Apple Airport 802.11 Probe Response Kernel Memory Corruption | Metasploit Exploit Database (DB)

The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values.
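The bounds checks a receiver needs before it touches the data after the fixed-length header, as an added example (not code from the Metasploit module or the Apple driver). It assumes a raw frame that starts at the frame control field, with no radiotap header or FCS; the function names, the verdict enum and the sample bytes are hypothetical. It also goes slightly beyond the description by requiring the mandatory SSID element.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MGMT_HDR_LEN    24  /* 802.11 management MAC header */
#define PROBE_FIXED_LEN 12  /* timestamp(8) + beacon interval(2) + capability(2) */
enum verdict { PR_OK, PR_NOT_PROBE_RESP, PR_TRUNCATED, PR_NO_IES, PR_IE_OVERRUN, PR_BAD_SSID };

/* Validate a raw probe response before any field after the header is used. */
enum verdict check_probe_response(const uint8_t *f, size_t len)
{
    size_t off = MGMT_HDR_LEN + PROBE_FIXED_LEN;
    int saw_ssid = 0;
    if (len < 2 || (f[0] & 0xFC) != 0x50)  /* type 0 (mgmt), subtype 5 */
        return PR_NOT_PROBE_RESP;
    if (len < off)
        return PR_TRUNCATED;               /* fixed-length header incomplete */
    if (len == off)
        return PR_NO_IES;                  /* nothing after the fixed header */
    while (off < len) {
        if (len - off < 2)
            return PR_IE_OVERRUN;          /* element id with no length byte */
        size_t ie_len = f[off + 1];
        if (ie_len > len - off - 2)
            return PR_IE_OVERRUN;          /* declared length runs past frame */
        if (f[off] == 0) {                 /* element id 0 = SSID */
            if (ie_len > 32)
                return PR_BAD_SSID;        /* SSID is at most 32 octets */
            saw_ssid = 1;
        }
        off += 2 + ie_len;
    }
    return saw_ssid ? PR_OK : PR_BAD_SSID; /* SSID element is mandatory */
}

/* Constructed sample: zeroed header and fixed fields, then n bytes of `ies`. */
enum verdict check_sample(const uint8_t *ies, size_t n)
{
    uint8_t buf[MGMT_HDR_LEN + PROBE_FIXED_LEN + 64] = { 0x50 };
    if (n > 64) n = 64;
    if (n) memcpy(buf + MGMT_HDR_LEN + PROBE_FIXED_LEN, ies, n);
    return check_probe_response(buf, MGMT_HDR_LEN + PROBE_FIXED_LEN + n);
}

int main(void)
{
    printf("verdict=%d\n", check_sample((const uint8_t *)"\xAA\xFF\x41\x41", 4));
    return 0;
}
```

A frame that fails any of these checks is dropped before its contents are copied anywhere, which also makes the verdict usable as a detection signal on a monitoring sensor.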

Rank

  • Normal

Authors

  • hdm < hdm [at] metasploit.com >

Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use auxiliary/dos/wifi/apple_orinoco_probe_response
msf auxiliary(apple_orinoco_probe_response) > set ADDR_DST [STRING]
msf auxiliary(apple_orinoco_probe_response) > run


Module Options

  • ADDR_DST: The MAC address of the target system
  • CHANNEL: The initial channel (default: 11)
  • COUNT: The number of frames to send (default: 2000)
  • DRIVER: The name of the wireless driver for lorcon (default: autodetect)
  • INTERFACE: The name of the wireless interface (default: wlan0)
  • VERBOSE: Enable detailed status messages
  • WORKSPACE: Specify the workspace for this module