Closed GoogleCodeExporter closed 9 years ago
Dec 29 16:32:21 fedora kernel: [1446351.705655] reaver[27494]: segfault at 48
ip 0000000000411206 sp 00007fff3d4b5960 error 4 in reaver[400000+3d000]
Original comment by Tommyn...@gmail.com
on 29 Dec 2011 at 3:33
This is probably related to issue #6...what wireless card and driver are you
using?
Original comment by cheff...@tacnetsol.com
on 29 Dec 2011 at 3:39
awus036h - rtl8187
Original comment by Tommyn...@gmail.com
on 29 Dec 2011 at 3:42
Can you provide a core dump or valgrind log?
Original comment by cheff...@tacnetsol.com
on 29 Dec 2011 at 3:45
Same issue with Atheros 9285 useing ath9k driver
Original comment by shadow...@gmail.com
on 29 Dec 2011 at 3:52
Just checked in some code that may be a fix for this. Can anyone check out the
latest SVN code and see if the bug still exists?
Original comment by cheff...@tacnetsol.com
on 29 Dec 2011 at 3:56
I am also have this issue using ALFA AWUS036H(rtl8187). I'm assuming it's
crashing because sometimes no output is displayed, indicating that the attempt
was unsuccessful.
Original comment by rtstanif...@gmail.com
on 29 Dec 2011 at 3:59
after one pIN in 1.1 ver
root@bt:/opt/wpa/reaver-1.1/src# reaver -i mon1 -b 00:1C:DF:99:EC:B4 -vv
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Waiting for beacon from 00:1C:DF:99:EC:B4
[+] Switching mon1 to channel 1
[+] Associated with 00:1C:DF:99:EC:B4 (ESSID: belkin54g)
[+] Trying pin 64816807
Segmentation fault
Original comment by stoneman...@gmail.com
on 29 Dec 2011 at 4:01
valgrind --track-origins=yes ./reaver -i mon0 -b 00:1C:F0:C2:BF:27 -vv
==29147== Memcheck, a memory error detector
==29147== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==29147== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==29147== Command: ./reaver -i mon0 -b 00:1C:F0:C2:BF:27 -vv
==29147==
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Waiting for beacon from 00:1C:F0:C4:BF:26
[+] Switching mon0 to channel 10
[+] Associated with 00:1C:F0:C4:BF:26 (ESSID: Test)
==29147== Conditional jump or move depends on uninitialised value(s)
==29147== at 0x4071C5: get_wps_data_element (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x406C97: parse_wps_tag (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x406B69: parse_wps_parameters (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x403578: is_wps_locked (80211.c:133)
==29147== by 0x404BD7: crack (cracker.c:105)
==29147== by 0x402460: main (wpscrack.c:80)
==29147== Uninitialised value was created by a stack allocation
==29147== at 0x406B72: parse_wps_tag (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147==
==29147== Invalid read of size 4
==29147== at 0x410F52: wps_registrar_init (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x406077: initialize_wps_data (init.c:56)
==29147== by 0x404BE2: crack (cracker.c:117)
==29147== by 0x402460: main (wpscrack.c:80)
==29147== Address 0x4d1dfe4 is 0 bytes after a block of size 84 alloc'd
==29147== at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147== by 0x40600E: initialize_wps_data (init.c:32)
==29147== by 0x404BE2: crack (cracker.c:117)
==29147== by 0x402460: main (wpscrack.c:80)
==29147==
==29147== Invalid read of size 8
==29147== at 0x40F38E: wps_init (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x406099: initialize_wps_data (init.c:68)
==29147== by 0x404BE2: crack (cracker.c:117)
==29147== by 0x402460: main (wpscrack.c:80)
==29147== Address 0x4d1df48 is 56 bytes inside a block of size 60 alloc'd
==29147== at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147== by 0x405FE1: initialize_wps_data (init.c:24)
==29147== by 0x404BE2: crack (cracker.c:117)
==29147== by 0x402460: main (wpscrack.c:80)
==29147==
==29147== Invalid read of size 4
==29147== at 0x40F3C2: wps_init (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x406099: initialize_wps_data (init.c:68)
==29147== by 0x404BE2: crack (cracker.c:117)
==29147== by 0x402460: main (wpscrack.c:80)
==29147== Address 0x4d1df50 is 4 bytes after a block of size 60 alloc'd
==29147== at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==29147== by 0x405FE1: initialize_wps_data (init.c:24)
==29147== by 0x404BE2: crack (cracker.c:117)
==29147== by 0x402460: main (wpscrack.c:80)
==29147==
[+] Trying pin 27176948
==29147== Invalid read of size 8
==29147== at 0x411368: wps_registrar_get_pin (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x4121C6: wps_get_dev_password (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x413E29: wps_registrar_get_msg (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x406718: send_msg (send.c:80)
==29147== by 0x405384: do_wps_exchange (exchange.c:66)
==29147== by 0x404CC6: crack (cracker.c:160)
==29147== by 0x402460: main (wpscrack.c:80)
==29147== Address 0x48 is not stack'd, malloc'd or (recently) free'd
==29147==
==29147==
==29147== Process terminating with default action of signal 11 (SIGSEGV)
==29147== Access not within mapped region at address 0x48
==29147== at 0x411368: wps_registrar_get_pin (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x4121C6: wps_get_dev_password (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x413E29: wps_registrar_get_msg (in
/opt/reaver/reaver-wps-read-only/src/reaver)
==29147== by 0x406718: send_msg (send.c:80)
==29147== by 0x405384: do_wps_exchange (exchange.c:66)
==29147== by 0x404CC6: crack (cracker.c:160)
==29147== by 0x402460: main (wpscrack.c:80)
==29147== If you believe this happened as a result of a stack
==29147== overflow in your program's main thread (unlikely but
==29147== possible), you can try to increase the size of the
==29147== main thread stack using the --main-stacksize= flag.
