CVE-2011-1591

Wireshark 1.4.x < 1.4.5 - Stack-Based Buffer Overflow in DECT Dissector


Exploitation Summary

EIP tracks 6 public exploits for CVE-2011-1591. PoCs published by Metasploit, sickness, ipv, including Metasploit module exploits/windows/misc/wireshark_packet_dect.

AI-analyzed exploit summary: This Metasploit module exploits a stack buffer overflow in Wireshark <= 1.4.4 by sending a malicious packet. It uses ROP gadgets to bypass DEP and ASLR, achieving remote code execution.

Description

Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.

Exploits (6)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/17195

This Metasploit module exploits a stack buffer overflow in Wireshark <= 1.4.4 by sending a malicious packet. It uses ROP gadgets to bypass DEP and ASLR, achieving remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Wireshark <= 1.4.4
No auth needed
Prerequisites: Network access to the target running a vulnerable version of Wireshark
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/17186

This exploit leverages a stack buffer overflow in Wireshark <= 1.4.4 by crafting a malicious .pcap file. It bypasses DEP and ASLR using ROP gadgets to achieve arbitrary code execution on Windows systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Wireshark <= 1.4.4
No auth needed
Prerequisites: Victim must open the malicious .pcap file in Wireshark
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by sickness · python · local · windows
https://www.exploit-db.com/exploits/17185

This exploit targets a buffer overflow vulnerability in Wireshark versions 1.4.1-1.4.4 by crafting a malicious .pcap file. The payload includes shellcode and NOP sleds to achieve remote code execution on systems with DEP disabled.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wireshark 1.4.1-1.4.4
No auth needed
Prerequisites: DEP disabled on target system · Wireshark version 1.4.1-1.4.4
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC
by ipv · python · remote · linux
https://www.exploit-db.com/exploits/18145

This exploit leverages a stack-based buffer overflow in Wireshark's DECT dissector (CVE-2011-1591) to achieve remote code execution via ROP chains and shellcode execution, bypassing NX/ASLR protections.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Wireshark <= 1.4.4
No auth needed
Prerequisites: Network access to target running vulnerable Wireshark version · Scapy library for packet crafting
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GOOD
by Paul Makowski, sickness · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/wireshark_packet_dect.rb

This Metasploit module exploits a stack buffer overflow in Wireshark <= 1.4.4 by sending a malicious packet. It uses ROP gadgets to bypass DEP and ASLR, achieving remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Wireshark <= 1.4.4
No auth needed
Prerequisites: Network access to the target running Wireshark · Wireshark configured to capture packets
devstral-2 · analyzed Feb 19, 2026

metasploit · WORKING POC · GOOD
by Paul Makowski, sickness · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/wireshark_packet_dect.rb

This Metasploit module exploits a stack buffer overflow in Wireshark <= 1.4.4 by crafting a malicious .pcap file. It uses ROP gadgets to bypass DEP and ASLR, achieving arbitrary code execution when the file is opened.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Wireshark <= 1.4.4
No auth needed
Prerequisites: Vulnerable version of Wireshark installed · Ability to deliver malicious .pcap file to target
devstral-2 · analyzed Feb 16, 2026

References (20)

Core References
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/17185
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/66834
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:083
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058900.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058993.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/17195
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2011/04/18/8
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15000
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058983.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44374
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/71848
Various Sources x_refsource_confirm
http://www.wireshark.org/security/wnpa-sec-2011-06.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44172
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1025389
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/1022
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/243670
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2011/04/18/2
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/1106

Scores

EPSS 0.4174
EPSS Percentile 98.5%

Details

CWE: CWE-119
Status: published
Products (5)
wireshark/wireshark 1.4.0
wireshark/wireshark 1.4.1
wireshark/wireshark 1.4.2
wireshark/wireshark 1.4.3
wireshark/wireshark 1.4.4
Published Apr 29, 2011
Tracked Since Feb 18, 2026