1
0

frameCreator.c 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509
  1. /*
  2. Creates frames.
  3. */
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <stdint.h>
  7. #include <string.h>
  8. #include "frameCreator.h"
  9. #include "fuzzer.h"
  10. #include "frameDefinitions.h"
  11. #include "fuzzChallenge.h"
  12. #include "fuzzAuth.h"
  13. #include "fuzzEXTRATES.h"
  14. #include "fuzzHTCAPAB.h"
  15. #include "fuzzHTINFO.h"
  16. #include "fuzzEXTCAPAB.h"
  17. #include "fuzzEDCA.h"
  18. #include "fuzzRates.h"
  19. //CHANGE WHEN NEW SUBFUZZER
  20. //Creates Authentication frame
  21. u_char *createAuthResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
  22. {
  23. //when done with all subfuzzers, we want to return frames from the generic fuzzer
  24. if (getNotifyDone() != 0)
  25. return AuthFuzz(dstAddress, packetSize, radioTapHeader, myMAC);
  26. #define numberOfAuthInfoElems (1) //number of information elements
  27. //definition of all info elements
  28. //CHANGE WHEN NEW SUBFUZZER
  29. infoElem challenge = challengeFuzz();
  30. //CHANGE WHEN NEW SUBFUZZER
  31. //create array of information elements
  32. infoElem taggedParams[numberOfAuthInfoElems] = {challenge};
  33. //length of all info elements, including id and len field
  34. int len_taggedParams = 0;
  35. for(int i = 0; i < numberOfAuthInfoElems; i++)
  36. {
  37. if (taggedParams[i].len_data != -1) //do not include if len_data == -1
  38. {
  39. //+2 to include id and len field size
  40. len_taggedParams = len_taggedParams + taggedParams[i].len_data+2;
  41. }
  42. }
  43. //fill in struct
  44. authResponse authResp = {
  45. 36, radioTapHeader, //RadioTap hdr
  46. 1, "\xb0", //Type
  47. 1, "\x00", //Subtype
  48. 2, "\x3a\x01", //Duration
  49. 6, dstAddress, //DST addr
  50. 6, myMAC, //Source addr
  51. 6, myMAC, //BSS addr
  52. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  53. 2, "\x00\x00", //Auth alg
  54. 2, "\x02\x00", //Auth seq
  55. 2, "\x00\x00", //Status code
  56. len_taggedParams,
  57. taggedParams, //Information elements
  58. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  59. };
  60. //calculate size of final packet
  61. *packetSize = authResp.len_radioTapHdr
  62. + authResp.len_type
  63. + authResp.len_flags
  64. + authResp.len_duration
  65. + authResp.len_destAddr
  66. + authResp.len_sourceAddr
  67. + authResp.len_bssAddr
  68. + authResp.len_seqNr
  69. + authResp.len_authAlg
  70. + authResp.len_authSeq
  71. + authResp.len_status
  72. + authResp.len_taggedParams
  73. + authResp.len_fsc;
  74. //define packet
  75. u_char *authRespPacket = malloc(*packetSize);
  76. if(!authRespPacket)
  77. {
  78. printf("Memory allocation error!\n");
  79. exit(-1);
  80. }
  81. //copy all struct fields into packet
  82. int copyOffset = 0;
  83. memcpy(authRespPacket + copyOffset, authResp.radioTapHdr, authResp.len_radioTapHdr);
  84. copyOffset = copyOffset + authResp.len_radioTapHdr;
  85. memcpy(authRespPacket + copyOffset, authResp.type, authResp.len_type);
  86. copyOffset = copyOffset + authResp.len_type;
  87. memcpy(authRespPacket + copyOffset, authResp.flags, authResp.len_flags);
  88. copyOffset = copyOffset + authResp.len_flags;
  89. memcpy(authRespPacket + copyOffset, authResp.duration, authResp.len_duration);
  90. copyOffset = copyOffset + authResp.len_duration;
