
Wireshark is a lolbin

Posted by yuu


Forum: Da Slop Pit Group

If you haven't heard of lolbins check out: https://lolbas-project.github.io/

Wireshark is capable of running Lua scripts from the command line directly. The -X flag is for eXtension options, which focus primarily on running Lua scripts. Since the Lua engine is used to run dissectors, this should be part of your base Wireshark installation.

Command line options: https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html

To run a Lua script from the command line with Wireshark, simply append this to the end of the Wireshark command line options:

-X lua_script:C:\path\to\script.lua

The script's source can be the following:

os.execute('START /B C:\\Users\\user\\Documents\\myLegitBinary.exe')

There's a very limited number of Lua functions that are shipped with Wireshark, but os should do the trick for many things.

You can also attempt to load a DLL through Lua via the require keyword.

require "haha"

At the top of your script, it will attempt to find this file as both a Lua script and a DLL.

Why does this work?

In the base of your Wireshark install, there is a script called init.lua. Inside are these options:

-- Set enable_lua to false to disable Lua support.
enable_lua = true

-- If set and Wireshark was started as (setuid) root, then the user
-- will not be able to execute custom Lua scripts from the personal
-- configuration directory, the -Xlua_script command line option or
-- the Lua Evaluate menu option in the GUI.
run_user_scripts_when_superuser = true

You can set either of these to false for added security; they are both enabled by default. For more info check here: https://wiki.wireshark.org/Lua

POC TikTok here: https://vm.tiktok.com/ZTd4wXSAG/



0 Replies
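Added example, not part of the post above or of the Wireshark project: a small defender-side helper that (a) flags process-creation events in which Wireshark or tshark is launched with the -X lua_script: option the post describes, including the squashed -Xlua_script: spelling from the init.lua comment and a quoted path, and (b) audits an init.lua for the two gates quoted in the post and rewrites them to false. The Sysmon-style field names (Image, CommandLine), the Windows binary names wireshark.exe and tshark.exe, and all sample events are assumptions constructed for this example.

```python
import re
from typing import Optional

# --- Constructed input ------------------------------------------------------

# init.lua excerpt as quoted in the post (constructed file content for this example).
INIT_LUA_DEFAULT = """-- Set enable_lua to false to disable Lua support.
enable_lua = true

-- If set and Wireshark was started as (setuid) root, then the user
-- will not be able to execute custom Lua scripts from the personal
-- configuration directory, the -Xlua_script command line option or
-- the Lua Evaluate menu option in the GUI.
run_user_scripts_when_superuser = true
"""

# Constructed process-creation events using Sysmon Event ID 1 style field names (assumption).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Wireshark\Wireshark.exe",
     "CommandLine": r'"C:\Program Files\Wireshark\Wireshark.exe" -r C:\caps\trace.pcapng'},
    {"Image": r"C:\Program Files\Wireshark\Wireshark.exe",
     "CommandLine": r'"C:\Program Files\Wireshark\Wireshark.exe" -X lua_script:C:\Users\user\AppData\Local\Temp\x.lua'},
    {"Image": r"C:\Program Files\Wireshark\tshark.exe",
     "CommandLine": r'tshark.exe -i 1 -X "lua_script:C:\Users\user\My Scripts\stats.lua"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes\-X lua_script.txt"},
]

# --- Detection: Wireshark/tshark started with a Lua script ------------------

# Binaries that embed the Wireshark Lua engine (assumed Windows image names).
WIRESHARK_BINARIES = {"wireshark.exe", "tshark.exe"}

# "-X lua_script:<path>", "-Xlua_script:<path>", or the quoted form -X "lua_script:<path with spaces>".
LUA_SCRIPT_OPT = re.compile(r'-X\s*(?:"lua_script:([^"]+)"|lua_script:(\S+))', re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lua_script_from_event(event: dict) -> Optional[str]:
    """Return the Lua script path if this event is a Wireshark/tshark launch
    that loads a script via -X lua_script:, else None."""
    if image_name(event.get("Image", "")) not in WIRESHARK_BINARIES:
        return None
    m = LUA_SCRIPT_OPT.search(event.get("CommandLine", ""))
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_lua_launches(events):
    """(binary, script path) for every event that loads a Lua script."""
    hits = []
    for e in events:
        path = lua_script_from_event(e)
        if path:
            hits.append((image_name(e["Image"]), path))
    return hits


# --- Hardening: audit and rewrite the init.lua gates ------------------------

LUA_GATES = ("enable_lua", "run_user_scripts_when_superuser")
# Matches only real assignments at line start; "-- enable_lua" comment lines do not match.
SETTING_RE = re.compile(
    r"^([ \t]*)(enable_lua|run_user_scripts_when_superuser)([ \t]*=[ \t]*)(true|false)\b",
    re.MULTILINE,
)


def audit_init_lua(text: str):
    """Map each gate to its boolean value, or None if the file never sets it."""
    values = {name: None for name in LUA_GATES}
    for m in SETTING_RE.finditer(text):
        values[m.group(2)] = (m.group(4) == "true")
    return values


def harden_init_lua(text: str) -> str:
    """Return init.lua with both gates set to false, keeping comments and spacing."""
    return SETTING_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}false", text)


if __name__ == "__main__":
    for binary, script in find_lua_launches(SAMPLE_EVENTS):
        print(f"ALERT {binary} loaded Lua script {script}")
    print("default gates:", audit_init_lua(INIT_LUA_DEFAULT))
    print("hardened gates:", audit_init_lua(harden_init_lua(INIT_LUA_DEFAULT)))
```

Per the init.lua comment the post quotes, run_user_scripts_when_superuser only takes effect when Wireshark was started as setuid root, so on a Windows host it is enable_lua = false that actually closes the -X lua_script: path; the audit reports both gates so that both platforms are covered. The command-line match is deliberately restricted to the Wireshark binaries, so a file name that merely contains the string (the notepad event above) produces no hit.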