CVE-2006-5972
published 2006-11-18

CVE-2006-5972: Stack-based buffer overflow in WG111v2.SYS in NetGear WG111v2 wireless adapter (USB) allows remote attackers to execute arbitrary code via a long 802.11 beacon…

Priority: P261 · Severity: critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 19.31% (97.0th percentile)
Stack-based buffer overflow in WG111v2.SYS in NetGear WG111v2 wireless adapter (USB) allows remote attackers to execute arbitrary code via a long 802.11 beacon request.

Affected (1 range)

Vendor    Product          Version range    Fixed in
netgear   wg111v2_driver

Detection & IOCs (extracted from sources)

filename: WG111v2.SYS
version: WG111v2.SYS 5.1213.6.316
other: 0x80502d7f
other: 0x804ed5cb
bytes: \x81\xC4\x54\xF2\xFF\xFF
  • Trigger condition: 802.11 Beacon frame containing more than 1100 bytes worth of information elements. Monitor for anomalously large beacon frames exceeding this threshold.
  • The exploit overwrites the return address at offset 1101 within the information elements buffer. A crafted beacon with a 4-byte kernel address (jmp esp gadget) at IE offset 1101 is a strong indicator of exploitation.
  • A secondary jump stub (push 0x39 / pop eax / add edi,eax / jmp edi) is embedded at IE offset 1113 in the exploit beacon. Detect this byte sequence in 802.11 beacon IEs.
  • The exploit targets clients in a non-associated (scanning) state; all cards within RF range are affected. Anomalous beacon floods from a single source MAC should be investigated.
  • The exploit uses a broadcast destination MAC (FF:FF:FF:FF:FF:FF) by default. Beacon frames with oversized IEs sent to broadcast are a key detection signal.
  • The exploit requires the victim's WG111v2 USB adapter to be in a non-associated (scanning) state. Associated clients are not affected.
  • The Metasploit module depends on the Lorcon2 library and only functions on Linux with a supported wireless card; it cannot be launched from Windows.
  • Exploitation timing is non-deterministic; the payload can take up to a minute to execute depending on system activity.
  • Return addresses (ROP gadgets) are hardcoded per Windows XP SP2 build; the two supported targets are 5.1.2600.2122 (GDR) and 5.1.2600.2180 (RTM), both paired with WG111v2.SYS 5.1213.6.316.
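The trigger condition above (more than 1100 bytes of information elements in a beacon, typically sent to the broadcast address, possibly flooded from one source MAC) can be checked mechanically. The following is an added example written for this page, not code from the CVE sources or any vendor tool: it parses raw 802.11 beacon frames (the radiotap header is assumed to have been stripped already), measures the IE payload against the 1100-byte threshold, and tallies beacons per source MAC. The sample frames are constructed inline with zero-filled vendor-specific IEs.

```python
"""Flag oversized 802.11 beacon frames (the CVE-2006-5972 trigger condition)."""
import struct
from collections import Counter

IE_THRESHOLD = 1100   # advisory: >1100 bytes of IEs overflows the WG111v2.SYS buffer
HDR_LEN = 24          # frame control, duration, addr1-3, sequence control
FIXED_LEN = 12        # timestamp, beacon interval, capability info
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def inspect_beacon(frame):
    """Parse a raw beacon (no radiotap) and return the facts a detector needs."""
    if len(frame) < HDR_LEN + FIXED_LEN or frame[0] != 0x80:
        return None                       # not a management/beacon frame
    ies = frame[HDR_LEN + FIXED_LEN:]
    count, pos, truncated = 0, 0, False
    while pos < len(ies):                 # walk the id/len/value TLV chain
        if pos + 2 > len(ies) or pos + 2 + ies[pos + 1] > len(ies):
            truncated = True              # length field runs past the frame
            break
        pos += 2 + ies[pos + 1]
        count += 1
    return {
        "src": mac(frame[10:16]),
        "dst_broadcast": mac(frame[4:10]) == BROADCAST,
        "ie_bytes": len(ies),
        "ie_count": count,
        "truncated_ie": truncated,
        "oversized": len(ies) > IE_THRESHOLD,
    }

def build_beacon(src, ies, dst=b"\xff" * 6):
    """Constructed test input only: minimal beacon header + fixed params + IEs."""
    hdr = b"\x80\x00" + b"\x00\x00" + dst + src + src + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)   # timestamp, interval, capabilities
    return hdr + fixed + ies

def flag_frames(frames):
    """Return (alerts, beacons-per-source) for a list of raw frames."""
    per_src, alerts = Counter(), []
    for f in frames:
        r = inspect_beacon(f)
        if r is None:
            continue
        per_src[r["src"]] += 1
        if r["oversized"] or r["truncated_ie"]:
            alerts.append(r)
    return alerts, per_src
```

A real deployment would feed `flag_frames` from a monitor-mode capture and alert on `oversized` hits or an unusual `per_src` count; the threshold is the one the advisory gives, so a frame can be large but still legitimate only below it.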