NetGear MA521 Wireless Driver Long Rates Overflow

This module exploits a buffer overflow in the NetGear MA521 wireless device driver under Windows XP. When a specific malformed frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a NetGear MA521 Cardbus adapter. A remote code execution module is also in development. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.

Search Other Modules

Rank

• Normal

Authors

• Laurent Butti < 0x9090 [at] gmail.com >

Vulnerability References

• CVE-2006-6059
• OSVDB-30507
• http://projects.info-pull.com/mokb/MOKB-18-11-2006.html
• ftp://downloads.netgear.com/files/ma521_1_2.zip

Development

• Source Code
• History

Similar Modules

• auxiliary/dos/wifi/apple_orinoco_probe_response
• auxiliary/dos/wifi/cts_rts_flood
• auxiliary/dos/wifi/deauth
• auxiliary/dos/wifi/fakeap
• auxiliary/dos/wifi/file2air
• auxiliary/dos/wifi/netgear_wg311pci
• auxiliary/dos/wifi/probe_resp_null_ssid
• auxiliary/dos/wifi/ssidlist_beacon
• auxiliary/dos/wifi/wifun

Usage Information

Module Options