module

Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow

Try Surface Command
Back to search
Disclosed
2010-01-27
Created
2018-05-30

Description

The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through
1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer
overflow. This bug found and reported by babi.

This particular exploit targets the dissect_getaddrsbyname_request function. Several
other functions also contain potentially exploitable stack-based buffer overflows.

The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents
exploitation via the return address on the stack. Sending a larger string allows
exploitation using the SEH bypass method. However, this packet will usually get
fragmented, which may cause additional complications.

NOTE: The vulnerable code is reached only when the packet dissection is rendered.
If the packet is fragmented, all fragments must be captured and reassembled to
exploit this issue.

Authors

babi
jduck jduck@metasploit.com
redsand

Platform

Linux,OSX,Windows

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


    msf > use exploit/multi/misc/wireshark_lwres_getaddrbyname
    msf exploit(wireshark_lwres_getaddrbyname) > show targets
        ...targets...
    msf exploit(wireshark_lwres_getaddrbyname) > set TARGET < target-id >
    msf exploit(wireshark_lwres_getaddrbyname) > show options
        ...show and set options...
    msf exploit(wireshark_lwres_getaddrbyname) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today