==29147== The main thread stack size used in this run was 8388608.
==29147==
==29147== HEAP SUMMARY:
==29147== in use at exit: 155,143 bytes in 11,025 blocks
==29147== total heap usage: 11,085 allocs, 60 frees, 157,789 bytes allocated
==29147==
==29147== LEAK SUMMARY:
==29147== definitely lost: 54,915 bytes in 11,007 blocks
==29147== indirectly lost: 10,322 bytes in 6 blocks
==29147== possibly lost: 0 bytes in 0 blocks
==29147== still reachable: 89,906 bytes in 12 blocks
==29147== suppressed: 0 bytes in 0 blocks
==29147== Rerun with --leak-check=full to see details of leaked memory
==29147==
==29147== For counts of detected and suppressed errors, rerun with: -v
==29147== ERROR SUMMARY: 18 errors from 5 contexts (suppressed: 2 from 2)
Segmentation fault (core dumped)
Original comment by Tommyn...@gmail.com
on 29 Dec 2011 at 4:07
Tried revision 12, problem still arising.
Original comment by rtstanif...@gmail.com
on 29 Dec 2011 at 4:11
Looks like there are some unhandled NULL pointer exceptions. Added null checks
to the latest check in, try now.
Original comment by cheff...@tacnetsol.com
on 29 Dec 2011 at 4:12
Just tried revision 14. Sometimes it gives "[!] WARNING: Receive timeout
occurred" and sometimes it exits with nothing.
Original comment by rtstanif...@gmail.com
on 29 Dec 2011 at 4:15
just tried revision 14 tries 1 pin and segfaults
Original comment by shadow...@gmail.com
on 29 Dec 2011 at 4:19
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous
message
[+] Trying pin 97035473
[!] WARNING: Last message not processed properly, reverting state to previous
message
[+] Trying pin 97035473
revision 15
Original comment by shadow...@gmail.com
on 29 Dec 2011 at 4:34
as of revision 16 the segfault is cleared..
i am trying with some SSID but what is get is...
[+] Waiting for beacon from 74:EA:3A:D5:E3:3A
[+] Switching mon0 to channel 1
[+] Associated with 74:EA:3A:D5:E3:3A (ESSID: Gecevi)
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] 0.00% complete @ 0 seconds/attempt
[+] Trying pin 71951249
[!] WARNING: Receive timeout occurred
[+] Trying pin 71951249
[+] Trying pin 71951249
Original comment by ianc...@gmail.com
on 30 Dec 2011 at 9:41
but again nothing happens..
/reaver -i mon0 -b 74:EA:3A:B9:E3:B0 -vv
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Waiting for beacon from 74:EA:3A:B9:E3:B0
[+] Switching mon0 to channel 11
[+] Associated with 74:EA:3A:B9:E3:B0 (ESSID: RADDY)
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
[!] WARNING: Receive timeout occurred
[!] WARNING: Receive timeout occurred
[+] Trying pin 04781530
^C
Original comment by ianc...@gmail.com
on 30 Dec 2011 at 9:44
I am also getting the same output as comment 15 and 16.
Original comment by rtstanif...@gmail.com
on 30 Dec 2011 at 9:51
Actually the svn 16 again core dumped..
My first try was with Backtrack 5 on x64bit and it does not segfault but was
only trying same PIn..
However on x64 Fedora 16 svn 16
i got:
/reaver -i mon0 -b 70:71:BC:26:EE:C0 -vv
Reaver v1.1 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
<cheffner@tacnetsol.com>
[+] Waiting for beacon from 70:71:BC:26:EE:C0
[+] Switching mon0 to channel 2
[+] Switching mon0 to channel 3
[+] Switching mon0 to channel 1
[+] Associated with 70:71:BC:26:EE:C0 (ESSID: fe5f4c)
[+] Trying pin 98850471
Segmentation fault (core dumped)
Original comment by ianc...@gmail.com
on 30 Dec 2011 at 10:29
DMESG:
[ 1862.958153] reaver[5202] general protection ip:40f3df sp:7fff32cc7ca0
error:0 in reaver[400000+3d000]
Original comment by ianc...@gmail.com
on 30 Dec 2011 at 10:30
after
debuginfo-install glibc-2.14.90-21.x86_64 libpcap-1.1.1-4.fc16.x86_64
(gdb) backtrace
#0 0x000000000040f3df in wps_init ()
#1 0x00000000004060a1 in initialize_wps_data () at init.c:72
#2 0x0000000000404be3 in crack () at cracker.c:117
#3 0x0000000000402461 in main (argc=6, argv=<optimized out>) at wpscrack.c:80
Original comment by ianc...@gmail.com
on 30 Dec 2011 at 10:49
[deleted comment]
The latest code (r20) seems to have fixed these issues. Please check out the
lastet code and verify.
Original comment by cheff...@tacnetsol.com
on 30 Dec 2011 at 2:43
Issues 5 & 6 are the same; more comments have been happening on issue #6, so
rolling this into #6.
Original comment by cheff...@tacnetsol.com
on 30 Dec 2011 at 4:23
Original issue reported on code.google.com by
Tommyn...@gmail.com
on 29 Dec 2011 at 3:30