  91. memcpy(authRespPacket + copyOffset, authResp.destAddr, authResp.len_destAddr);
  92. copyOffset = copyOffset + authResp.len_destAddr;
  93. memcpy(authRespPacket + copyOffset, authResp.sourceAddr, authResp.len_sourceAddr);
  94. copyOffset = copyOffset + authResp.len_sourceAddr;
  95. memcpy(authRespPacket + copyOffset, authResp.bssAddr, authResp.len_bssAddr);
  96. copyOffset = copyOffset + authResp.len_bssAddr;
  97. memcpy(authRespPacket + copyOffset, authResp.seqNr, authResp.len_seqNr);
  98. copyOffset = copyOffset + authResp.len_seqNr;
  99. memcpy(authRespPacket + copyOffset, authResp.authAlg, authResp.len_authAlg);
  100. copyOffset = copyOffset + authResp.len_authAlg;
  101. memcpy(authRespPacket + copyOffset, authResp.authSeq, authResp.len_authSeq);
  102. copyOffset = copyOffset + authResp.len_authSeq;
  103. memcpy(authRespPacket + copyOffset, authResp.status, authResp.len_status);
  104. copyOffset = copyOffset + authResp.len_status;
  105. //copy all information elements
  106. for(int i = 0; i < numberOfAuthInfoElems; i++)
  107. {
  108. if (taggedParams[i].len_data != -1) //if id == -1, we do not want to include the information element
  109. {
  110. memcpy(authRespPacket + copyOffset, &taggedParams[i].id, 1);
  111. copyOffset = copyOffset + 1;
  112. memcpy(authRespPacket + copyOffset, &taggedParams[i].len, 1);
  113. copyOffset = copyOffset + 1;
  114. memcpy(authRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
  115. copyOffset = copyOffset + taggedParams[i].len_data;
  116. }
  117. }
  118. memcpy(authRespPacket + copyOffset, authResp.fsc, authResp.len_fsc);
  119. copyOffset = copyOffset + authResp.len_fsc;
  120. //send packet
  121. return authRespPacket;
  122. }
  123. //Creates Association response
  124. u_char *createAssResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
  125. {
  126. #define numberOfAssInfoElems (6) //number of information elements
  127. //definition of all info elements
  128. //CHANGE WHEN NEW SUBFUZZER
  129. infoElem suppRates = ratesFuzz();
  130. infoElem extrates = extratesFuzz();
  131. infoElem htcapab = htcapabFuzz();
  132. infoElem htinfo = htinfoFuzz();
  133. infoElem extcapab = extcapabFuzz();
  134. infoElem edca = edcaFuzz();
  135. //CHANGE WHEN NEW SUBFUZZER
  136. //create array of information elements
  137. infoElem taggedParams[numberOfAssInfoElems] = {suppRates, extrates, htcapab,
  138. htinfo, extcapab, edca};
  139. //length of all info elements, including id and len field
  140. int len_taggedParams = 0;
  141. for(int i = 0; i < numberOfAssInfoElems; i++)
  142. {
  143. if (taggedParams[i].len_data != -1) //do not include if len_data == -1
  144. {
  145. //+2 to include id and len field size
  146. len_taggedParams = len_taggedParams + taggedParams[i].len_data+2;
  147. }
  148. }
  149. //fill in struct
  150. assResponse assResp = {
  151. 36, radioTapHeader, //RadioTap hdr
  152. 1, "\x10", //Type
  153. 1, "\x00", //Flags
  154. 2, "\x40\x01", //Duration
  155. 6, dstAddress, //DST addr
  156. 6, myMAC, //Source addr
  157. 6, myMAC, //BSS addr
  158. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  159. 2, "\x01\x00", //Capab info
  160. 2, "\x00\x00", //Status code
  161. 2, "\x01\xc0", //Association id
  162. len_taggedParams,
  163. taggedParams, //Information elements
  164. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  165. };
  166. //calculate size of final packet
