frameCreator.c 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403
  1. /*
  2. Creates frames.
  3. */
  4. #include <stdio.h>
  5. #include <stdlib.h>
  6. #include <stdint.h>
  7. #include <string.h>
  8. #include "frameCreator.h"
  9. #include "fuzzer.h"
  10. #include "frameDefinitions.h"
  11. #include "fuzzSSID.h"
  12. #include "fuzzRates.h"
  13. #include "fuzzFH.h"
  14. #include "fuzzDS.h"
  15. #include "fuzzCF.h"
  16. #include "fuzzTIM.h"
  17. #include "fuzzIBSS.h"
  18. #include "fuzzCOUNTRY.h"
  19. #include "fuzzHOPPARM.h"
  20. #include "fuzzHOPTABLE.h"
  21. #include "fuzzREQUEST.h"
  22. #include "fuzzERP.h"
  23. #include "fuzzEXTRATES.h"
  24. #include "fuzzHTCAPAB.h"
  25. #include "fuzzHTINFO.h"
  26. #include "fuzzAPREPORT.h"
  27. #include "fuzzEXTCAPAB.h"
  28. #include "fuzzBSSLOAD.h"
  29. #include "fuzzRSN.h"
  30. #include "fuzzVENDOR.h"
  31. #include "fuzzProbeResponse.h"
  32. //CHANGE WHEN NEW SUBFUZZER
  33. //Creates Authentication frame
  34. u_char *createAuthResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
  35. {
  36. //fill in struct
  37. authResponse authResp = {
  38. 36, radioTapHeader, //RadioTap hdr
  39. 1, "\xb0", //Type
  40. 1, "\x00", //Subtype
  41. 2, "\x3a\x01", //Duration
  42. 6, dstAddress, //DST addr
  43. 6, myMAC, //Source addr
  44. 6, myMAC, //BSS addr
  45. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  46. 2, "\x00\x00", //Auth alg
  47. 2, "\x02\x00", //Auth seq
  48. 2, "\x00\x00", //Status code
  49. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  50. };
  51. //calculate size of final packet
  52. *packetSize = authResp.len_radioTapHdr
  53. + authResp.len_type
  54. + authResp.len_flags
  55. + authResp.len_duration
  56. + authResp.len_destAddr
  57. + authResp.len_sourceAddr
  58. + authResp.len_bssAddr
  59. + authResp.len_seqNr
  60. + authResp.len_authAlg
  61. + authResp.len_authSeq
  62. + authResp.len_status
  63. + authResp.len_fsc;
  64. //define packet
  65. u_char *authRespPacket = malloc(*packetSize);
  66. if(!authRespPacket)
  67. {
  68. printf("Memory allocation error!\n");
  69. exit(-1);
  70. }
  71. //copy all struct fields into packet
  72. int copyOffset = 0;
  73. memcpy(authRespPacket + copyOffset, authResp.radioTapHdr, authResp.len_radioTapHdr);
  74. copyOffset = copyOffset + authResp.len_radioTapHdr;
  75. memcpy(authRespPacket + copyOffset, authResp.type, authResp.len_type);
  76. copyOffset = copyOffset + authResp.len_type;
  77. memcpy(authRespPacket + copyOffset, authResp.flags, authResp.len_flags);
  78. copyOffset = copyOffset + authResp.len_flags;
  79. memcpy(authRespPacket + copyOffset, authResp.duration, authResp.len_duration);
  80. copyOffset = copyOffset + authResp.len_duration;
  81. memcpy(authRespPacket + copyOffset, authResp.destAddr, authResp.len_destAddr);
  82. copyOffset = copyOffset + authResp.len_destAddr;
  83. memcpy(authRespPacket + copyOffset, authResp.sourceAddr, authResp.len_sourceAddr);
  84. copyOffset = copyOffset + authResp.len_sourceAddr;
  85. memcpy(authRespPacket + copyOffset, authResp.bssAddr, authResp.len_bssAddr);
  86. copyOffset = copyOffset + authResp.len_bssAddr;
  87. memcpy(authRespPacket + copyOffset, authResp.seqNr, authResp.len_seqNr);
  88. copyOffset = copyOffset + authResp.len_seqNr;
  89. memcpy(authRespPacket + copyOffset, authResp.authAlg, authResp.len_authAlg);
  90. copyOffset = copyOffset + authResp.len_authAlg;
  91. memcpy(authRespPacket + copyOffset, authResp.authSeq, authResp.len_authSeq);
