Aircrack-ng still vulnerable / honeypot

As the otherwise simple one-line-patch to fix the buffer overflow in aircrack-ng/airodump-ng/airdecap-ng/airbase-ng has actually been screwed up, I decided to have some more fun with the aircrack-ng.

I’ve just put a new tool into svn that serves as a honeypot for vulnerable versions of airodump-ng and all the other tools. It creates a faked WiFi-network that crashes all airodump-ng session on the air and also causes the aircrack-tools to crash when trying to parse the resulting dump file.

From the code’s comments:

The tool uses packet injection to setup a fake IEEE802.11-network with one Access-Point and one Station. To attract people to our faked network, some data-traffic is also generated. From time to time the “Station” sends a EAPOL-confirmation to the “Access-Point” that corrupts airodump-ng’s memory structures to either crash it immediately or print false information to the user (handshake is shown as if being completed). Aircrack-ng will immediately crash when trying to parse the generated dump-file as the exploit-payload overwrote the size-field of the EAPOL-packet in memory (causing aircrack-ng to compute the EAPOL-MIC over huge, invalid memory regions).

I am also still 90% sure that one can use the heap corruption in airodump-ng for remote code execution…

Hint: The change that was made in aircrack-ng to fix the EAPOL-parsing checks if the self-proclaimed packet-size is larger than the real packet-size. If a packet correctly states that it will overflow the buffer allocated by any of the aircrack-ng tools, the latest svn version still simply does so…

Leave a comment

No comments yet.

Comments RSS TrackBack Identifier URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

  • RSS Unknown Feed

    • An error has occurred; the feed is probably down. Try again later.