authAlg = "\x04\x00";
  123. authResp.authSeq = "\x04\x00";
  124. }
  125. if (step == 11)
  126. {
  127. authResp.len_authAlg = 2;
  128. authResp.len_authSeq = 2;
  129. authResp.len_status = 2;
  130. authResp.authAlg = "\x05\x00";
  131. authResp.authSeq = "\x05\x00";
  132. }
  133. if (step == 12)
  134. {
  135. authResp.len_authAlg = 2;
  136. authResp.len_authSeq = 2;
  137. authResp.len_status = 2;
  138. authResp.authAlg = "\x06\x00";
  139. authResp.authSeq = "\x06\x00";
  140. }
  141. if (step == 13)
  142. {
  143. authResp.len_authAlg = 2;
  144. authResp.len_authSeq = 2;
  145. authResp.len_status = 2;
  146. authResp.authAlg = "\xFF\xFF";
  147. authResp.authSeq = "\xFF\xFF";
  148. }
  149. //calculate size of final packet
  150. *packetSize = authResp.len_radioTapHdr
  151. + authResp.len_type
  152. + authResp.len_flags
  153. + authResp.len_duration
  154. + authResp.len_destAddr
  155. + authResp.len_sourceAddr
  156. + authResp.len_bssAddr
  157. + authResp.len_seqNr
  158. + authResp.len_authAlg
  159. + authResp.len_authSeq
  160. + authResp.len_status
  161. + authResp.len_taggedParams
  162. + authResp.len_fsc;
  163. //define packet
  164. u_char *authRespPacket = malloc(*packetSize);
  165. if(!authRespPacket)
  166. {
  167. printf("Memory allocation error!\n");
  168. exit(-1);
  169. }
  170. //copy all struct fields into packet
  171. int copyOffset = 0;
  172. memcpy(authRespPacket + copyOffset, authResp.radioTapHdr, authResp.len_radioTapHdr);
  173. copyOffset = copyOffset + authResp.len_radioTapHdr;
  174. memcpy(authRespPacket + copyOffset, authResp.type, authResp.len_type);
  175. copyOffset = copyOffset + authResp.len_type;
  176. memcpy(authRespPacket + copyOffset, authResp.flags, authResp.len_flags);
  177. copyOffset = copyOffset + authResp.len_flags;
  178. memcpy(authRespPacket + copyOffset, authResp.duration, authResp.len_duration);
  179. copyOffset = copyOffset + authResp.len_duration;
  180. memcpy(authRespPacket + copyOffset, authResp.destAddr, authResp.len_destAddr);
  181. copyOffset = copyOffset + authResp.len_destAddr;
  182. memcpy(authRespPacket + copyOffset, authResp.sourceAddr, authResp.len_sourceAddr);
  183. copyOffset = copyOffset + authResp.len_sourceAddr;
  184. memcpy(authRespPacket + copyOffset, authResp.bssAddr, authResp.len_bssAddr);
  185. copyOffset = copyOffset + authResp.len_bssAddr;
  186. memcpy(authRespPacket + copyOffset, authResp.seqNr, authResp.len_seqNr);
  187. copyOffset = copyOffset + authResp.len_seqNr;
  188. memcpy(authRespPacket + copyOffset, authResp.authAlg, authResp.len_authAlg);
  189. copyOffset = copyOffset + authResp.len_authAlg;
  190. memcpy(authRespPacket + copyOffset, authResp.authSeq, authResp.len_authSeq);
  191. copyOffset = copyOffset + authResp.len_authSeq;
  192. memcpy(authRespPacket + copyOffset, authResp.status, authResp.len_status);
  193. copyOffset = copyOffset + authResp.len_status;
  194. //copy all information elements
  195. for(int i = 0; i < AuthstaticIES; i++)
  196. {
  197. if (taggedParams[i].len_data != -1) //if id == -1, we do not want to include the information element
  198. {
  199. memcpy(authRespPacket + copyOffset, &taggedParams[i].id, 1);
  200. copyOffset = copyOffset + 1;
  201. memcpy(authRespPacket + copyOffset, &taggedParams[i].len, 1);
  202. copyOffset = copyOffset + 1;
  203. memcpy(authRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
  204. copyOffset = copyOffset + taggedParams[i].len_data;
  205. }
  206. }
  207. memcpy(authRespPacket + copyOffset, authResp.fsc, authResp.len_fsc);
  208. copyOffset = copyOffset + authResp.len_fsc;
  209. //send packet
  210. return authRespPacket;
  211. }