  92. copyOffset = copyOffset + authResp.len_authSeq;
  93. memcpy(authRespPacket + copyOffset, authResp.status, authResp.len_status);
  94. copyOffset = copyOffset + authResp.len_status;
  95. memcpy(authRespPacket + copyOffset, authResp.fsc, authResp.len_fsc);
  96. copyOffset = copyOffset + authResp.len_fsc;
  97. //send packet
  98. return authRespPacket;
  99. }
  100. //Creates Association response
  101. u_char *createAssResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
  102. {
  103. #define numberOfAssInfoElems (1) //number of information elements
  104. //definition of all info elements
  105. infoElem suppRates = {
  106. 1, //id
  107. 8, //len
  108. 8, //real lenght of data
  109. "\x82\x84\x8b\x96\x0c\x12\x18\x24" //data
  110. };
  111. //create array of information elements
  112. infoElem taggedParams[numberOfAssInfoElems] = {suppRates};
  113. //length of all info elements, including id and len field
  114. int len_taggedParams = 0;
  115. for(int i = 0; i < numberOfAssInfoElems; i++)
  116. {
  117. if (taggedParams[i].len_data != -1) //do not include if len_data == -1
  118. {
  119. //+2 to include id and len field size
  120. len_taggedParams = len_taggedParams + taggedParams[i].len_data+2;
  121. }
  122. }
  123. //fill in struct
  124. assResponse assResp = {
  125. 36, radioTapHeader, //RadioTap hdr
  126. 1, "\x10", //Type
  127. 1, "\x00", //Flags
  128. 2, "\x40\x01", //Duration
  129. 6, dstAddress, //DST addr
  130. 6, myMAC, //Source addr
  131. 6, myMAC, //BSS addr
  132. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  133. 2, "\x01\x00", //Capab info
  134. 2, "\x00\x00", //Status code
  135. 2, "\x01\xc0", //Association id
  136. len_taggedParams,
  137. taggedParams, //Information elements
  138. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  139. };
  140. //calculate size of final packet
  141. *packetSize = assResp.len_radioTapHdr
  142. + assResp.len_type
  143. + assResp.len_flags
  144. + assResp.len_duration
  145. + assResp.len_destAddr
  146. + assResp.len_sourceAddr
  147. + assResp.len_bssAddr
  148. + assResp.len_seqNr
  149. + assResp.len_capabInfo
  150. + assResp.len_status
  151. + assResp.len_assId
  152. + assResp.len_taggedParams
  153. + assResp.len_fsc;
  154. //define packet
  155. u_char *assRespPacket = malloc(*packetSize);
  156. if(!assRespPacket)
  157. {
  158. printf("Memory allocation error!\n");
  159. exit(-1);
  160. }
  161. //copy all struct fields into packet
  162. int copyOffset = 0;
  163. memcpy(assRespPacket + copyOffset, assResp.radioTapHdr, assResp.len_radioTapHdr);
  164. copyOffset = copyOffset + assResp.len_radioTapHdr;
  165. memcpy(assRespPacket + copyOffset, assResp.type, assResp.len_type);
  166. copyOffset = copyOffset + assResp.len_type;
  167. memcpy(assRespPacket + copyOffset, assResp.flags, assResp.len_flags);
  168. copyOffset = copyOffset + assResp.len_flags;
  169. memcpy(assRespPacket + copyOffset, assResp.duration, assResp.len_duration);
  170. copyOffset = copyOffset + assResp.len_duration;
  171. memcpy(assRespPacket + copyOffset, assResp.destAddr, assResp.len_destAddr);
  172. copyOffset = copyOffset + assResp.len_destAddr;
  173. memcpy(assRespPacket + copyOffset, assResp.sourceAddr, assResp.len_sourceAddr);
  174. copyOffset = copyOffset + assResp.len_sourceAddr;
  175. memcpy(assRespPacket + copyOffset, assResp.bssAddr, assResp.len_bssAddr);
  176. copyOffset = copyOffset + assResp.len_bssAddr;
