PoC: Set SSID 77777777 and Pass 88888888
parent
47a37b81db
commit
97f367de2f
332
main.c
332
main.c
|
@ -9,6 +9,12 @@
|
||||||
|
|
||||||
#include "config.h"
|
#include "config.h"
|
||||||
|
|
||||||
|
#define ERR_EXIT(errcode) do { perr(" %s\n", libusb_strerror((enum libusb_error)errcode)); return -1; } while (0)
|
||||||
|
#define CALL_CHECK(fcall) do { int _r=fcall; if (_r < 0) ERR_EXIT(_r); } while (0)
|
||||||
|
#define CALL_CHECK_CLOSE(fcall, hdl) do { int _r=fcall; if (_r < 0) { libusb_close(hdl); ERR_EXIT(_r); } } while (0)
|
||||||
|
|
||||||
|
#define REQUEST_SENSE_LENGTH 0x12
|
||||||
|
|
||||||
// Section 5.1: Command Block Wrapper (CBW)
|
// Section 5.1: Command Block Wrapper (CBW)
|
||||||
struct command_block_wrapper {
|
struct command_block_wrapper {
|
||||||
uint8_t dCBWSignature[4];
|
uint8_t dCBWSignature[4];
|
||||||
|
@ -45,14 +51,10 @@ static const uint8_t cdb_length[256] = {
|
||||||
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, // C
|
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, // C
|
||||||
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, // D
|
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, // D
|
||||||
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, // E
|
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, // E
|
||||||
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00, // F
|
00,00,00,00,00,00,00,00,00,00,00,00,00,16,16,16, // F
|
||||||
};
|
};
|
||||||
|
|
||||||
|
// static struct libusb_device_handle *devh = NULL;
|
||||||
#define REQUEST_SENSE_LENGTH 0x12
|
|
||||||
|
|
||||||
|
|
||||||
static struct libusb_device_handle *devh = NULL;
|
|
||||||
|
|
||||||
static void perr(char const *format, ...)
|
static void perr(char const *format, ...)
|
||||||
{
|
{
|
||||||
|
@ -63,6 +65,34 @@ static void perr(char const *format, ...)
|
||||||
va_end(args);
|
va_end(args);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void display_buffer_hex(unsigned char *buffer, unsigned size)
|
||||||
|
{
|
||||||
|
unsigned i, j, k;
|
||||||
|
|
||||||
|
for (i=0; i<size; i+=16) {
|
||||||
|
printf("\n %08x ", i);
|
||||||
|
for(j=0,k=0; k<16; j++,k++) {
|
||||||
|
if (i+j < size) {
|
||||||
|
printf("%02x", buffer[i+j]);
|
||||||
|
} else {
|
||||||
|
printf(" ");
|
||||||
|
}
|
||||||
|
printf(" ");
|
||||||
|
}
|
||||||
|
printf(" ");
|
||||||
|
for(j=0,k=0; k<16; j++,k++) {
|
||||||
|
if (i+j < size) {
|
||||||
|
if ((buffer[i+j] < 32) || (buffer[i+j] > 126)) {
|
||||||
|
printf(".");
|
||||||
|
} else {
|
||||||
|
printf("%c", buffer[i+j]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
printf("\n" );
|
||||||
|
}
|
||||||
|
|
||||||
static int send_mass_storage_command(libusb_device_handle *handle, uint8_t endpoint, uint8_t lun,
|
static int send_mass_storage_command(libusb_device_handle *handle, uint8_t endpoint, uint8_t lun,
|
||||||
uint8_t *cdb, uint8_t direction, int data_length, uint32_t *ret_tag)
|
uint8_t *cdb, uint8_t direction, int data_length, uint32_t *ret_tag)
|
||||||
{
|
{
|
||||||
|
@ -80,6 +110,8 @@ static int send_mass_storage_command(libusb_device_handle *handle, uint8_t endpo
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
display_buffer_hex(cdb, cdb_length[cdb[0]]);
|
||||||
|
|
||||||
cdb_len = cdb_length[cdb[0]];
|
cdb_len = cdb_length[cdb[0]];
|
||||||
if ((cdb_len == 0) || (cdb_len > sizeof(cbw.CBWCB))) {
|
if ((cdb_len == 0) || (cdb_len > sizeof(cbw.CBWCB))) {
|
||||||
perr("send_mass_storage_command: don't know how to handle this command (%02X, length %d)\n",
|
perr("send_mass_storage_command: don't know how to handle this command (%02X, length %d)\n",
|
||||||
|
@ -111,178 +143,178 @@ static int send_mass_storage_command(libusb_device_handle *handle, uint8_t endpo
|
||||||
i++;
|
i++;
|
||||||
} while ((r == LIBUSB_ERROR_PIPE) && (i<RETRY_MAX));
|
} while ((r == LIBUSB_ERROR_PIPE) && (i<RETRY_MAX));
|
||||||
if (r != LIBUSB_SUCCESS) {
|
if (r != LIBUSB_SUCCESS) {
|
||||||
perr(" send_mass_storage_command: %s\n", libusb_strerror((enum libusb_error)r));
|
perr("send_mass_storage_command: %s\n", libusb_strerror((enum libusb_error)r));
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
printf(" sent %d CDB bytes\n", cdb_len);
|
printf("sent %d CDB bytes\n", cdb_len);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static libusb_device_handle *open_actionpro()
|
|
||||||
{
|
|
||||||
ssize_t devc;
|
|
||||||
libusb_device **dev_list;
|
|
||||||
static libusb_device *dev = NULL;
|
|
||||||
struct libusb_device_descriptor dev_desc;
|
|
||||||
struct libusb_config_descriptor *dev_conf = NULL;
|
|
||||||
const struct libusb_interface *iface = NULL;
|
|
||||||
const struct libusb_interface_descriptor *iface_desc = NULL;
|
|
||||||
|
|
||||||
int res = 0;
|
|
||||||
|
|
||||||
devc = libusb_get_device_list(NULL, &dev_list);
|
|
||||||
if (devc < 1) {
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (int i = 0; i < devc; i++) {
|
|
||||||
dev = dev_list[i];
|
|
||||||
if (libusb_get_device_descriptor(dev, &dev_desc)) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((dev_desc.idVendor != VENDOR_ID || dev_desc.idProduct != PRODUCT_ID)) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
res = libusb_open(dev, &devh);
|
|
||||||
if (res < 0) {
|
|
||||||
perror("libusb_open");
|
|
||||||
return(NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
for (int j = 0; j < dev_desc.bNumConfigurations; j++) {
|
|
||||||
if (libusb_get_config_descriptor(dev, j, &dev_conf)) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (int k = 0; k < dev_conf->bNumInterfaces; k++) {
|
|
||||||
iface = &dev_conf->interface[k];
|
|
||||||
for (int l = 0; l < iface->num_altsetting; l++) {
|
|
||||||
iface_desc = &iface->altsetting[l];
|
|
||||||
if (libusb_kernel_driver_active(devh, iface_desc->bInterfaceNumber)) {
|
|
||||||
libusb_detach_kernel_driver(devh, iface_desc->bInterfaceNumber);
|
|
||||||
}
|
|
||||||
|
|
||||||
libusb_set_configuration(devh, dev_conf->bConfigurationValue);
|
|
||||||
libusb_claim_interface(devh, iface_desc->bInterfaceNumber);
|
|
||||||
|
|
||||||
int e = 0;
|
|
||||||
while (libusb_claim_interface(devh, iface_desc->bInterfaceNumber) && (e < 10)) {
|
|
||||||
sleep(1);
|
|
||||||
e++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
libusb_free_config_descriptor(dev_conf);
|
|
||||||
}
|
|
||||||
|
|
||||||
return devh;
|
|
||||||
}
|
|
||||||
|
|
||||||
devh = NULL;
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int get_mass_storage_status(libusb_device_handle *handle, uint8_t endpoint, uint32_t expected_tag)
|
static int get_mass_storage_status(libusb_device_handle *handle, uint8_t endpoint, uint32_t expected_tag)
|
||||||
{
|
{
|
||||||
int i, r, size;
|
int i, r, size;
|
||||||
struct command_status_wrapper csw;
|
struct command_status_wrapper csw;
|
||||||
|
|
||||||
// The device is allowed to STALL this transfer. If it does, you have to
|
// The device is allowed to STALL this transfer. If it does, you have to
|
||||||
// clear the stall and try again.
|
// clear the stall and try again.
|
||||||
i = 0;
|
i = 0;
|
||||||
do {
|
do {
|
||||||
r = libusb_bulk_transfer(handle, endpoint, (unsigned char*)&csw, 13, &size, 1000);
|
r = libusb_bulk_transfer(handle, endpoint, (unsigned char*)&csw, 13, &size, 1000);
|
||||||
if (r == LIBUSB_ERROR_PIPE) {
|
if (r == LIBUSB_ERROR_PIPE) {
|
||||||
libusb_clear_halt(handle, endpoint);
|
libusb_clear_halt(handle, endpoint);
|
||||||
}
|
}
|
||||||
i++;
|
i++;
|
||||||
} while ((r == LIBUSB_ERROR_PIPE) && (i<RETRY_MAX));
|
} while ((r == LIBUSB_ERROR_PIPE) && (i<RETRY_MAX));
|
||||||
if (r != LIBUSB_SUCCESS) {
|
if (r != LIBUSB_SUCCESS) {
|
||||||
perr(" get_mass_storage_status: %s\n", libusb_strerror((enum libusb_error)r));
|
perr("get_mass_storage_status: %s\n", libusb_strerror((enum libusb_error)r));
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (size != 13) {
|
if (size != 13) {
|
||||||
perr(" get_mass_storage_status: received %d bytes (expected 13)\n", size);
|
perr("get_mass_storage_status: received %d bytes (expected 13)\n", size);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
if (csw.dCSWTag != expected_tag) {
|
if (csw.dCSWTag != expected_tag) {
|
||||||
perr(" get_mass_storage_status: mismatched tags (expected %08X, received %08X)\n",
|
perr("get_mass_storage_status: mismatched tags (expected %08X, received %08X)\n",
|
||||||
expected_tag, csw.dCSWTag);
|
expected_tag, csw.dCSWTag);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
// For this test, we ignore the dCSWSignature check for validity...
|
// For this test, we ignore the dCSWSignature check for validity...
|
||||||
printf(" Mass Storage Status: %02X (%s)\n", csw.bCSWStatus, csw.bCSWStatus?"FAILED":"Success");
|
printf("Mass Storage Status: %02X (%s)\n", csw.bCSWStatus, csw.bCSWStatus?"FAILED":"Success");
|
||||||
if (csw.dCSWTag != expected_tag)
|
if (csw.dCSWTag != expected_tag)
|
||||||
return -1;
|
return -1;
|
||||||
if (csw.bCSWStatus) {
|
if (csw.bCSWStatus) {
|
||||||
// REQUEST SENSE is appropriate only if bCSWStatus is 1, meaning that the
|
// REQUEST SENSE is appropriate only if bCSWStatus is 1, meaning that the
|
||||||
// command failed somehow. Larger values (2 in particular) mean that
|
// command failed somehow. Larger values (2 in particular) mean that
|
||||||
// the command couldn't be understood.
|
// the command couldn't be understood.
|
||||||
if (csw.bCSWStatus == 1)
|
if (csw.bCSWStatus == 1)
|
||||||
return -2; // request Get Sense
|
return -2; // request Get Sense
|
||||||
else
|
else
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
// In theory we also should check dCSWDataResidue. But lots of devices
|
// In theory we also should check dCSWDataResidue. But lots of devices
|
||||||
// set it wrongly.
|
// set it wrongly.
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
int main(int argc, char *argv[])
|
int main(int argc, char *argv[])
|
||||||
{
|
{
|
||||||
int res = 0;
|
int r = 0, e = 0;
|
||||||
uint8_t cdb[16];
|
struct libusb_device_handle *handle = NULL;
|
||||||
uint8_t sense[18];
|
struct libusb_device **devs;
|
||||||
int transferred = 0;
|
struct libusb_device *dev;
|
||||||
|
struct libusb_device_descriptor desc;
|
||||||
|
|
||||||
|
/* Init libusb */
|
||||||
|
r = libusb_init(NULL);
|
||||||
|
if (r < 0)
|
||||||
|
{
|
||||||
|
printf("\nfailed to initialise libusb\n");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
handle = libusb_open_device_with_vid_pid(NULL, VENDOR_ID, PRODUCT_ID);
|
||||||
|
if(handle == NULL) {
|
||||||
|
printf("\nError in device opening!");
|
||||||
|
} else {
|
||||||
|
printf("\nDevice Opened");
|
||||||
|
}
|
||||||
|
|
||||||
|
libusb_set_configuration(handle, 1);
|
||||||
|
if(libusb_kernel_driver_active(handle, 0) == 1) {
|
||||||
|
printf("\nKernel Driver Active");
|
||||||
|
if(libusb_detach_kernel_driver(handle, 0) == 0) {
|
||||||
|
printf("\nKernel Driver Detached!");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
e = libusb_claim_interface(handle, 0);
|
||||||
|
if(e < 0) {
|
||||||
|
printf("\nCannot Claim Interface");
|
||||||
|
} else {
|
||||||
|
printf("\nClaimed Interface");
|
||||||
|
}
|
||||||
|
|
||||||
uint32_t expected_tag = 0;
|
uint32_t expected_tag = 0;
|
||||||
|
uint8_t cdb[16];
|
||||||
|
uint8_t sense[18];
|
||||||
|
int size;
|
||||||
|
int rc;
|
||||||
|
|
||||||
res = libusb_init(NULL);
|
memset(cdb, 0, sizeof(cdb));
|
||||||
if (res < 0) {
|
cdb[0] = 0x03;
|
||||||
perror("libusb_init");
|
cdb[4] = REQUEST_SENSE_LENGTH;
|
||||||
fprintf(stderr, "Error: %s\n", libusb_strerror(res));
|
send_mass_storage_command(handle, 0x01, 0, cdb, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
|
||||||
exit(EXIT_FAILURE);
|
rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
|
||||||
|
if (rc < 0)
|
||||||
|
{
|
||||||
|
printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
|
printf("received %d bytes\n", size);
|
||||||
|
|
||||||
if (!open_actionpro()) {
|
rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
|
||||||
fprintf(stderr, "Error opening device, no ACTIONPRO X7 found!\n");
|
if (rc < 0)
|
||||||
libusb_exit(NULL);
|
{
|
||||||
exit(EXIT_FAILURE);
|
printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
|
printf("received %d bytes\n", size);
|
||||||
|
|
||||||
unsigned char cmd[] = "\xfe\x00\x58\x37\x41\x50\x50\x41\x53\x00\x00\x00\x00\x00\x00\x00";
|
|
||||||
|
|
||||||
memset(sense, 0, sizeof(sense));
|
|
||||||
memset(cdb, 0, sizeof(cdb));
|
memset(cdb, 0, sizeof(cdb));
|
||||||
cdb[0] = 0x03;
|
cdb[0] = 0x03;
|
||||||
cdb[4] = REQUEST_SENSE_LENGTH;
|
cdb[4] = REQUEST_SENSE_LENGTH;
|
||||||
|
|
||||||
send_mass_storage_command(devh, 0x01, 0, cdb, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
|
unsigned char cmd[] = "\xfe\x00\x37\x37\x37\x37\x37\x37\x37\x37\x37\x37\x00\x00\x00\x00";
|
||||||
res = libusb_bulk_transfer(devh, 0x81, (unsigned char *)&sense, REQUEST_SENSE_LENGTH, &transferred, 1000);
|
send_mass_storage_command(handle, 0x01, 0, cmd, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
|
||||||
if (res < 0) {
|
rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
|
||||||
perror("libusb_bulk_transfer");
|
if (rc < 0)
|
||||||
fprintf(stderr, "Error: %s\n", libusb_strerror(res));
|
{
|
||||||
|
printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
|
||||||
libusb_release_interface(devh, 0);
|
return 1;
|
||||||
libusb_reset_device(devh);
|
|
||||||
libusb_close(devh);
|
|
||||||
|
|
||||||
libusb_exit(NULL);
|
|
||||||
|
|
||||||
exit(EXIT_FAILURE);
|
|
||||||
}
|
}
|
||||||
|
printf("received %d bytes\n", size);
|
||||||
|
|
||||||
get_mass_storage_status(devh, 0x1, expected_tag);
|
memset(cdb, 0, sizeof(cdb));
|
||||||
|
cdb[0] = 0x03;
|
||||||
|
cdb[4] = REQUEST_SENSE_LENGTH;
|
||||||
|
send_mass_storage_command(handle, 0x01, 0, cdb, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
|
||||||
|
rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
|
||||||
|
if (rc < 0)
|
||||||
|
{
|
||||||
|
printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
printf("received %d bytes\n", size);
|
||||||
|
|
||||||
libusb_release_interface(devh, 0);
|
rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
|
||||||
libusb_reset_device(devh);
|
if (rc < 0)
|
||||||
libusb_close(devh);
|
{
|
||||||
|
printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
printf("received %d bytes\n", size);
|
||||||
|
|
||||||
|
memset(cdb, 0, sizeof(cdb));
|
||||||
|
cdb[0] = 0x03;
|
||||||
|
cdb[4] = REQUEST_SENSE_LENGTH;
|
||||||
|
|
||||||
|
unsigned char cmd2[] = "\xfd\x00\x38\x38\x38\x38\x38\x38\x38\x38\x38\x38\x00\x00\x00\x00";
|
||||||
|
send_mass_storage_command(handle, 0x01, 0, cmd2, LIBUSB_ENDPOINT_IN, REQUEST_SENSE_LENGTH, &expected_tag);
|
||||||
|
rc = libusb_bulk_transfer(handle, 0x81, (unsigned char*)&sense, REQUEST_SENSE_LENGTH, &size, 1000);
|
||||||
|
if (rc < 0)
|
||||||
|
{
|
||||||
|
printf("libusb_bulk_transfer failed: %s\n", libusb_error_name(rc));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
printf("received %d bytes\n", size);
|
||||||
|
|
||||||
|
//get_mass_storage_status(handle, 0x01, expected_tag);
|
||||||
|
|
||||||
|
libusb_release_interface(handle, 0);
|
||||||
|
libusb_reset_device(handle);
|
||||||
|
libusb_close(handle);
|
||||||
|
|
||||||
libusb_exit(NULL);
|
libusb_exit(NULL);
|
||||||
|
|
||||||
|
|
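Review bot: In main(), a failed `libusb_open_device_with_vid_pid()` only prints "Error in device opening!", and the code then calls `libusb_set_configuration(handle, 1)` and every later transfer with a NULL handle; it should bail out instead, e.g. `if (handle == NULL) { printf("\nError in device opening!"); libusb_exit(NULL); return 1; }`. The `libusb_claim_interface()` failure branch has the same shape (it prints "Cannot Claim Interface" and carries on), and each `return 1` after a failed `libusb_bulk_transfer()` skips the release/reset/close/`libusb_exit` sequence at the bottom of the function. The return value of `send_mass_storage_command()` is ignored and the `get_mass_storage_status()` call is commented out, so the outcome of the 0xFE/0xFD commands is never checked and the tool cannot tell whether the device accepted them. main() appears to continue past the end of the visible hunk.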