As the otherwise simple one-line-patch to fix the buffer overflow in aircrack-ng/airodump-ng/airdecap-ng/airbase-ng has actually been screwed up, I decided to have some more fun with the aircrack-ng.
I’ve just put a new tool into svn that serves as a honeypot for vulnerable versions of airodump-ng and all the other tools. It creates a faked WiFi-network that crashes all airodump-ng session on the air and also causes the aircrack-tools to crash when trying to parse the resulting dump file.
From the code’s comments:
The tool uses packet injection to setup a fake IEEE802.11-network with one Access-Point and one Station. To attract people to our faked network, some data-traffic is also generated. From time to time the “Station” sends a EAPOL-confirmation to the “Access-Point” that corrupts airodump-ng’s memory structures to either crash it immediately or print false information to the user (handshake is shown as if being completed). Aircrack-ng will immediately crash when trying to parse the generated dump-file as the exploit-payload overwrote the size-field of the EAPOL-packet in memory (causing aircrack-ng to compute the EAPOL-MIC over huge, invalid memory regions).
I am also still 90% sure that one can use the heap corruption in airodump-ng for remote code execution…
Hint: The change that was made in aircrack-ng to fix the EAPOL-parsing checks if the self-proclaimed packet-size is larger than the real packet-size. If a packet correctly states that it will overflow the buffer allocated by any of the aircrack-ng tools, the latest svn version still simply does so…
Leave a comment
No comments yet.