I presumed that if faulty firmware can be 'fuzzed' to produce exploits then one of those
exploits could be overwriting the firmware on the card itself.
I don't see how big of a difference it would be to find an exploitable hole in an OS driver or
firmware for a network card and then write new firmware, as long as it is possible for the
OS or card itself to write new firmware.
(Kinda interesting because that 'open' firmware code is something that RMS and his fan club
have been clamoring for if the card itself is writable. Open firmware could be required to
produce effective defenses against these sorts of attacks.)
And it's common for wireless drivers to have loadable firmware anyways (more sophisticated
wired Ethernet cards shouldn't be too far behind), so if you get system access then you could
hack the card's firmware (either in a file on Linux or embedded in the driver binary for
Windows) to do all sorts of nasty stuff. That way, depending on your goal (say you want
network access, but you don't care about 'owning' the access point), you could stealthily
introduce a firmware hack that would allow you to get WPA keys, sniff traffic, or something
like that if you send a specially crafted packet.