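"""Minimal PPPoE access-concentrator (server) simulator built on Scapy.

Repository: PPPoE_Simulator-for-RM2100-exploit (its README.md holds only
that title).

The script listens on ``interface`` for PPPoE discovery (PADI/PADR) and
session frames from one client and walks it through the server side of the
usual state machine: discovery offer/confirmation, LCP negotiation (MRU,
PAP, magic number), PAP authentication, IPCP address assignment, LCP echo
keep-alives and a Protocol-Reject for IPV6CP.

It is a test harness, not a real access concentrator: every PADR gets a
session (the AC-Cookie is never checked), every PAP request is acknowledged
without looking at the credentials, and the addresses handed out are the
fixed constants below.  All connection state lives in module-level globals,
so a single client is supported and the sender of the most recent frame is
treated as "the" client.
"""

import os

from scapy.all import *
from scapy.layers.ppp import *

# In most cases you just have to change this:
interface = ""


ac_name = "PPPoE-Simulator"
service_name = ""
magic_number = 0xDEADBEEF

# Addresses offered over IPCP.  server_ip goes into the server's own
# Configure-Request; client_ip and the DNS servers are Nak'ed back when the
# client asks for 0.0.0.0 (or sends no address at all).
server_ip = "10.15.0.8"
client_ip = "10.16.0.9"
dns_primary = "114.114.114.114"
dns_secondary = "114.114.114.114"

# Per-connection state, written by packet_callback() and its helpers.
# mac_server is filled in by the __main__ block from the interface's MAC.
host_uniq = session_id = ac_cookie = mac_router = mac_server = eth_discovery = eth_session = None
ident = 0

# PPPoE discovery tag types (RFC 2516, appendix A).
End_Of_List = 0x0000
Service_Name = 0x0101
AC_Name = 0x0102
Host_Uniq = 0x0103
AC_Cookie = 0x0104
Vendor_Specific = 0x0105
Relay_Session_Id = 0x0110
Service_Name_Error = 0x0201
AC_System_Error = 0x0202
Generic_Error = 0x0203

# PPPoE discovery packet codes.
PADI = 0x09
PADO = 0x07
PADR = 0x19
PADS = 0x65
PADT = 0xa7

# PPP protocol numbers and the two PPPoE Ethertypes.
LCP = 0xc021
PAP = 0xc023
CHAP = 0xc223
IPCP = 0x8021
IPV6CP = 0x8057
PPPoE_Discovery = 0x8863
PPPoE_Session = 0x8864

# LCP / IPCP / PAP codes (RFC 1661, RFC 1334).
Configure_Request = 1
Configure_Ack = 2
Authenticate_Ack = 2
Configure_Nak = 3
Configure_Reject = 4
Terminate_Request = 5
Terminate_Ack = 6
Code_Reject = 7
Protocol_Reject = 8
Echo_Request = 9
Echo_Reply = 10
Discard_Request = 11


def _next_id(current):
    """Return the PPP identifier following ``current``, wrapped to one byte.

    The PPP ``id`` field is a single byte; ``current + 1`` without the mask
    fails to serialise once the client's identifier reaches 255.
    """
    return (current + 1) & 0xFF


def _random_session_id():
    """Return a random 16-bit PPPoE session id.

    0x0000 is reserved for discovery and 0xFFFF for future use (RFC 2516),
    so both are rejected and a fresh value drawn.
    """
    while True:
        candidate = int.from_bytes(os.urandom(2), "big")
        if 0 < candidate < 0xFFFF:
            return candidate


def _raw_options(options):
    """Chain LCP option packets as ``Raw`` payloads for ``PPP_LCP.data``.

    The script serialises each option through ``Raw`` instead of using a
    ``PPP_LCP_Configure`` option list; that encoding is kept as-is.
    ``options`` must contain at least one option.
    """
    chained = Raw(options[0])
    for option in options[1:]:
        chained = chained / Raw(option)
    return chained


def _session_frame(proto):
    """Return the Ether/PPPoE/PPP header stack for a session frame to the client.

    Reads the current ``eth_session`` and ``session_id`` globals, so it must
    only be called once a session has been set up by ``packet_callback``.
    """
    return eth_session / PPPoE(sessionid=session_id) / PPP(proto=proto)


def _handle_discovery(pkt):
    """Answer PPPoE discovery: PADI -> PADO, PADR -> PADS plus the first LCP request."""
    global host_uniq, session_id, ac_cookie
    code = pkt[PPPoED].code

    if code == PADI:
        session_id = pkt[PPPoED].sessionid
        ac_cookie = os.urandom(20)
        # Forget any Host-Uniq from a previous client; only echo what this
        # PADI carries.
        host_uniq = None
        tags = pkt[PPPoED_Tags].tag_list if pkt.haslayer(PPPoED_Tags) else []
        for tag in tags:
            if tag.tag_type == Host_Uniq:
                host_uniq = tag.tag_value
        print("Client->Server | Discovery Initiation")
        print("Server->Client | Discovery Offer")
        offer = (eth_discovery /
                 PPPoED(code=PADO, sessionid=0) /
                 PPPoETag(tag_type=Service_Name, tag_value=service_name) /
                 PPPoETag(tag_type=AC_Name, tag_value=ac_name) /
                 PPPoETag(tag_type=AC_Cookie, tag_value=ac_cookie))
        # RFC 2516: Host-Uniq is returned unchanged only when the client sent one.
        if host_uniq is not None:
            offer = offer / PPPoETag(tag_type=Host_Uniq, tag_value=host_uniq)
        sendp(offer)

    elif code == PADR:
        print("Client->Server | Discovery Request")
        print("Server->Client | Discovery Session-confirmation")
        # NOTE: the AC-Cookie offered in the PADO is not verified against the
        # PADR; any PADR from the client is granted a session.
        session_id = _random_session_id()
        confirmation = (eth_discovery /
                        PPPoED(code=PADS, sessionid=session_id) /
                        PPPoETag(tag_type=Service_Name, tag_value=service_name))
        if host_uniq is not None:
            confirmation = confirmation / PPPoETag(tag_type=Host_Uniq, tag_value=host_uniq)
        sendp(confirmation)
        # Open LCP right away: ask for MRU 1492, PAP authentication and
        # announce our magic number.
        print("Server->Client | Configuration Request (PAP)")
        sendp(_session_frame(LCP) /
              PPP_LCP(code=Configure_Request, id=_next_id(ident),
                      data=_raw_options([
                          PPP_LCP_MRU_Option(max_recv_unit=1492),
                          PPP_LCP_Auth_Protocol_Option(auth_protocol=PAP),
                          PPP_LCP_Magic_Number_Option(magic_number=magic_number),
                      ])))


def _handle_lcp_configure(lcp):
    """Ack the client's LCP Configure-Request; on its Configure-Ack start echoing."""
    global ident
    if lcp.code == Configure_Request:
        ident = lcp.id
        print("Client->Server | Configuration Request (MRU)")
        print("Server->Client | Configuration Ack (MRU)")
        # The acked MRU is a fixed 1480 rather than whatever the client asked
        # for (kept from the original script).
        acked = [PPP_LCP_MRU_Option(max_recv_unit=1480)]
        # Echo the client's magic number back only if its request carried one;
        # indexing an absent option would raise.
        if lcp.haslayer(PPP_LCP_Magic_Number_Option):
            acked.append(lcp[PPP_LCP_Magic_Number_Option])
        sendp(_session_frame(LCP) /
              PPP_LCP(code=Configure_Ack, id=ident, data=_raw_options(acked)))
    elif lcp.code == Configure_Ack:
        print("Client->Server | Configuration Ack")
        print("Server->Client | Echo Request")
        sendp(_session_frame(LCP) /
              PPP_LCP_Echo(code=Echo_Request, id=_next_id(ident), magic_number=magic_number))


def _handle_lcp_echo(echo):
    """Reply to an LCP Echo-Request with an Echo-Reply carrying our magic number."""
    global ident
    if echo.code == Echo_Request:
        ident = echo.id
        print("Client->Server | Echo Request")
        print("Server->Client | Echo Reply")
        sendp(_session_frame(LCP) /
              PPP_LCP_Echo(code=Echo_Reply, id=ident, magic_number=magic_number))


def _handle_pap_request(pap):
    """Acknowledge the PAP request unconditionally, then open IPCP."""
    global ident
    ident = pap.id
    print("Client->Server | Authentication Request")
    print("Server->Client | Authenticate Ack")
    # Peer-id and password in the request are never inspected: every
    # credential is accepted by this simulator.
    sendp(_session_frame(PAP) /
          PPP_PAP_Response(code=Authenticate_Ack, id=ident, message="Login ok"))
    print("Server->Client | Configuration Request (IP)")
    sendp(_session_frame(IPCP) /
          PPP_IPCP(code=Configure_Request, id=_next_id(ident),
                   options=[PPP_IPCP_Option_IPAddress(data=server_ip)]))


def _handle_ipcp(ipcp):
    """Nak an all-zero (or missing) address request with our assignment; Ack anything else."""
    global ident
    ident = ipcp.id
    # Only Configure-Requests get an answer.  The client's Ack/Nak/Reject of
    # our own request needs no reply (RFC 1661 section 5).
    if ipcp.code != Configure_Request:
        print("Client->Server | IPCP code %d (no reply)" % ipcp.code)
        return
    # Looks at the first option only, like the original; presumably the
    # client's IP-Address option comes first -- verify against the peer.
    requested = ipcp.options[0].data if ipcp.options else None
    if requested is None or requested == "0.0.0.0":
        options = [PPP_IPCP_Option_IPAddress(data=client_ip),
                   PPP_IPCP_Option_DNS1(data=dns_primary),
                   PPP_IPCP_Option_DNS2(data=dns_secondary)]
        print("Client->Server | Configuration Request (invalid)")
        print("Server->Client | Configuration Nak")
        sendp(_session_frame(IPCP) /
              PPP_IPCP(code=Configure_Nak, id=ident, options=options))
    else:
        print("Client->Server | Configuration Request (valid)")
        print("Server->Client | Configuration Ack")
        sendp(_session_frame(IPCP) /
              PPP_IPCP(code=Configure_Ack, id=ident, options=ipcp.options))


def _reject_ipv6cp(ppp):
    """Answer an IPV6CP frame with an LCP Protocol-Reject: IPv6 is not offered."""
    print("Client->Server | Configuration Request IPV6CP")
    print("Server->Client | Protocol Reject IPV6CP")
    sendp(_session_frame(LCP) /
          PPP_LCP_Protocol_Reject(code=Protocol_Reject, id=_next_id(ident),
                                  rejected_protocol=IPV6CP,
                                  rejected_information=ppp.payload))


def _handle_session(pkt):
    """Dispatch a PPPoE session frame to the handler for its PPP sub-protocol."""
    global session_id
    # Follow the client's session id once it uses a real (non-zero) one.
    if pkt[PPPoE].sessionid != 0:
        session_id = pkt[PPPoE].sessionid

    if pkt.haslayer(PPP_LCP_Configure):
        _handle_lcp_configure(pkt[PPP_LCP_Configure])
    elif pkt.haslayer(PPP_LCP_Echo):
        _handle_lcp_echo(pkt[PPP_LCP_Echo])
    elif pkt.haslayer(PPP_PAP_Request):
        _handle_pap_request(pkt[PPP_PAP_Request])
    elif pkt.haslayer(PPP_IPCP):
        _handle_ipcp(pkt[PPP_IPCP])

    if pkt[PPP].proto == IPV6CP:
        _reject_ipv6cp(pkt[PPP])


def packet_callback(pkt):
    """Sniff callback: react to one frame from the PPPoE client.

    Updates the module-level connection state (client MAC, session id, last
    PPP identifier, ...) and sends whatever reply the simulated access
    concentrator owes for ``pkt``.  Frames that are neither PPPoE discovery
    nor PPPoE session frames carrying PPP are ignored.

    Args:
        pkt: a Scapy packet delivered by ``sniff``.  It must carry an Ether
            layer (the BPF filter used in ``__main__`` only passes PPPoE).
    """
    global mac_router, eth_discovery, eth_session
    # Whoever sent the last frame is treated as the client; rebuild the
    # Ethernet headers used for replies with that destination.
    mac_router = pkt[Ether].src
    eth_discovery = Ether(src=mac_server, dst=mac_router, type=PPPoE_Discovery)
    eth_session = Ether(src=mac_server, dst=mac_router, type=PPPoE_Session)

    if pkt.haslayer(PPPoED):
        _handle_discovery(pkt)
    elif pkt.haslayer(PPPoE) and pkt.haslayer(PPP):
        _handle_session(pkt)


def terminateConnection():
    """Send an LCP Terminate frame to the current client.

    Raises:
        RuntimeError: if no session has been established yet (nothing to
            terminate); previously this surfaced as a TypeError from
            ``None / PPPoE(...)``.
    """
    if eth_session is None or session_id is None:
        raise RuntimeError("no PPPoE session established; nothing to terminate")
    print("Server->Client | Terminate Connection")
    sendp(_session_frame(LCP) / PPP_LCP_Terminate())


def isNotOutgoing(pkt):
    """Sniff lfilter: keep only frames not sent by this host's own MAC.

    Returns False for anything without an Ether layer, so such frames are
    never handed to ``packet_callback``.
    """
    if not pkt.haslayer(Ether):
        return False
    return pkt[Ether].src != mac_server


if __name__ == '__main__':
    if not interface:
        raise SystemExit("Set `interface` at the top of this file to the NIC "
                         "facing the PPPoE client before running.")
    conf.verb = 0  # Suppress Scapy output
    conf.iface = interface  # Set default interface
    mac_server = get_if_hwaddr(interface)
    print("Waiting for packets")
    # store=False: a long-running capture must not keep every frame in memory.
    sniff(prn=packet_callback, filter="pppoed or pppoes", lfilter=isNotOutgoing, store=False)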