tomac / yersinia

A framework for layer 2 attacks
GNU General Public License v2.0

Yersinia crash when performing DHCP rogue server (on DHCP Discover received frame) #74

Closed nathan-rabet closed 1 year ago

nathan-rabet commented 1 year ago

Issue

The title is pretty explicit. The program crashes when performing DHCP rogue server at the moment when the DHCP discover packet is received on the hacking machine.

Attack settings (DHCP rogue server)

Generated logs

# yersinia v0.8.2 started in evil-pc on Mon Nov  7 01:23:11 2022

Network Interface wlan0

 wlan0 iflinkname EN10MB
 wlan0 iflinkdesc Ethernet
 wlan0 MAC = AAAA.BBBB.CCCC
Network Interface lo

 lo iflinkname EN10MB
 lo iflinkdesc Ethernet
 lo MAC = 0000.0000.0000
Network Interface bluetooth0
Network Interface bluetooth-monitor
pcap_open_live failed: bluetooth-monito: No such device exists (No such device exists)
Network Interface nflog
Network Interface nfqueue
Network Interface dbus-system
Network Interface dbus-session
pcap_open_live failed: dbus-session: Failed to get session bus: /usr/bin/dbus-launch terminated abnormally without any error message

 th_uptime thread = 5F455640

 gtk_gui_th = 5EC54640
 attack_launch: 5EC54640 Attack thread 5DFFF640 is born!!
Error in dhcp_get_printable: len is 0 and type is 80

DHCP Discover frame (from Wireshark)

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

It seems that there is a problem with the following line: https://github.com/tomac/yersinia/blob/b56334e3ae45c9ff27969f57bd1d81cfe21bc717/src/dhcp.c#L1382

Best regards.

nathan-rabet commented 1 year ago

After a quick code review, it seems that the error occurs because the DHCP option Rapid Commit is not supported.


Because this option has no value (len=0), the next if condition becomes true:

https://github.com/tomac/yersinia/blob/b56334e3ae45c9ff27969f57bd1d81cfe21bc717/src/dhcp.c#L1382-L1387
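The failure mode described in the comment above, a DHCP option whose length byte is legitimately 0, is worth seeing in a parser that handles it. The following is an added example written for this page, not yersinia's code: a bounds-checked walker over the DHCP option field that treats a zero-length option (such as Rapid Commit, option 80) as a present flag rather than an error, and a hex renderer that returns an empty string for an empty value instead of failing. The function and struct names are hypothetical, and the option bytes in `main` are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option codes used below (values from RFC 2132 / RFC 4039). */
#define DHCP_OPT_PAD          0
#define DHCP_OPT_MSG_TYPE     53
#define DHCP_OPT_CLIENT_ID    61
#define DHCP_OPT_RAPID_COMMIT 80
#define DHCP_OPT_END          255

/* What the walker learned from one option field (hypothetical struct). */
struct dhcp_opt_summary {
    int msg_type;      /* value of option 53, or -1 if absent            */
    int rapid_commit;  /* 1 if option 80 was present; it carries no value */
    int n_options;     /* non-pad options seen before END                 */
    int truncated;     /* 1 if a declared length ran past the buffer      */
};

/* Walk the TLV option field that follows the DHCP magic cookie.
   Pad (0) has no length byte, End (255) stops the walk, every other
   option is code, length, value. A length of 0 is valid: flag-style
   options like Rapid Commit have nothing after the length byte, so the
   walker must simply advance to the next code instead of rejecting it.
   Returns 0 on success, -1 if an option claims more bytes than remain. */
int dhcp_walk_options(const uint8_t *opts, size_t len, struct dhcp_opt_summary *out)
{
    size_t i = 0;
    out->msg_type = -1; out->rapid_commit = 0; out->n_options = 0; out->truncated = 0;

    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return 0;
        if (i >= len) { out->truncated = 1; return -1; }        /* code, no length byte */
        uint8_t olen = opts[i++];
        if (olen > len - i) { out->truncated = 1; return -1; }  /* value past the buffer */
        const uint8_t *val = opts + i;
        out->n_options++;

        switch (code) {
        case DHCP_OPT_MSG_TYPE:
            if (olen == 1) out->msg_type = val[0];
            break;
        case DHCP_OPT_RAPID_COMMIT:
            out->rapid_commit = 1;   /* olen == 0 is the expected shape here */
            break;
        default:
            break;
        }
        i += olen;   /* with olen == 0 this just moves to the next code */
    }
    return 0;        /* ran off the end without END; tolerated, nothing overran */
}

/* Render an option value as lowercase hex. A zero-length value yields ""
   and a return of 0, which is a valid result, not an error condition.
   Writes at most bufsz-1 characters plus a terminating NUL. */
size_t dhcp_opt_hex(const uint8_t *val, size_t olen, char *buf, size_t bufsz)
{
    size_t n = 0;
    if (bufsz == 0) return 0;
    buf[0] = '\0';
    for (size_t k = 0; k < olen && n + 3 <= bufsz; k++)
        n += (size_t)snprintf(buf + n, bufsz - n, "%02x", val[k]);
    return n;
}

int main(void)
{
    /* Constructed option field resembling a Discover with Rapid Commit:
       type=1 (DHCPDISCOVER), option 80 with len 0, a 2-byte client id, END. */
    static const uint8_t opts[] = { 53, 1, 1,  80, 0,  61, 2, 0xaa, 0xbb,  255 };
    struct dhcp_opt_summary s;
    char hex[16];

    int rc = dhcp_walk_options(opts, sizeof opts, &s);
    printf("rc=%d msg_type=%d rapid_commit=%d options=%d truncated=%d\n",
           rc, s.msg_type, s.rapid_commit, s.n_options, s.truncated);

    dhcp_opt_hex(&opts[7], 2, hex, sizeof hex);
    printf("client id = %s\n", hex);
    dhcp_opt_hex(NULL, 0, hex, sizeof hex);
    printf("rapid commit value = \"%s\"\n", hex);
    return 0;
}
```

The two checks before reading `olen` and before using it are what keep a malformed frame from reading past the buffer; the zero-length case needs no special branch at all, which is the point: a `len == 0` test belongs only where a specific option is known to require a value, not on the generic path.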

aoshiken commented 1 year ago

Thank you Nathan