void read_tap(struct params *p) { char buf[4096]; char *ptr; int len = sizeof(buf); int offset; char src[6], dst[6]; struct ieee80211_frame *wh; int rd; ptr = buf; offset = sizeof(struct ieee80211_frame) + 8 - 14; if (p->wep_len) offset += 4; ptr += offset; len -= offset; /* read packet */ memset(buf, 0, sizeof(buf)); rd = read(p->tap, ptr, len); if (rd == -1) err(1, "read()"); /* 802.11 header */ wh = (struct ieee80211_frame*) buf; memcpy(dst, ptr, sizeof(dst)); memcpy(src, ptr+6, sizeof(src)); fill_basic(wh, p); memcpy(wh->i_addr3, src, sizeof(wh->i_addr3)); memcpy(wh->i_addr1, dst, sizeof(wh->i_addr1)); wh->i_fc[0] |= IEEE80211_FC0_TYPE_DATA; wh->i_fc[1] |= IEEE80211_FC1_DIR_FROMDS; if (p->wep_len) wh->i_fc[1] |= IEEE80211_FC1_PROTECTED; /* LLC & SNAP */ ptr = (char*) (wh+1); if (p->wep_len) ptr += 4; *ptr++ = 0xAA; *ptr++ = 0xAA; *ptr++ = 0x03; *ptr++ = 0x00; *ptr++ = 0x00; *ptr++ = 0x00; /* ether type overlaps w00t */ rd += offset; /* WEP */ if (p->wep_len) { ptr = (char*) (wh+1); memcpy(ptr, &p->wep_iv, 3); ptr[3] = 0; p->wep_iv++; wep_encrypt(wh, rd, p->wep_key, p->wep_len); rd += 4; /* ICV */ } send_frame(p, wh, rd); }
/*---------------------------------------------------------------- * p80211pb_ether_to_80211 * * Uses the contents of the ether frame and the etherconv setting * to build the elements of the 802.11 frame. * * We don't actually set * up the frame header here. That's the MAC's job. We're only handling * conversion of DIXII or 802.3+LLC frames to something that works * with 802.11. * * Note -- 802.11 header is NOT part of the skb. Likewise, the 802.11 * FCS is also not present and will need to be added elsewhere. * * Arguments: * ethconv Conversion type to perform * skb skbuff containing the ether frame * p80211_hdr 802.11 header * * Returns: * 0 on success, non-zero otherwise * * Call context: * May be called in interrupt or non-interrupt context ----------------------------------------------------------------*/ int skb_ether_to_p80211(wlandevice_t *wlandev, u32 ethconv, struct sk_buff *skb, union p80211_hdr *p80211_hdr, struct p80211_metawep *p80211_wep) { u16 fc; u16 proto; struct wlan_ethhdr e_hdr; struct wlan_llc *e_llc; struct wlan_snap *e_snap; int foo; memcpy(&e_hdr, skb->data, sizeof(e_hdr)); if (skb->len <= 0) { pr_debug("zero-length skb!\n"); return 1; } if (ethconv == WLAN_ETHCONV_ENCAP) { /* simplest case */ pr_debug("ENCAP len: %d\n", skb->len); /* here, we don't care what kind of ether frm. Just stick it */ /* in the 80211 payload */ /* which is to say, leave the skb alone. */ } else { /* step 1: classify ether frame, DIX or 802.3? */ proto = ntohs(e_hdr.type); if (proto <= 1500) { pr_debug("802.3 len: %d\n", skb->len); /* codes <= 1500 reserved for 802.3 lengths */ /* it's 802.3, pass ether payload unchanged, */ /* trim off ethernet header */ skb_pull(skb, WLAN_ETHHDR_LEN); /* leave off any PAD octets. */ skb_trim(skb, proto); } else { pr_debug("DIXII len: %d\n", skb->len); /* it's DIXII, time for some conversion */ /* trim off ethernet header */ skb_pull(skb, WLAN_ETHHDR_LEN); /* tack on SNAP */ e_snap = (struct wlan_snap *) skb_push(skb, sizeof(struct wlan_snap)); e_snap->type = htons(proto); if (ethconv == WLAN_ETHCONV_8021h && p80211_stt_findproto(proto)) { memcpy(e_snap->oui, oui_8021h, WLAN_IEEE_OUI_LEN); } else { memcpy(e_snap->oui, oui_rfc1042, WLAN_IEEE_OUI_LEN); } /* tack on llc */ e_llc = (struct wlan_llc *) skb_push(skb, sizeof(struct wlan_llc)); e_llc->dsap = 0xAA; /* SNAP, see IEEE 802 */ e_llc->ssap = 0xAA; e_llc->ctl = 0x03; } } /* Set up the 802.11 header */ /* It's a data frame */ fc = cpu_to_le16(WLAN_SET_FC_FTYPE(WLAN_FTYPE_DATA) | WLAN_SET_FC_FSTYPE(WLAN_FSTYPE_DATAONLY)); switch (wlandev->macmode) { case WLAN_MACMODE_IBSS_STA: memcpy(p80211_hdr->a3.a1, &e_hdr.daddr, ETH_ALEN); memcpy(p80211_hdr->a3.a2, wlandev->netdev->dev_addr, ETH_ALEN); memcpy(p80211_hdr->a3.a3, wlandev->bssid, ETH_ALEN); break; case WLAN_MACMODE_ESS_STA: fc |= cpu_to_le16(WLAN_SET_FC_TODS(1)); memcpy(p80211_hdr->a3.a1, wlandev->bssid, ETH_ALEN); memcpy(p80211_hdr->a3.a2, wlandev->netdev->dev_addr, ETH_ALEN); memcpy(p80211_hdr->a3.a3, &e_hdr.daddr, ETH_ALEN); break; case