I was reading about Wireshark vulnerabilities that could cause a DoS or buffer overflow. I downloaded the pcap associated with one of the vulnerabilities and read it using a vulnerable Wireshark version 1.2.6. Sure enough, it caused Wireshark to display a gray screen and upon trying to close it, it displayed the following:
I was interested in finding the record(s) that caused the crash by methodically selecting given ranges of the records and narrowing down the problem records(s). At first I thought of using tcpdump to select some records and write only those records to a new output file and reading the new output file into Wireshark. Doing this using tcpdump is not possible because it has a command line switch (-c) that allows you to specify the number of records you want to read, but always begins reading at the first record. So, I wrote a small Python/Scapy program that would allow me to select the starting and ending records from the pcap, write the selected records to a Python list, feed the records into Wireshark and observe whether or not it crashed. It didn’t take me long to find the problem record.
Here is the program I used:
from scapy.all import *
import sys
recs=rdpcap("/tmp/fuzz-2010-06-02-11020.pcap")
lrecs=len(recs)
outrecs=[ ]
start=int(sys.argv[1])-1
end=int(sys.argv[2])-1
if (end >=lrecs):
....print "End value greater than number of pcap records"
....sys.exit()
x=start
while (x <= end):
....outrecs.append(recs[x])
....x=x+1
wireshark(outrecs)
There really isn’t much to it and there is only one statement that uses Scapy. The program starts by importing the Scapy and Python modules required for the program. I stored the downloaded pcap from http://www.wireshark.org/download/automated/captures/fuzz-2010-06-02-11020.pcap in file /tmp/fuzz-06-02-11020.pcap and used the Scapy “rdpcap” to read the pcap into a Python list named “recs”. Next, I created an empty Python list called “outrecs” to stored the user selected records.
The next block of code simply takes two command line arguments and stores the first in an integer named “start” and the second into an integer named “end”. This is the range of records to select and feed into Wireshark. Then there is a check to make sure that the value of the last record selected is less than or equal to the number of records in the pcap. Note, I've used periods to represent spaces since Python requires indentation after the "if" statement and the "while" statement. I did this because the spaces I tried to use were removed by the HTML formatting of the blog software - sorry.
The next block of code creates a loop to read through the list of pcap records and select and append the ones that fall in the user-supplied range into the output list “outrecs”. Scapy has a built-in functionality to invoke Wireshark. The selected records are fed into Wireshark. With a little trial and error, you can discover which record causes the DoS.
My challenge to you is to tell me the record number that causes Wireshark to crash. Make sure you have Scapy installed . Also, make sure that you have a vulnerable version of Wireshark (versions 0.8.20 through 1.2.8) and make sure to supply to “rdpcap” the file location where you stored the downloaded pcap http://www.wireshark.org/download/automated/captures/fuzz-2010-06-02-11020.pcap. There are 704 records in the pcap so that's the upper bounds for the input range.
I stored the Python program in a file named “find-badrec.py”. Now, suppose I want to test to see if the bad record falls in the range of records from 1-10, I’d run it from the command line using:
python find-badrec.py 1 10
The program displays the following Wireshark output and does not crash. I would close Wireshark and press CTRL-C to stop the Scapy program to try again with a different range of values.
Time is running out to sign up for my Scapy course at SANS Network Security in Las Vegas. I cover reading, writing, and altering pcaps using Scapy along with a bunch of other very useful features of Scapy. If you’re already taking a multi-day track at the conference, I’m teaching the one-day course after these end.
This course is a nice complement to SEC503 “Intrusion Detection In-Depth”, SEC502 “Perimeter Detection In-Depth”, SEC504 “Hacker Techniques, Exploits & Incident Handling”, and SEC560 “Network Penetration Testing and Ethical Hacking”. These are just some tracks where you can use Scapy as an additional tool to implement what you’ve learned. I hope to see you there!