  167. *packetSize = assResp.len_radioTapHdr
  168. + assResp.len_type
  169. + assResp.len_flags
  170. + assResp.len_duration
  171. + assResp.len_destAddr
  172. + assResp.len_sourceAddr
  173. + assResp.len_bssAddr
  174. + assResp.len_seqNr
  175. + assResp.len_capabInfo
  176. + assResp.len_status
  177. + assResp.len_assId
  178. + assResp.len_taggedParams
  179. + assResp.len_fsc;
  180. //define packet
  181. u_char *assRespPacket = malloc(*packetSize);
  182. if(!assRespPacket)
  183. {
  184. printf("Memory allocation error!\n");
  185. exit(-1);
  186. }
  187. //copy all struct fields into packet
  188. int copyOffset = 0;
  189. memcpy(assRespPacket + copyOffset, assResp.radioTapHdr, assResp.len_radioTapHdr);
  190. copyOffset = copyOffset + assResp.len_radioTapHdr;
  191. memcpy(assRespPacket + copyOffset, assResp.type, assResp.len_type);
  192. copyOffset = copyOffset + assResp.len_type;
  193. memcpy(assRespPacket + copyOffset, assResp.flags, assResp.len_flags);
  194. copyOffset = copyOffset + assResp.len_flags;
  195. memcpy(assRespPacket + copyOffset, assResp.duration, assResp.len_duration);
  196. copyOffset = copyOffset + assResp.len_duration;
  197. memcpy(assRespPacket + copyOffset, assResp.destAddr, assResp.len_destAddr);
  198. copyOffset = copyOffset + assResp.len_destAddr;
  199. memcpy(assRespPacket + copyOffset, assResp.sourceAddr, assResp.len_sourceAddr);
  200. copyOffset = copyOffset + assResp.len_sourceAddr;
  201. memcpy(assRespPacket + copyOffset, assResp.bssAddr, assResp.len_bssAddr);
  202. copyOffset = copyOffset + assResp.len_bssAddr;
  203. memcpy(assRespPacket + copyOffset, assResp.seqNr, assResp.len_seqNr);
  204. copyOffset = copyOffset + assResp.len_seqNr;
  205. memcpy(assRespPacket + copyOffset, assResp.capabInfo, assResp.len_capabInfo);
  206. copyOffset = copyOffset + assResp.len_capabInfo;
  207. memcpy(assRespPacket + copyOffset, assResp.status, assResp.len_status);
  208. copyOffset = copyOffset + assResp.len_status;
  209. memcpy(assRespPacket + copyOffset, assResp.assId, assResp.len_assId);
  210. copyOffset = copyOffset + assResp.len_assId;
  211. //copy all information elements
  212. for(int i = 0; i < numberOfAssInfoElems; i++)
  213. {
  214. if (taggedParams[i].len_data != -1) //if id == -1, we do not want to include the information element
  215. {
  216. memcpy(assRespPacket + copyOffset, &taggedParams[i].id, 1);
  217. copyOffset = copyOffset + 1;
  218. memcpy(assRespPacket + copyOffset, &taggedParams[i].len, 1);
  219. copyOffset = copyOffset + 1;
  220. memcpy(assRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
  221. copyOffset = copyOffset + taggedParams[i].len_data;
  222. }
  223. }
  224. memcpy(assRespPacket + copyOffset, assResp.fsc, assResp.len_fsc);
  225. copyOffset = copyOffset + assResp.len_fsc;
  226. //send packet
  227. return assRespPacket;
  228. }
  229. //Creates Probe response frame
  230. u_char *createProbeResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
  231. {
  232. #define numberOfProbeInfoElems (3) //number of information elements
  233. //definition of all info elements
  234. infoElem ssid = {
  235. 0, //id
  236. 4, //len
  237. 4, //real length of data
  238. "\x46\x55\x5a\x5a" //data
  239. };
  240. infoElem suppRates = {
  241. 1, //id
  242. 7, //len
  243. 7, //real length of data
  244. "\x96\x18\x24\x30\x48\x60\x6c" //data
  245. };
  246. infoElem ds = {