  177. memcpy(assRespPacket + copyOffset, assResp.seqNr, assResp.len_seqNr);
  178. copyOffset = copyOffset + assResp.len_seqNr;
  179. memcpy(assRespPacket + copyOffset, assResp.capabInfo, assResp.len_capabInfo);
  180. copyOffset = copyOffset + assResp.len_capabInfo;
  181. memcpy(assRespPacket + copyOffset, assResp.status, assResp.len_status);
  182. copyOffset = copyOffset + assResp.len_status;
  183. memcpy(assRespPacket + copyOffset, assResp.assId, assResp.len_assId);
  184. copyOffset = copyOffset + assResp.len_assId;
  185. //copy all information elements
  186. for(int i = 0; i < numberOfAssInfoElems; i++)
  187. {
  188. if (taggedParams[i].len_data != -1) //if id == -1, we do not want to include the information element
  189. {
  190. memcpy(assRespPacket + copyOffset, &taggedParams[i].id, 1);
  191. copyOffset = copyOffset + 1;
  192. memcpy(assRespPacket + copyOffset, &taggedParams[i].len, 1);
  193. copyOffset = copyOffset + 1;
  194. memcpy(assRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
  195. copyOffset = copyOffset + taggedParams[i].len_data;
  196. }
  197. }
  198. memcpy(assRespPacket + copyOffset, assResp.fsc, assResp.len_fsc);
  199. copyOffset = copyOffset + assResp.len_fsc;
  200. //send packet
  201. return assRespPacket;
  202. }
  203. //Creates Probe response frame
  204. u_char *createProbeResponse(u_char *dstAddress, int *packetSize, u_char * radioTapHeader, u_char *myMAC)
  205. {
  206. //when done with all subfuzzers, we want to return frames from the generic fuzzer
  207. if (getNotifyDone() != 0)
  208. return PrbRespFuzz(dstAddress, packetSize, radioTapHeader, myMAC);
  209. //CHANGE WHEN NEW SUBFUZZER
  210. #define numberOfProbeInfoElems (20) //number of information elements
  211. //definition of all info elements
  212. //CHANGE WHEN NEW SUBFUZZER
  213. infoElem ssid = ssidFuzz();
  214. infoElem suppRates = ratesFuzz();
  215. infoElem fh = fhFuzz();
  216. infoElem ds = dsFuzz();
  217. infoElem cf = cfFuzz();
  218. infoElem tim = timFuzz();
  219. infoElem ibss = ibssFuzz();
  220. infoElem country = countryFuzz();
  221. infoElem hopparm = hopparmFuzz();
  222. infoElem hoptable = hoptableFuzz();
  223. infoElem request = requestFuzz();
  224. infoElem erp = erpFuzz();
  225. infoElem extrates = extratesFuzz();
  226. infoElem htcapab = htcapabFuzz();
  227. infoElem htinfo = htinfoFuzz();
  228. infoElem apreport = apreportFuzz();
  229. infoElem extcapab = extcapabFuzz();
  230. infoElem bssload = bssloadFuzz();
  231. infoElem rsn = rsnFuzz();
  232. infoElem vendor = vendorFuzz();
  233. //CHANGE WHEN NEW SUBFUZZER
  234. //create array of information elements
  235. infoElem taggedParams[numberOfProbeInfoElems] = {ssid, suppRates, fh, ds, cf,
  236. tim, ibss, country, hopparm, hoptable, request, erp, extrates, htcapab,
  237. htinfo, apreport, extcapab, bssload, rsn, vendor};
  238. //length of all info elements, including id and len field
  239. int len_taggedParams = 0;
  240. for(int i = 0; i < numberOfProbeInfoElems; i++)
  241. {
  242. if (taggedParams[i].len_data != -1) //do not include when len_data == -1
  243. {
  244. //+2 to include id and len field size
  245. len_taggedParams = len_taggedParams + taggedParams[i].len_data+2;
  246. }
  247. }
  248. //fill in struct
  249. probeResponse probeResp = {
  250. 36, radioTapHeader, //RadioTap hdr
  251. 1, "\x50", //Type
  252. 1, "\x00", //Flags
  253. 2, "\x3a\x01", //Duration
  254. 6, dstAddress, //DST addr
  255. 6, myMAC, //Source addr
