Wireshark exploit from Defcon 20 CTF

Posted by morgothan on Wednesday, August 8. 2012 in Code, Pentest

First let me start by saying I did not find this, nor did I do any of the heavy lifting in making this. All of that was the guys at NYU Poly ISIS Lab.

That being said, I always get a little excited whenever a new Wireshark exploit comes out.  Sometimes when I am conducting an internal pentest I get a network admin with the mentality of a Stasi.  They sit there with Wireshark running, monitoring my port, looking for any hint of malicious traffic. As soon as they see something they flag us as "caught" and put a stop to the pentest.  So having a collection of Wireshark exploits is helpful in stopping the network admins and allowing me to continue my work unimpeded.  As such I "weaponized" the code from the NYU Poly ISIS Lab blog post to make my life easier.
The only real changes are that the packet gets sent every second, I hard-coded the IPv6 link-local all-nodes multicast group at FF02::1, and I took out the writing of the pcap file.  It should also be noted that if for some reason you need to run this over IPv4 you can change "packet=IPv6(" to "packet=IP(" and change the dst="FF02::1" to your local broadcast and it will still work.  Although, as long as your machine can write an IPv6 packet and the Wireshark machine can read it, it doesn't matter if they are running IPv6 on the network.

If you know the admin's IPv6 address you can change the FF02::1 address to it so you are only targeting him.
Otherwise just leave it as is and it will get sent to everyone local who is talking IPv6.

Either way, just run it and Wireshark should crash, leaving you free to finish your pentest.
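From the monitoring side, the two fixed traits described above (one packet per second, destination FF02::1) stand out in flow or capture metadata without dissecting any payload. The following is an added example, not code from the original post or from NYU Poly ISIS Lab; the function name, thresholds and sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

ALL_NODES = ipaddress.ip_address("ff02::1")  # IPv6 link-local all-nodes group

def periodic_senders(records, watched=(ALL_NODES,), period=1.0,
                     tolerance=0.1, min_packets=5):
    """Return {src: packet_count} for sources that send to a watched
    destination at a steady cadence of `period` seconds.

    records: iterable of (timestamp_seconds, src, dst) metadata rows.
    """
    watched = {ipaddress.ip_address(str(w)) for w in watched}
    times = defaultdict(list)
    for ts, src, dst in records:
        try:
            # Normalise so "FF02::1" and "ff02::1" compare equal.
            if ipaddress.ip_address(dst) in watched:
                times[src].append(float(ts))
        except ValueError:
            continue  # malformed address field in the export; skip the row
    flagged = {}
    for src, stamps in times.items():
        if len(stamps) < min_packets:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        steady = sum(abs(g - period) <= tolerance for g in gaps)
        # Median guards against one long pause; the 80% rule against jitter.
        if abs(median(gaps) - period) <= tolerance and steady >= 0.8 * len(gaps):
            flagged[src] = len(stamps)
    return flagged

# Constructed sample rows (not real traffic):
SAMPLE = (
    # steady one-second sender to the all-nodes group
    [(100.0 + i + 0.01 * (i % 3), "fe80::a", "FF02::1") for i in range(10)]
    # irregular all-nodes sender, e.g. a router's periodic announcements
    + [(t, "fe80::1", "ff02::1") for t in (100.0, 310.5, 742.0, 1190.2, 1503.9)]
    # steady sender, but to a destination that is not watched
    + [(100.0 + i, "fe80::b", "ff02::2") for i in range(10)]
    + [(105.0, "fe80::c", "not-an-address")]
)

if __name__ == "__main__":
    print(periodic_senders(SAMPLE))
```

For the IPv4 variant the post mentions, pass the subnet's broadcast address in `watched`.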
