I have already found the bug behind the first overflow.
To avoid it you have to modify line 858 of wlaninject.c, where the bssid variable is declared.
Originally
Code:
char bssid[17];
It has to be changed to
Code:
char bssid[18];
It was one byte short for storing the string terminator, so the statement at line 890
Code:
strncpy(bssid, optarg, 18);
caused an overflow. Now it no longer happens there, but somewhere else:

Code:
wlaninject 0.7 - (c) 2006 nilp0inter2k6_at_gmail.com
------------> http://www.rusoblanco.com <------------
[+] BSSID: 00:16:38:XX:XX:XX
[+] Modelo: Comtrend 536+
[+] ESSID: WLAN_XX
[+] Progreso: 1% *** buffer overflow detected ***: ./wlaninject terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f2b6d8]
/lib/tls/i686/cmov/libc.so.6[0xb7f29800]
/lib/tls/i686/cmov/libc.so.6[0xb7f28ef8]
/lib/tls/i686/cmov/libc.so.6(__overflow+0x53)[0xb7e9f543]
/lib/tls/i686/cmov/libc.so.6(_IO_vfprintf+0x4c3a)[0xb7e755fa]
/lib/tls/i686/cmov/libc.so.6(__vsprintf_chk+0xa4)[0xb7f28fa4]
/lib/tls/i686/cmov/libc.so.6(__sprintf_chk+0x2d)[0xb7f28eed]
./wlaninject[0x804a53c]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e47685]
./wlaninject[0x8049551]
Cancelado
Any help is welcome
... I have already added the download link to the wlaninject sticky
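Added example (not wlaninject's code) showing why a colon-separated BSSID such as 00:16:38:XX:XX:XX needs an 18-byte buffer, and how to copy it from optarg and format it with snprintf so neither the strncpy off-by-one nor the __sprintf_chk abort above can occur. The names copy_bssid and format_bssid and the xx:xx:xx:xx:xx:xx form are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define BSSID_LEN 17              /* "00:16:38:aa:bb:cc" is 17 visible chars */
#define BSSID_BUF (BSSID_LEN + 1) /* plus the terminating NUL: 18 bytes      */

/* Copy a user-supplied BSSID (e.g. optarg) into dst[BSSID_BUF].
 * Returns 0 on success, -1 if src is not exactly 17 chars or not of the
 * xx:xx:xx:xx:xx:xx form. A bare strncpy(dst, src, 18) would still leave dst
 * unterminated for inputs of 18 or more chars, so the length is checked
 * first (reading at most 18 bytes of src) and the NUL written explicitly. */
int copy_bssid(char dst[BSSID_BUF], const char *src)
{
    size_t n = 0;
    while (n < BSSID_BUF && src[n] != '\0')   /* bounded strlen */
        n++;
    if (n != BSSID_LEN)
        return -1;                             /* too short or too long */
    for (size_t i = 0; i < BSSID_LEN; i++) {
        if (i % 3 == 2) {                      /* positions 2,5,8,11,14 */
            if (src[i] != ':')
                return -1;
        } else if (!isxdigit((unsigned char)src[i])) {
            return -1;
        }
    }
    memcpy(dst, src, BSSID_LEN);
    dst[BSSID_LEN] = '\0';                     /* the byte bssid[17] lacked */
    return 0;
}

/* Format six raw MAC bytes into dst[BSSID_BUF]. snprintf is told the real
 * buffer size, so it truncates instead of overflowing; the return value is
 * the length the full string needs (17 here), which callers can check. */
int format_bssid(char dst[BSSID_BUF], const unsigned char mac[6])
{
    return snprintf(dst, BSSID_BUF, "%02x:%02x:%02x:%02x:%02x:%02x",
                    mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

int main(void)
{
    char bssid[BSSID_BUF];
    const unsigned char mac[6] = {0x00, 0x16, 0x38, 0xaa, 0xbb, 0xcc};
    if (copy_bssid(bssid, "00:16:38:aa:bb:cc") == 0)
        printf("[+] BSSID: %s\n", bssid);
    if (format_bssid(bssid, mac) == BSSID_LEN)
        printf("[+] BSSID: %s\n", bssid);
    return 0;
}
```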