Uninformed is pleased to announce the release of its sixth volume. This volume includes 3 articles on reverse engineering and exploitation technology. These articles include - Engineering in Reverse: Subverting PatchGuard Version 2, Engineering in Reverse: Locreate: An Anagram for Relocate, Exploitation Technology: Exploiting 802.11 Wireless Driver Vulnerabilities on Windows. PDFs of all articles and related code are included in this tarball.
77ce1bc8aec65cc4a56356bef955197cab0127a53332ee6046b934865b61016f
The Intel 2200BG card suffers from a race condition vulnerability. Proof of concept code included.
52fece9a4bfaaa83265054f29f2318eb916e0cfd1bd0d159da6c9810cca9d699
This Metasploit module exploits a stack overflow in the Broadcom Wireless driver that allows remote code execution in kernel mode by sending a 802.11 probe response that contains a long SSID. The target MAC address must be provided to use this exploit. The two cards tested fell into the 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.
2ff6d29125b46d296be9c00aba6e22b7ec7b8b26fb33105084e75a05c8cc0a55
This Metasploit module exploits a stack overflow in the A5AGU.SYS driver provided with the D-Link DWL-G132 USB wireless adapter. This stack overflow allows remote code execution in kernel mode. The stack overflow is triggered when a 802.11 Beacon frame is received that contains a long Rates information element. This exploit was tested with version 1.0.1.41 of the A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, but D-Link does not offer an updated driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:11:95:f2:XX:XX.
5245f37a2a49581c658dd9bdd9e766576bf78b633852da860acdc8bc666fa469
shadowmac is a kernel patch for spoofing MAC addresses under Mac OS X. It works even if the device does not support the IOCTL via rewriting the MAC on the wire as packets go out and the reverse when they come in.
77d15ab51734337202aee04137fe18a425cafc515df7a8724e5c9bf2c4c2d3f3
jc-wepcrack is a distributed WEP cracker. It uses its own sockets-based protocol for communication. It can easily be installed on a lab or your own cluster. It supports any key size. Other features include the ability to save/restore the state of the server to disk and a fancy ncurses interface. It is architecture neutral, and was co-developed on a G4 Powerbook and an x86 Linux machine. If you only have one machine, it will still run.
9949fc7d342fb9a771aefaff3c401081b8bdb28cef459ac144145a7d1368d2b0