security tools

KARMA Wireless Client Security Assessment Tools

KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or by using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.

KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID. So if a client looks for 'linksys', it is 'linksys' to them (even while it may be 'tmobile' to someone else). Operating in this fashion has revealed vulnerabilities in how Windows XP and MacOS X look for networks, so clients may join even if their preferred networks list is empty.
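The passive discovery step above (clients disclosing their preferred network list through directed Probe Requests) and the any-SSID responder it enables are both visible on the air to a defender. The following is an added example, not KARMA's own code: it parses minimal 802.11 Probe Request / Probe Response management frames and flags two things a wireless IDS would want to see: a client probing for many named networks, and a single transmitter (BSSID) answering probes with more than one SSID. The frames are constructed in the block (the MAC addresses, SSIDs and the threshold of three networks are all made up for the example); a real deployment would feed it frames from a monitor-mode capture instead.

```python
"""Passive analysis of 802.11 Probe Request / Probe Response frames.

Added example for illustration; the frames below are constructed test data,
not a capture, and the detection thresholds are arbitrary.
"""
import struct
from collections import defaultdict

MGMT = 0            # frame type: management
PROBE_REQ = 4       # management subtype: Probe Request
PROBE_RESP = 5      # management subtype: Probe Response
MAC_HDR_LEN = 24    # FC(2) + Duration(2) + Addr1..3(18) + SeqCtl(2)
PROBE_RESP_FIXED_LEN = 12  # Timestamp(8) + Beacon Interval(2) + Capability(2)
TAG_SSID = 0


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(subtype, dst, src, bssid, ssid):
    """Build a minimal management frame (constructed data for the example)."""
    fc = struct.pack("<H", (subtype << 4) | (MGMT << 2))
    hdr = fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    body = b""
    if subtype == PROBE_RESP:
        # zero timestamp, beacon interval 100 TU, capability: ESS + privacy
        body += b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    ssid_bytes = ssid.encode("utf-8")
    body += bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # Supported Rates element
    return hdr + body


def parse_mgmt_frame(frame):
    """Return addresses and SSID of a probe frame, or None for anything else."""
    if len(frame) < MAC_HDR_LEN:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT or subtype not in (PROBE_REQ, PROBE_RESP):
        return None
    addr1, addr2, addr3 = (mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]))
    off = MAC_HDR_LEN + (PROBE_RESP_FIXED_LEN if subtype == PROBE_RESP else 0)
    ssid = None
    while off + 2 <= len(frame):                 # walk the tagged parameters
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if len(value) < length:                  # truncated element: stop
            break
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")  # "" = wildcard probe
            break
        off += 2 + length
    return {"subtype": subtype, "dst": addr1, "src": addr2, "bssid": addr3, "ssid": ssid}


def analyze(frames, pnl_threshold=3):
    """Flag clients leaking a long preferred-network list and BSSIDs that
    answer with several different SSIDs (the KARMA-style behaviour)."""
    probes = defaultdict(set)      # client MAC -> directed SSIDs it asked for
    responses = defaultdict(set)   # responding BSSID -> SSIDs it claimed to be
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None:
            continue
        if f["subtype"] == PROBE_REQ and f["ssid"]:      # skip wildcard probes
            probes[f["src"]].add(f["ssid"])
        elif f["subtype"] == PROBE_RESP and f["ssid"] is not None:
            responses[f["src"]].add(f["ssid"])
    findings = []
    for client, ssids in sorted(probes.items()):
        if len(ssids) >= pnl_threshold:
            findings.append(("leaky-client", client, sorted(ssids)))
    for bssid, ssids in sorted(responses.items()):
        if len(ssids) > 1:
            findings.append(("multi-ssid-responder", bssid, sorted(ssids)))
    return findings


# Constructed sample traffic: two clients, one AP that answers everything,
# one AP that only answers for its own network. All addresses are made up.
BCAST = "ff:ff:ff:ff:ff:ff"
CLIENT_A, CLIENT_B = "02:00:00:00:00:01", "02:00:00:00:00:02"
AP_ANY, AP_HONEST = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
SAMPLE_FRAMES = [
    build_frame(PROBE_REQ, BCAST, CLIENT_A, BCAST, "linksys"),
    build_frame(PROBE_REQ, BCAST, CLIENT_A, BCAST, "tmobile"),
    build_frame(PROBE_REQ, BCAST, CLIENT_A, BCAST, "corp-guest"),
    build_frame(PROBE_REQ, BCAST, CLIENT_B, BCAST, "linksys"),
    build_frame(PROBE_REQ, BCAST, CLIENT_B, BCAST, ""),          # wildcard probe
    build_frame(PROBE_RESP, CLIENT_A, AP_ANY, AP_ANY, "linksys"),
    build_frame(PROBE_RESP, CLIENT_A, AP_ANY, AP_ANY, "tmobile"),
    build_frame(PROBE_RESP, CLIENT_B, AP_ANY, AP_ANY, "linksys"),
    build_frame(PROBE_RESP, CLIENT_A, AP_HONEST, AP_HONEST, "corp-guest"),
]

if __name__ == "__main__":
    for kind, who, ssids in analyze(SAMPLE_FRAMES):
        print(f"{kind}: {who} -> {', '.join(ssids)}")
```

Only the SSID element is extracted; the loop stops at the first truncated element rather than raising, so a malformed frame degrades to "no SSID" instead of crashing the monitor. Note that a legitimate multi-SSID access point normally uses a distinct BSSID per network, which is why a single transmitter answering with several SSIDs is worth an alert rather than a hard verdict.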

Currently, these releases are BYOX (Bring Your Own Exploits), although a number of client-side exploits have been written, tested and demonstrated within this framework. Some may be included in a future release. Automated agent deployment is also planned.

Viha MacOS X Wireless Tools

Viha is a project developing a suite of wireless auditing tools for MacOS X. So far, the only components developed are a custom AirPort driver for monitor mode packet capture, a framework for driver access and 802.11 packet deconstruction, and a command-line wireless network stumbler. Because OS X before 10.2 (Jaguar) doesn't allow us to dynamically unload/load the Apple AirPort driver, we require OS X 10.2 for now.

I am GPL'ing everything from the newer releases onward: the 0.0.1a release is binary-only, but the 0.0.2 releases will be under the GNU General Public License. To assist in using the driver in other projects, it will be available separately, while the "Tools" release includes everything else (including the driver).

The 0.0.1a release is a bugfix to correct a memory leak in IEEE80211Frame (thanks to Michael Rossberg (aziel@gmx.net) for reporting it; check out his awesome Aqua stumbler).

Shellcode

These are some payloads that I wrote for various code injection exploits over the years. They are being published here for educational and research purposes only.

MacOS X / PowerPC

Hacking MacOS X is fun! Here is some remote shellcode that reuses your existing connection to the vulnerable service for your shell. It peeks at the next four bytes from every socket in the process for the magic 4-byte key. Once found, a shell is launched on that socket.

Win32 / x86

Here is my original operating system and service pack independent Windows shellcode that I wrote back in April 2003 to exploit the Microsoft IIS WebDAV buffer overflow vulnerability. It finds the base of KERNEL32.DLL through the PEB (read about it in some VX article at the time, can't remember which) and uses a 32-bit hash function to look up the functions it needs, a method I read about in LSD's paper. While LSD used a "rol 5" hash, I used a "ror 13" rotate just to be different and because it was an unlucky number. My rotate-right-13-bits-and-accumulate hashing function has very few collisions over all the exports on Win2K, so it works pretty well. I contributed this code to the Metasploit project in May 2003 and the Metasploit Windows payloads still use some pieces of it.
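The hash described above is simple enough to reproduce exactly, and doing so is useful on the defensive side: the resulting 32-bit constants show up as immediates in payloads derived from this code, so an analyst who can compute them can recognise which API a blob is resolving. The following is an added Python example, not the shellcode from this page or Metasploit's code; it implements the rotate-and-accumulate hash with the rotation direction and amount as parameters so both the "ror 13" variant and LSD's "rol 5" can be computed, checks a name list for collisions, and walks a constructed (made-up) export table the way the resolver does, by comparing hashes rather than strings.

```python
"""Rotate-and-accumulate hashing of export names (added example).

name_hash("LoadLibraryA") with the default ror-13 gives 0xEC0E4E8E, the
constant seen in payloads that use this scheme. The export table at the
bottom is constructed for the example; its addresses are not real.
"""
MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """32-bit rotate right."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def rol32(value, bits):
    """32-bit rotate left."""
    return ((value << bits) | (value >> (32 - bits))) & MASK32


def name_hash(name, rotate=13, direction="ror"):
    """h = rotate(h) + next byte, over the ASCII export name (no terminator)."""
    rot = ror32 if direction == "ror" else rol32
    h = 0
    for byte in name.encode("ascii"):
        h = (rot(h, rotate) + byte) & MASK32
    return h


def hash_table(names, rotate=13, direction="ror"):
    """Map hash -> name, i.e. the lookup an analyst keeps to decode constants."""
    return {name_hash(n, rotate, direction): n for n in names}


def find_collisions(names, rotate=13, direction="ror"):
    """Return (name1, name2, hash) triples for distinct names hashing equal."""
    seen = {}
    collisions = []
    for n in names:
        h = name_hash(n, rotate, direction)
        if h in seen and seen[h] != n:
            collisions.append((seen[h], n, h))
        seen.setdefault(h, n)
    return collisions


def resolve_by_hash(exports, wanted_hash, rotate=13, direction="ror"):
    """Walk an export table comparing hashes, as the resolver does, and return
    the address of the matching name (None if no export matches)."""
    for name, address in exports.items():
        if name_hash(name, rotate, direction) == wanted_hash:
            return address
    return None


# Constructed export table with made-up addresses for the example.
FAKE_KERNEL32_EXPORTS = {
    "CreateFileA": 0x77E40000,
    "LoadLibraryA": 0x77E41000,
    "GetProcAddress": 0x77E42000,
    "ExitProcess": 0x77E43000,
}

if __name__ == "__main__":
    for n in FAKE_KERNEL32_EXPORTS:
        print(f"{n:16s} ror13={name_hash(n):08x} rol5={name_hash(n, 5, 'rol'):08x}")
    print("collisions:", find_collisions(list(FAKE_KERNEL32_EXPORTS)))
    print("LoadLibraryA at", hex(resolve_by_hash(FAKE_KERNEL32_EXPORTS, 0xEC0E4E8E)))
```

Pointed at a real DLL's export names, `find_collisions` is the quick way to measure the "very few collisions" claim for a given rotate amount, and `hash_table` over the same list turns a constant pulled from a disassembly back into an API name.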

Solaris / SPARC

Here is some old Solaris remote and local shellcode.

  • Solaris TCP Listen Remote Shellcode [ .s ] [ .h ]
  • Solaris Local Shellcode [ .s ] [ .h ]

OpenBSD / x86

  • toupper() clean Local Shellcode [ .h ]