blkph0x / CVE_2024_30078_POC_WIFI

basic concept for the latest windows wifi driver CVE
236 stars, 69 forks

Unable to reproduce #1

Closed zhefox closed 3 months ago

zhefox commented 3 months ago

Is there something wrong with the MAC address? When it starts with 01:00:00:00:01, it seems that Windows cannot recognize the WiFi. I changed the address prefix to 00:11:22 and the iPhone can find it, but the Win11 device's network card still cannot find the WiFi.

zhefox commented 3 months ago

But I think this may not have much impact. If the vulnerability is due to the SSID being out of bounds, the device only needs to scan for the SSID and handle it. But it seems that my SSID, given a length of 7*255, did not cause the Win11 machine (with the June patch uninstalled) to crash. Did the author reproduce it on Win10 or Win7?

blkph0x commented 3 months ago

Windows 11. I might add the other script for this, as this one is a little redacted just so some kid doesn't just DoS his whole WiFi reach. The observed issue on Windows 11 is that the WiFi tab in the taskbar will stop responding, and switching the device on and off from the taskbar does nothing. It seems like a soft crash somewhere; I'm trying to reverse the issue, but it's hard to find the crash without knowing what is crashing.

h4kuy4 commented 3 months ago

I have tried to run this script, and it does not work either. My Windows computer can see the SSID if its length is shorter than 32 bytes, but if the length is larger than 32, nothing happens and the WiFi tab still works. I also tried to debug the wlansvc service (wlansvc.dll); the SSID is not found in the functions that process the scan results if it is longer than 32 bytes. Maybe I analysed the wrong file 😢. I'm not sure whether the vuln is in wlansvc. Did your wlansvc break when testing the script?

blkph0x commented 3 months ago

I'm happy to work with you on this; I've just been busy with work. If you can screenshot what you're looking at, I'll have a dig in that area. Are you using kernel-mode debugging?

blkph0x commented 3 months ago

You also won't see the SSID if it's more than 32 chars long, as the final process will only allow it to be 32 long under the WiFi standards. This is attacking a buffer in the Windows WiFi driver that is set to 512, so sending the fragmented packets to grow the SSID over 512 is what we need to do, but it should not show an SSID once it is over 32 chars.
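
The 32-byte SSID limit and the 512-byte driver buffer mentioned above, as an added defender-side example that is not part of the PoC repository or this thread: a small checker that parses the tagged-parameter list of a beacon or probe-response body and flags SSID elements that exceed the standard limit, or that together exceed 512 bytes. It assumes raw frame-body bytes as input (for instance from a capture), treats repeated SSID elements in one body as the aggregation case, and takes the 512 figure from the thread without verifying it against the driver.

```python
from typing import Dict, List, Tuple

SSID_ELEMENT_ID = 0        # IEEE 802.11 element ID for the SSID element
SSID_MAX_LEN = 32          # maximum SSID length allowed by the standard
DRIVER_BUFFER_LIMIT = 512  # buffer size quoted in the thread (assumption, not verified here)


def parse_elements(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the (ID, length, value) list of a frame body; a truncated
    element is returned as-is and ends the walk."""
    elements: List[Tuple[int, bytes]] = []
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        elements.append((eid, value))
        if len(value) < length:  # declared length runs past the end: malformed
            break
        i += 2 + length
    return elements


def check_ssid(body: bytes) -> Dict[str, object]:
    """Report how many SSID elements the body carries, their total length,
    and which limits they violate (an empty list means the body looks sane)."""
    parts = [v for eid, v in parse_elements(body) if eid == SSID_ELEMENT_ID]
    total = sum(len(p) for p in parts)
    findings: List[str] = []
    if any(len(p) > SSID_MAX_LEN for p in parts):
        findings.append("ssid_element_over_32")
    if len(parts) > 1:
        findings.append("repeated_ssid_elements")
    if total > DRIVER_BUFFER_LIMIT:
        findings.append("ssid_total_over_512")
    return {"parts": len(parts), "total": total, "findings": findings}


# Constructed sample bodies (not captured traffic): a well-formed SSID followed
# by a Supported Rates element (ID 1), and a body carrying three 255-byte SSID
# elements, which is the shape a scan-result validator should reject.
NORMAL_BODY = bytes([0, 8]) + b"CorpWiFi" + bytes([1, 2, 0x82, 0x84])
OVERSIZED_BODY = (bytes([0, 255]) + b"A" * 255) * 3

if __name__ == "__main__":
    for name, body in (("normal", NORMAL_BODY), ("oversized", OVERSIZED_BODY)):
        print(name, check_ssid(body))
```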

h4kuy4 commented 3 months ago

I realized that I analysed in the wrong direction. I have to dig deeper into the driver layer, not the service layer.