[Snort-devel] ProFTPD FreeBSD FTPD remote root exploit rules

Ozan UÇAR mail at ...3232...
Sat Dec 3 17:48:07 EST 2011


Hello Guys,

I wrote a FreeBSD FTPD remote root exploit signature for Snort.

alert tcp any any -> any 21 (msg:"ProFTPD FreeBSD FTPD remote root exploit"; \
    pcre:"/(RMD.+etc|RMD.+lib|STOR\s+.*nss_compat.so.1|cron|inetd|syslogd|sendmail)/smi"; \
    reference:cehturkiye.com,bga.com.tr; reference:packetstormsecurity,7350; \
    classtype:attempted-admin; sid:19731; rev:1;)

I tested it:

[**] [1:19731:1] ProFTPD FreeBSD FTPD remote root exploit [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
12/04-00:44:51.395511 6.6.6.101:48788 -> 6.6.6.154:21
TCP TTL:64 TOS:0x0 ID:2498 IpLen:20 DgmLen:61 DF
***AP*** Seq: 0x83C45F55  Ack: 0xCF825A28  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2185084 29606930
[Xref => packetstormsecurity 7350][Xref => cehturkiye.com bga.com.tr]


----
www.cehturkiye.com
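
Added example, not part of the original post: a regression check of the rule's pcre against constructed FTP command lines, reporting which alternative fires on each. The `TIGHTENED` pattern and the sample payloads are assumptions made for illustration, not the author's rule or captured traffic.

```python
import re

FLAGS = re.S | re.M | re.I  # Python equivalents of Snort's /smi modifiers

# The posted pcre, split into its alternatives so each hit can be attributed.
POSTED_ALTS = ["RMD.+etc", "RMD.+lib", r"STOR\s+.*nss_compat.so.1",
               "cron", "inetd", "syslogd", "sendmail"]
POSTED = re.compile("(" + "|".join(POSTED_ALTS) + ")", FLAGS)

# Hypothetical tightening (an assumption about intent, not the author's rule):
# verb anchored at line start, names matched as the final path component,
# dots escaped, and the bare words tied to STOR.
TIGHTENED = re.compile(
    r"^(?:RMD[ \t]+(?:[^\r\n]*/)?(?:etc|lib)/?"
    r"|STOR[ \t]+(?:[^\r\n]*/)?"
    r"(?:nss_compat\.so\.1|cron|inetd|syslogd|sendmail))\r?$",
    FLAGS)

# Constructed FTP command lines (not captured traffic).
SAMPLES = [
    "RMD etc\r\n",
    "STOR lib/nss_compat.so.1\r\n",
    "RETR /var/log/cron.log\r\n",
    "USER sendmail-admin\r\n",
    "STOR nss_compatXsoY1.bak\r\n",
    "CWD /home/armd/docs/etcetera\r\n",
]

def posted_hits(payload):
    """Return the alternatives of the posted pcre that match the payload."""
    if not POSTED.search(payload):
        return []
    return [alt for alt in POSTED_ALTS if re.search(alt, payload, FLAGS)]

def tightened_hit(payload):
    """True if the tightened pattern would alert on the payload."""
    return TIGHTENED.search(payload) is not None

def triage(samples):
    """Map each payload to (posted alternatives hit, tightened verdict)."""
    return {p: (posted_hits(p), tightened_hit(p)) for p in samples}

if __name__ == "__main__":
    for payload, (hits, tight) in triage(SAMPLES).items():
        print(f"{payload.strip():32} posted={hits or '-'} tightened={tight}")
```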