Kismet Wireless

Kismet Forums


Posted by: jsthyer
Subject: Software defect in
Date: 02:01:51 08/11/2013

The Metasploit Netgear stack overflow exploit detection at line 883 of will never be triggered, due to the chunk->length check at line 722. Since the beacon packet is being discarded there, the code at line 883 is never going to be executed. I would suggest changing this to a configurable global option or, as the code comment says, something that is driver dependent.

My temporary patch is to increase 512 to 1514.

Code snippets:

Line 722:
    if (chunk->length > 512) {
        packinfo->corrupt = 1;
        in_pack->insert(_PCM(PACK_COMP_80211), packinfo);
        return 0;
    }

Line 883:
    if (fc->subtype == packet_sub_beacon &&
        chunk->length >= 1184) {
        if (memcmp(&(chunk->data[1180]), "\x6a\x39\x58\x01", 4) == 0)
            _ALERT(msfnetgearbeacon_aref, in_pack, packinfo,
                   "MSF-style poisoned options in over-sized beacon for Netgear "
                   "driver attack");
    }

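The ordering problem described in the post, as an added example that is not Kismet's code and not the poster's patch: a small C model of the two checks, where the length cap runs first and the Netgear beacon check runs second. The constructed frame is a 1200-byte beacon body with the 4-byte marker from the detector placed at offset 1180; the filler bytes, the 1200-byte length and the beacon subtype constant (modelled on the 802.11 management subtype value 8) are assumptions of this example. Running the same frame through the model with the hard-coded 512 cap and with the poster's 1514 shows why the alert can only fire once the cap is raised or made configurable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 management-frame subtype for a beacon (type 0, subtype 8).
 * Stands in for Kismet's packet_sub_beacon in this model. */
#define SUB_BEACON 8

/* Modelled outcome of one dissector pass. */
enum outcome { OUT_OK = 0, OUT_CORRUPT = 1, OUT_ALERT = 2 };

struct chunk {
    const uint8_t *data;
    size_t length;
};

/* Modelled dissector path: the length cap (line 722 in the post) runs first
 * and discards the frame; the Netgear beacon check (line 883) only runs for
 * frames that survive it. max_len stands in for the hard-coded 512 and for
 * the configurable / driver-dependent limit the poster proposes. */
enum outcome dissect(const struct chunk *c, int subtype, size_t max_len)
{
    if (c->length > max_len)
        return OUT_CORRUPT;   /* frame marked corrupt; nothing below executes */

    if (subtype == SUB_BEACON && c->length >= 1184 &&
        memcmp(&c->data[1180], "\x6a\x39\x58\x01", 4) == 0)
        return OUT_ALERT;     /* MSF-style poisoned options in an over-sized beacon */

    return OUT_OK;
}

/* Constructed test frame (assumption of this example): an over-sized beacon
 * body of 1200 bytes with the detector's 4-byte marker at offset 1180. The
 * filler value is arbitrary; only the length and the marker matter here. */
#define FRAME_LEN 1200
static size_t build_oversized_beacon(uint8_t *buf, size_t buflen)
{
    if (buflen < FRAME_LEN)
        return 0;
    memset(buf, 0xdd, FRAME_LEN);
    memcpy(&buf[1180], "\x6a\x39\x58\x01", 4);
    return FRAME_LEN;
}

/* Run the constructed beacon through the modelled dissector with a given cap. */
enum outcome run_scenario(size_t max_len)
{
    uint8_t buf[FRAME_LEN];
    struct chunk c;
    c.data = buf;
    c.length = build_oversized_beacon(buf, sizeof buf);
    return dissect(&c, SUB_BEACON, max_len);
}

/* A short, ordinary beacon body (constructed) must pass both checks silently. */
enum outcome run_normal_beacon(void)
{
    uint8_t buf[128];
    struct chunk c;
    memset(buf, 0x00, sizeof buf);
    c.data = buf;
    c.length = sizeof buf;
    return dissect(&c, SUB_BEACON, 512);
}

int main(void)
{
    printf("cap 512  -> %s\n", run_scenario(512)  == OUT_ALERT ? "alert" : "discarded, no alert");
    printf("cap 1514 -> %s\n", run_scenario(1514) == OUT_ALERT ? "alert" : "discarded, no alert");
    printf("normal   -> %s\n", run_normal_beacon() == OUT_OK   ? "ok"    : "unexpected");
    return 0;
}
```

With the cap at 512 the constructed frame is returned as corrupt before the marker is ever inspected; with the cap at 1514 the same frame reaches the second check and the alert fires. Any cap below 1184 has the same effect as 512, which is why the check cannot be satisfied as the code stands and why the limit belongs in configuration rather than in a literal.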