WLAN_MACMODE_ESS_AP: fc |= cpu_to_le16(WLAN_SET_FC_FROMDS(1)); memcpy(p80211_hdr->a3.a1, &e_hdr.daddr, ETH_ALEN); memcpy(p80211_hdr->a3.a2, wlandev->bssid, ETH_ALEN); memcpy(p80211_hdr->a3.a3, &e_hdr.saddr, ETH_ALEN); break; default: // printk(KERN_ERR ; return 1; break; } p80211_wep->data = NULL; if ((wlandev->hostwep & HOSTWEP_PRIVACYINVOKED) && (wlandev->hostwep & HOSTWEP_ENCRYPT)) { /* XXXX need to pick keynum other than default? */ p80211_wep->data = kmalloc(skb->len, GFP_ATOMIC); foo = wep_encrypt(wlandev, skb->data, p80211_wep->data, skb->len, (wlandev->hostwep & HOSTWEP_DEFAULTKEY_MASK), p80211_wep->iv, p80211_wep->icv); if (foo) { // printk(KERN_WARNING // "Host en-WEP failed, dropping frame (%d).\n", ; return 2; } fc |= cpu_to_le16(WLAN_SET_FC_ISWEP(1)); } /* skb->nh.raw = skb->data; */ p80211_hdr->a3.fc = fc; p80211_hdr->a3.dur = 0; p80211_hdr->a3.seq = 0; return 0; }
/** * Function to inject TCP packets to the wireless interface. Requires headers * from a TO_DS packet for use in crafting the FROM_DS response. */ void inject_tcp(airpwn_ctx *ctx, ieee80211_hdr *w_hdr, struct iphdr *ip_hdr, struct tcphdr *tcp_hdr, uint8_t *wepkey, uint32_t keylen, char *content, uint32_t contentlen, uint8_t tcpflags, uint32_t *seqnum) { // libnet wants the data in host-byte-order u_int ack = ntohl(tcp_hdr->seq) + ( ntohs(ip_hdr->tot_len) - ip_hdr->ihl * 4 - tcp_hdr->doff * 4 ); ctx->tcp_t = libnet_build_tcp( ntohs(tcp_hdr->dest), // source port ntohs(tcp_hdr->source), // dest port *seqnum, // sequence number ack, // ack number tcpflags, // flags 0xffff, // window size 0, // checksum 0, // urg ptr 20 + contentlen, // total length of the TCP packet (uint8_t*)content, // response contentlen, // response_length ctx->lnet, // libnet_t pointer ctx->tcp_t // ptag ); if(ctx->tcp_t == -1){ printf("libnet_build_tcp returns error: %s\n", libnet_geterror(ctx->lnet)); return; } ctx->ip_t = libnet_build_ipv4( 40 + contentlen, // length 0, // TOS bits 1, // IPID (need to calculate) 0, // fragmentation 0xff, // TTL 6, // protocol 0, // checksum ip_hdr->daddr, // source address ip_hdr->saddr, // dest address NULL, // response 0, // response length ctx->lnet, // libnet_t pointer ctx->ip_t // ptag ); if(ctx->ip_t == -1){ printf("libnet_build_ipv4 returns error: %s\n", libnet_geterror(ctx->lnet)); return; } // copy the libnet packets to to a buffer to send raw.. unsigned char packet_buff[0x10000]; memcpy(packet_buff, w_hdr, IEEE80211_HDR_LEN); ieee80211_hdr *n_w_hdr = (ieee80211_hdr *)packet_buff; // set the FROM_DS flag and swap MAC addresses n_w_hdr->flags = IEEE80211_FROM_DS; if(wepkey) n_w_hdr->flags |= IEEE80211_WEP_FLAG; n_w_hdr->llc.type = LLC_TYPE_IP; uint8_t tmp_addr[6]; memcpy(tmp_addr, n_w_hdr->addr1, 6); memcpy(n_w_hdr->addr1, n_w_hdr->addr2, 6); memcpy(n_w_hdr->addr2, tmp_addr, 6); u_int32_t packet_len; u_int8_t *lnet_packet_buf; // cull_packet will dump the packet (with correct checksums) into a // buffer for us to send via the raw socket if(libnet_adv_cull_packet(ctx->lnet, &lnet_packet_buf, &packet_len) == -1){ printf("libnet_adv_cull_packet returns error: %s\n", libnet_geterror(ctx->lnet)); return; } memcpy(packet_buff + IEEE80211_HDR_LEN, lnet_packet_buf, packet_len); libnet_adv_free_packet(ctx->lnet, lnet_packet_buf); // total packet length int len = IEEE80211_HDR_LEN + 40 + contentlen; if(wepkey){ uint8_t tmpbuf[0x10000]; /* encryption starts after the 802.11 header, but the LLC header * gets encrypted. */ memcpy(tmpbuf, packet_buff+IEEE80211_HDR_LEN_NO_LLC, len-IEEE80211_HDR_LEN_NO_LLC); len = wep_encrypt(tmpbuf, packet_buff+IEEE80211_HDR_LEN_NO_LLC, len-IEEE80211_HDR_LEN_NO_LLC, wepkey, keylen); if(len <= 0){ fprintf(stderr, "Error performing WEP encryption!\n"); return; } else len += IEEE80211_HDR_LEN_NO_LLC; } /* Establish lorcon packet transmission structure */ ctx->in_packet.packet = packet_buff; ctx->in_packet.plen = len; /* Send the packet */ if (tx80211_txpacket(&ctx->inject_tx, &ctx->in_packet) < 0) { fprintf(stderr, "Unable to transmit packet."); perror("tx80211_txpacket"); return; } *seqnum += contentlen; //advance the sequence number printlog(ctx, 2, "wrote %d bytes to the wire(less)\n", len); }