cve_2024_30078_poc_wifi's People

Contributors

blkph0x

cve_2024_30078_poc_wifi's Issues

Unable to reproduce on Windows 11 22H2

Firstly I wanna say that I appreciate you sharing!

I've modified the Python code you've provided such that I can get test SSIDs less than 32 characters long to show up in the wifi tab on the target laptop running unpatched Windows 11 22H2, and ones longer than 32 do not, which I understand to be the proper observed behavior. I've never actually observed the crash though.

I've tried modifying the number of times each chunk is sent, fiddled with MAC addresses (are mac2 and 3 supposed to match? Should the last octet actually increment with each new chunk?), the length of the SSID, as well as modifying the security type, and the delay between resending packets for each chunk, even tried it on an unpatched Windows 10 laptop, and yet the damn wifi panel persists and functions normally.

My ultimate goal is to be able to repro this in my home lab, so that I can build out a detection for https://www.nzyme.org/ and enable orgs to proactively alert when these attacks may be happening.

If you're at all open to providing more specific parameters (I don't even need code) on how to reproduce the crash you get I'd be extremely grateful, as would everyone running nzyme.
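A detection sketch for the behaviour this issue describes, added here as an example (it is not part of the issue, the repository, or nzyme): it parses the tagged parameters of a raw beacon and reports an SSID element longer than the 32-byte limit or an element whose length field runs past the frame. It flags malformed beacons only and is not a detector for CVE-2024-30078 itself; the function names and the sample frames are constructed for illustration, and the input is assumed to be an 802.11 frame with the radiotap header already stripped.

```python
import struct

MAX_SSID_LEN = 32   # 802.11 caps the SSID element body at 32 bytes
HDR_LEN = 24        # management MAC header
FIXED_LEN = 12      # timestamp (8) + beacon interval (2) + capabilities (2)

def elements(blob):
    """Yield (id, value, truncated) for each tagged parameter in a beacon body."""
    off = 0
    while off + 2 <= len(blob):
        eid, length = blob[off], blob[off + 1]
        value = blob[off + 2:off + 2 + length]
        yield eid, value, len(value) < length
        off += 2 + length

def inspect_beacon(frame):
    """Return (bssid, reason) findings for one raw 802.11 frame."""
    # First frame-control byte 0x80 = version 0, type management, subtype beacon.
    if len(frame) < HDR_LEN + FIXED_LEN or frame[0] != 0x80:
        return []
    bssid = frame[16:22].hex(":")          # address 3 of the MAC header
    findings = []
    for eid, value, truncated in elements(frame[HDR_LEN + FIXED_LEN:]):
        if truncated:
            findings.append((bssid, "element length runs past end of frame"))
        if eid == 0 and len(value) > MAX_SSID_LEN:
            findings.append((bssid, f"SSID element of {len(value)} bytes"))
    return findings

def sample_beacon(ssid, bssid=bytes.fromhex("021122334455")):
    """Constructed test input: a beacon carrying a single SSID element."""
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0401)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

if __name__ == "__main__":
    # Constructed samples: a normal SSID and a 255-byte one like the log output below.
    for ssid in (b"lab-net", b"A" * 255):
        print(len(ssid), inspect_beacon(sample_beacon(ssid)))
```
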

Unrelated to CVE-2024-30078

The code in the repo is unrelated to CVE-2024-30078.

The CVE-2024-30078 vulnerability is in Dot11Translate80211ToEthernetNdisPacket() of the native wifi Windows driver (nwifi.sys) and a very specific frame needs to be constructed to even get to the vulnerable code path (which this code does not).

I haven't tried to verify the repo owner's claim that it crashes the wifi tab in the taskbar but either way it's unrelated to the above-mentioned CVE.

Can’t reproduce

I’m not able to reproduce the CVE. I have my card in monitor mode and am able to verify I’m sending beacon frames. How long of an SSID do you use? Also I noted in your beacon frame construction you're missing a lot of data used to set up an AP, are these necessary?

struct.error: required argument is not an integer

Exception in thread Thread-1 (send_beacon):
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/scapy/fields.py", line 243, in addfield
    return s + self.struct.pack(self.i2m(pkt, val))
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
struct.error: required argument is not an integer

Unable to reproduce

Is there something wrong with the MAC address? When it starts with 01:00:00:00:01, it seems that Windows cannot recognize the WiFi. I changed the addr prefix to 00:11:22 and the iPhone can search it, but the win11 device network card still cannot search the WiFi.

I failed to use this script

It seems that my SSID gave a length of 10*255 and it did not cause the Windows 10 22H2 exception to occur.
Can you give a specific example?
Sending Beacon frame with SSID chunk 1/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 2/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 3/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 4/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 5/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 6/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 7/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 8/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 9/10 of length: 255
....................................................................................................
Sent 100 packets.
Sending Beacon frame with SSID chunk 10/10 of length: 95