  247. 3, //id
  248. 1, //len
  249. 1, //real length of data
  250. "\x01" //data
  251. };
  252. //CHANGE WHEN NEW SUBFUZZER
  253. //create array of information elements
  254. infoElem taggedParams[numberOfProbeInfoElems] = {ssid, suppRates, ds};
  255. //length of all info elements, including id and len field
  256. int len_taggedParams = 0;
  257. for(int i = 0; i < numberOfProbeInfoElems; i++)
  258. {
  259. if (taggedParams[i].len_data != -1) //do not include when len_data == -1
  260. {
  261. //+2 to include id and len field size
  262. len_taggedParams = len_taggedParams + taggedParams[i].len_data+2;
  263. }
  264. }
  265. //fill in struct
  266. probeResponse probeResp = {
  267. 36, radioTapHeader, //RadioTap hdr
  268. 1, "\x50", //Type
  269. 1, "\x00", //Flags
  270. 2, "\x3a\x01", //Duration
  271. 6, dstAddress, //DST addr
  272. 6, myMAC, //Source addr
  273. 6, myMAC, //BSS addr
  274. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  275. 8, "\x00\x00\x00\x00\x00\x00\x00\x00", //Timestamp (overwritten by firmware)
  276. 2, "\x64\x00", //Beacon interval
  277. 2, "\x01\x00", //Capab info
  278. len_taggedParams,
  279. taggedParams, //Information elements
  280. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  281. };
  282. //calculate size of final packet
  283. *packetSize = probeResp.len_radioTapHdr
  284. + probeResp.len_type
  285. + probeResp.len_flags
  286. + probeResp.len_duration
  287. + probeResp.len_destAddr
  288. + probeResp.len_sourceAddr
  289. + probeResp.len_bssAddr
  290. + probeResp.len_seqNr
  291. + probeResp.len_timeStamp
  292. + probeResp.len_beaconInterval
  293. + probeResp.len_capabInfo
  294. + probeResp.len_taggedParams
  295. + probeResp.len_fsc;
  296. //define packet
  297. u_char *probeRespPacket = malloc(*packetSize);
  298. if(!probeRespPacket)
  299. {
  300. printf("Memory allocation error!\n");
  301. exit(-1);
  302. }
  303. //copy all struct fields into packet
  304. int copyOffset = 0;
  305. memcpy(probeRespPacket + copyOffset, probeResp.radioTapHdr, probeResp.len_radioTapHdr);
  306. copyOffset = copyOffset + probeResp.len_radioTapHdr;
  307. memcpy(probeRespPacket + copyOffset, probeResp.type, probeResp.len_type);
  308. copyOffset = copyOffset + probeResp.len_type;
  309. memcpy(probeRespPacket + copyOffset, probeResp.flags, probeResp.len_flags);
  310. copyOffset = copyOffset + probeResp.len_flags;
  311. memcpy(probeRespPacket + copyOffset, probeResp.duration, probeResp.len_duration);
  312. copyOffset = copyOffset + probeResp.len_duration;
  313. memcpy(probeRespPacket + copyOffset, probeResp.destAddr, probeResp.len_destAddr);
  314. copyOffset = copyOffset + probeResp.len_destAddr;
  315. memcpy(probeRespPacket + copyOffset, probeResp.sourceAddr, probeResp.len_sourceAddr);
  316. copyOffset = copyOffset + probeResp.len_sourceAddr;
  317. memcpy(probeRespPacket + copyOffset, probeResp.bssAddr, probeResp.len_bssAddr);
  318. copyOffset = copyOffset + probeResp.len_bssAddr;
  319. memcpy(probeRespPacket + copyOffset, probeResp.seqNr, probeResp.len_seqNr);
  320. copyOffset = copyOffset + probeResp.len_seqNr;
  321. memcpy(probeRespPacket + copyOffset, probeResp.timeStamp, probeResp.len_timeStamp);
  322. copyOffset = copyOffset + probeResp.len_timeStamp;
  323. memcpy(probeRespPacket + copyOffset, probeResp.beaconInterval, probeResp.len_beaconInterval);
