Percy233 / PPPoE_Simulator-for-RM2100-exploit


TypeError: object of type 'NoneType' has no len() #2

Open THKDev opened 3 years ago

THKDev commented 3 years ago

Using this script with python 3.8.3 and python3-scapy 2.4.3 on Fedora 32. When the MiWifi Ac2100 router sends discovery, the script crashes. I don't know where to search for the reason or how to fix it. Maybe somebody can give me a hint.

Waiting for packets
Client->Server   |   Discovery Initiation
Server->Client   |   Discovery Offer
Traceback (most recent call last):
  File "PPPoE_Simulator.py", line 183, in <module>
    sniff(prn=packet_callback, filter="pppoed or pppoes", lfilter=isNotOutgoing)
  File "/usr/lib/python3.8/site-packages/scapy/sendrecv.py", line 972, in sniff
    sniffer._run(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/scapy/sendrecv.py", line 925, in _run
    session.on_packet_received(p)
  File "/usr/lib/python3.8/site-packages/scapy/sessions.py", line 47, in on_packet_received
    result = self.prn(pkt)
  File "PPPoE_Simulator.py", line 68, in packet_callback
    sendp(eth_discovery /
  File "/usr/lib/python3.8/site-packages/scapy/sendrecv.py", line 336, in sendp
    results = __gen_send(socket, x, inter=inter, loop=loop,
  File "/usr/lib/python3.8/site-packages/scapy/sendrecv.py", line 291, in __gen_send
    s.send(p)
  File "/usr/lib/python3.8/site-packages/scapy/arch/linux.py", line 559, in send
    return SuperSocket.send(self, x)
  File "/usr/lib/python3.8/site-packages/scapy/supersocket.py", line 48, in send
    sx = raw(x)
  File "/usr/lib/python3.8/site-packages/scapy/compat.py", line 52, in raw
    return bytes(x)
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 487, in __bytes__
    return self.build()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 607, in build
    p = self.do_build()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 592, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 579, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 592, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 579, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 592, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 579, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 592, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 579, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 592, in do_build
    pay = self.do_build_payload()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 579, in do_build_payload
    return self.payload.do_build()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 589, in do_build
    pkt = self.self_build()
  File "/usr/lib/python3.8/site-packages/scapy/packet.py", line 570, in self_build
    p = f.addfield(self, p, val)
  File "/usr/lib/python3.8/site-packages/scapy/fields.py", line 140, in addfield
    return s + struct.pack(self.fmt, self.i2m(pkt, val))
  File "/usr/lib/python3.8/site-packages/scapy/fields.py", line 1380, in i2m
    f = fld.i2len(pkt, fval)
  File "/usr/lib/python3.8/site-packages/scapy/fields.py", line 938, in i2len
    return len(x)
TypeError: object of type 'NoneType' has no len()

THKDev commented 3 years ago

The problem is that the MiWifi router does NOT send a Host_Uniq tag. So the value of the variable host_uniq stays as "None". The fix is to add the following code before sendp is called:

            if host_uniq is None:
                host_uniq = ""

With this fix the exploit is possible.

tiszus commented 3 years ago

Thank you.
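
The missing-tag case discussed in this thread, as an added example that is not code from the repository or from any commenter: a scapy-free parser for the PPPoE discovery tag list (RFC 2516 TLVs) that builds the offer's tags and echoes Host-Uniq only when the client sent one. Unlike the fix above, it omits the tag rather than sending an empty one; the function names, the `example-ac` AC-Name and the sample payloads are constructed for illustration.

```python
import struct

# PPPoE discovery tag types defined in RFC 2516
END_OF_LIST, SERVICE_NAME, AC_NAME, HOST_UNIQ = 0x0000, 0x0101, 0x0102, 0x0103


def parse_tags(payload: bytes) -> dict:
    """Parse a discovery payload (type:2, length:2, value) into {type: value}."""
    tags, off = {}, 0
    while off + 4 <= len(payload):
        tag_type, tag_len = struct.unpack_from("!HH", payload, off)
        off += 4
        if tag_type == END_OF_LIST:
            break
        if off + tag_len > len(payload):
            raise ValueError("tag length runs past end of payload")
        tags.setdefault(tag_type, payload[off:off + tag_len])  # keep first copy
        off += tag_len
    return tags


def build_tag(tag_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tag_type, len(value)) + value


def build_offer_tags(padi_payload: bytes, ac_name: bytes = b"example-ac") -> bytes:
    """Tags for a PADO answering the given PADI payload (hypothetical helper)."""
    tags = parse_tags(padi_payload)
    out = build_tag(SERVICE_NAME, tags.get(SERVICE_NAME, b""))
    out += build_tag(AC_NAME, ac_name)
    host_uniq = tags.get(HOST_UNIQ)  # None when the client sent no Host-Uniq
    if host_uniq is not None:        # never pass None into a length field
        out += build_tag(HOST_UNIQ, host_uniq)
    return out


# Constructed sample PADI payloads: one with Host-Uniq, one without.
PADI_WITH = build_tag(SERVICE_NAME, b"") + build_tag(HOST_UNIQ, bytes.fromhex("deadbeef"))
PADI_WITHOUT = build_tag(SERVICE_NAME, b"")

if __name__ == "__main__":
    for name, padi in (("with Host-Uniq", PADI_WITH), ("without", PADI_WITHOUT)):
        print(name, build_offer_tags(padi).hex())
```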