

Only wait the first PADI without timeout
xfangfang committed Jun 1, 2024
1 parent 229fb36 commit cbc09a3
Showing 2 changed files with 10 additions and 6 deletions.
2 changes: 1 addition & 1 deletion include/exploit.h
Expand Up @@ -100,7 +100,7 @@ class Exploit {
int ipcp_negotiation() const;

int ppp_negotiation(const std::function<std::vector<uint8_t>(Exploit *)> &cb = nullptr,
bool ignore_initial_req = false);
bool ignore_initial_req = false, bool always_wait_padi = false);

void ppp_byebye();

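Review bot: The new `always_wait_padi` parameter on `ppp_negotiation` is undocumented, and its effect — the PADI capture is started with a pcap timeout of 0 instead of `this->timeout`, i.e. an unbounded wait — is visible only in src/exploit.cpp. A short comment on the declaration would spare readers that lookup, e.g. `// always_wait_padi: block with no timeout until a PADI arrives (stage0 uses this); otherwise fail after this->timeout`. The enclosing `class Exploit` begins outside the hunk.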
14 changes: 9 additions & 5 deletions src/exploit.cpp
Expand Up @@ -330,23 +330,27 @@ int Exploit::ipcp_negotiation() const {
return RETURN_SUCCESS;
}

int Exploit::ppp_negotiation(const std::function<std::vector<uint8_t>(Exploit *)> &cb, bool ignore_initial_req) {
int Exploit::ppp_negotiation(const std::function<std::vector<uint8_t>(Exploit *)> &cb, bool ignore_initial_req,
bool always_wait_padi) {
int padi_count = ignore_initial_req ? 2 : 1;

Cookie pkt;
while (padi_count--) {
std::cout << "[*] Waiting for PADI..." << std::endl;
dev->startCaptureBlockingMode(
if (dev->startCaptureBlockingMode(
[](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
pcpp::Packet parsedPacket(packet, pcpp::PPPoEDiscovery);
auto *layer = PacketBuilder::getPPPoEDiscoveryLayer(parsedPacket,
pcpp::PPPoELayer::PPPOE_CODE_PADI);
if (!layer) return false;
((Cookie *) cookie)->packet = parsedPacket;
return true;
}, &pkt, 0);
}, &pkt, always_wait_padi ? 0 : this->timeout) != 1) {
return RETURN_FAIL;
} else if (!running) {
return RETURN_STOP;
}
}
CHECK_RUNNING();

auto *pppoeDiscoveryLayer = pkt.packet.getLayerOfType<pcpp::PPPoEDiscoveryLayer>();
if (!pppoeDiscoveryLayer) {
Expand Down Expand Up @@ -695,7 +699,7 @@ std::vector<uint8_t> Exploit::build_second_rop(Exploit *self) {
}

int Exploit::stage0() {
CHECK_RET(this->ppp_negotiation(Exploit::build_fake_ifnet, this->wait_padi));
CHECK_RET(this->ppp_negotiation(Exploit::build_fake_ifnet, this->wait_padi, true));
CHECK_RET(this->lcp_negotiation());
CHECK_RET(this->ipcp_negotiation());

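Review bot: The `!= 1` test on the `startCaptureBlockingMode` result inside the PADI loop folds a timeout into the same silent `RETURN_FAIL` as a capture error, so a caller that leaves `always_wait_padi` false gets no indication that no PADI arrived within `this->timeout` (PcapPlusPlus reports these as 0 and -1 respectively, if that convention holds for the version in use). Capturing the result in a local and logging the timeout case before returning keeps the diagnosis at the same verbosity as the existing `[*] Waiting for PADI...` line. Note also that when `ignore_initial_req` is true the unbounded wait applies to both iterations, not only the first PADI, and that `running` is inspected only after the call returns, so a stop request during an unbounded wait is not observed until a PADI arrives. The stage0 hunk is consistent with the new default and needs no change; `ppp_negotiation` continues past the first hunk.
```cpp
        std::cout << "[*] Waiting for PADI..." << std::endl;
        const int rc = dev->startCaptureBlockingMode(
            // … unchanged: PADI filter callback …
            &pkt, always_wait_padi ? 0 : this->timeout);
        if (rc == 0) {
            std::cout << "[-] No PADI received within timeout" << std::endl;
        }
        if (rc != 1) {
            return RETURN_FAIL;
        } else if (!running) {
            return RETURN_STOP;
        }
```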