  324. copyOffset = copyOffset + probeResp.len_beaconInterval;
  325. memcpy(probeRespPacket + copyOffset, probeResp.capabInfo, probeResp.len_capabInfo);
  326. copyOffset = copyOffset + probeResp.len_capabInfo;
  327. //copy all information elements
  328. for(int i = 0; i < numberOfProbeInfoElems; i++)
  329. {
  330. if (taggedParams[i].len_data != -1) //if id == -1, we do not want to include the information element
  331. {
  332. memcpy(probeRespPacket + copyOffset, &taggedParams[i].id, 1);
  333. copyOffset = copyOffset + 1;
  334. memcpy(probeRespPacket + copyOffset, &taggedParams[i].len, 1);
  335. copyOffset = copyOffset + 1;
  336. memcpy(probeRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
  337. copyOffset = copyOffset + taggedParams[i].len_data;
  338. }
  339. }
  340. memcpy(probeRespPacket + copyOffset, probeResp.fsc, probeResp.len_fsc);
  341. copyOffset = copyOffset + probeResp.len_fsc;
  342. //return packet
  343. return probeRespPacket;
  344. }
  345. //Creates Desassociation frame
  346. u_char *createDisAss(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
  347. {
  348. //fill in struct
  349. disAss dis = {
  350. 36, radioTapHeader, //RadioTap hdr
  351. 1, "\xC0", //Type (set to deAUTHentication instead, since some devices ignore the disassociation frame)
  352. 1, "\x00", //Flags
  353. 2, "\x3a\x01", //Duration
  354. 6, dstAddress, //DST addr
  355. 6, myMAC, //Source addr
  356. 6, myMAC, //BSS addr
  357. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  358. 2, "\x01\x00", //Reason code
  359. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  360. };
  361. //calculate size of final packet
  362. *packetSize = dis.len_radioTapHdr
  363. + dis.len_type
  364. + dis.len_flags
  365. + dis.len_duration
  366. + dis.len_destAddr
  367. + dis.len_sourceAddr
  368. + dis.len_bssAddr
  369. + dis.len_seqNr
  370. + dis.len_reasonCode
  371. + dis.len_fsc;
  372. //define packet
  373. u_char *disPacket = malloc(*packetSize);
  374. if(!disPacket)
  375. {
  376. printf("Memory allocation error!\n");
  377. exit(-1);
  378. }
  379. //copy all struct fields into packet
  380. int copyOffset = 0;
  381. memcpy(disPacket + copyOffset, dis.radioTapHdr, dis.len_radioTapHdr);
  382. copyOffset = copyOffset + dis.len_radioTapHdr;
  383. memcpy(disPacket + copyOffset, dis.type, dis.len_type);
  384. copyOffset = copyOffset + dis.len_type;
  385. memcpy(disPacket + copyOffset, dis.flags, dis.len_flags);
  386. copyOffset = copyOffset + dis.len_flags;
  387. memcpy(disPacket + copyOffset, dis.duration, dis.len_duration);
  388. copyOffset = copyOffset + dis.len_duration;
  389. memcpy(disPacket + copyOffset, dis.destAddr, dis.len_destAddr);
  390. copyOffset = copyOffset + dis.len_destAddr;
  391. memcpy(disPacket + copyOffset, dis.sourceAddr, dis.len_sourceAddr);
  392. copyOffset = copyOffset + dis.len_sourceAddr;
  393. memcpy(disPacket + copyOffset, dis.bssAddr, dis.len_bssAddr);
  394. copyOffset = copyOffset + dis.len_bssAddr;
  395. memcpy(disPacket + copyOffset, dis.seqNr, dis.len_seqNr);
  396. copyOffset = copyOffset + dis.len_seqNr;
  397. memcpy(disPacket + copyOffset, dis.reasonCode, dis.len_reasonCode);
  398. copyOffset = copyOffset + dis.len_reasonCode;
  399. memcpy(disPacket + copyOffset, dis.fsc, dis.len_fsc);
  400. copyOffset = copyOffset + dis.len_fsc;
  401. //return packet
  402. return disPacket;
  403. }