  256. 6, myMAC, //BSS addr
  257. 2, "\x00\x00", //Seq nr (overwritten by firmware)
  258. 8, "\x00\x00\x00\x00\x00\x00\x00\x00", //Timestamp (overwritten by firmware)
  259. 2, "\x64\x00", //Beacon interval
  260. 2, "\x01\x00", //Capab info
  261. len_taggedParams,
  262. taggedParams, //Information elements
  263. 4, "\x00\x00\x00\x00" //FSC (overwritten by firmware)
  264. };
  265. //calculate size of final packet
  266. *packetSize = probeResp.len_radioTapHdr
  267. + probeResp.len_type
  268. + probeResp.len_flags
  269. + probeResp.len_duration
  270. + probeResp.len_destAddr
  271. + probeResp.len_sourceAddr
  272. + probeResp.len_bssAddr
  273. + probeResp.len_seqNr
  274. + probeResp.len_timeStamp
  275. + probeResp.len_beaconInterval
  276. + probeResp.len_capabInfo
  277. + probeResp.len_taggedParams
  278. + probeResp.len_fsc;
  279. //define packet
  280. u_char *probeRespPacket = malloc(*packetSize);
  281. if(!probeRespPacket)
  282. {
  283. printf("Memory allocation error!\n");
  284. exit(-1);
  285. }
  286. //copy all struct fields into packet
  287. int copyOffset = 0;
  288. memcpy(probeRespPacket + copyOffset, probeResp.radioTapHdr, probeResp.len_radioTapHdr);
  289. copyOffset = copyOffset + probeResp.len_radioTapHdr;
  290. memcpy(probeRespPacket + copyOffset, probeResp.type, probeResp.len_type);
  291. copyOffset = copyOffset + probeResp.len_type;
  292. memcpy(probeRespPacket + copyOffset, probeResp.flags, probeResp.len_flags);
  293. copyOffset = copyOffset + probeResp.len_flags;
  294. memcpy(probeRespPacket + copyOffset, probeResp.duration, probeResp.len_duration);
  295. copyOffset = copyOffset + probeResp.len_duration;
  296. memcpy(probeRespPacket + copyOffset, probeResp.destAddr, probeResp.len_destAddr);
  297. copyOffset = copyOffset + probeResp.len_destAddr;
  298. memcpy(probeRespPacket + copyOffset, probeResp.sourceAddr, probeResp.len_sourceAddr);
  299. copyOffset = copyOffset + probeResp.len_sourceAddr;
  300. memcpy(probeRespPacket + copyOffset, probeResp.bssAddr, probeResp.len_bssAddr);
  301. copyOffset = copyOffset + probeResp.len_bssAddr;
  302. memcpy(probeRespPacket + copyOffset, probeResp.seqNr, probeResp.len_seqNr);
  303. copyOffset = copyOffset + probeResp.len_seqNr;
  304. memcpy(probeRespPacket + copyOffset, probeResp.timeStamp, probeResp.len_timeStamp);
  305. copyOffset = copyOffset + probeResp.len_timeStamp;
  306. memcpy(probeRespPacket + copyOffset, probeResp.beaconInterval, probeResp.len_beaconInterval);
  307. copyOffset = copyOffset + probeResp.len_beaconInterval;
  308. memcpy(probeRespPacket + copyOffset, probeResp.capabInfo, probeResp.len_capabInfo);
  309. copyOffset = copyOffset + probeResp.len_capabInfo;
  310. //copy all information elements
  311. for(int i = 0; i < numberOfProbeInfoElems; i++)
  312. {
  313. if (taggedParams[i].len_data != -1) //if id == -1, we do not want to include the information element
  314. {
  315. memcpy(probeRespPacket + copyOffset, &taggedParams[i].id, 1);
  316. copyOffset = copyOffset + 1;
  317. memcpy(probeRespPacket + copyOffset, &taggedParams[i].len, 1);
  318. copyOffset = copyOffset + 1;
  319. memcpy(probeRespPacket + copyOffset, taggedParams[i].data, taggedParams[i].len_data);
  320. copyOffset = copyOffset + taggedParams[i].len_data;
  321. }
  322. }
  323. memcpy(probeRespPacket + copyOffset, probeResp.fsc, probeResp.len_fsc);
  324. copyOffset = copyOffset + probeResp.len_fsc;
  325. //return packet
  326. return probeRespPacket;
  327. }