[Snort-sigs] SMBdie exploit (MS02-45)

Kevin Rowland krowland at ...379...
Thu Aug 29 07:48:07 EDT 2002

On Wed, 28 Aug 2002, Tod Beardsley wrote:

> Kevin Rowland (Tuesday, August 27, 2002, 3:32 PM) wrote:
> > For any interested... Here's a rule I'm using to catch the recently
> > posted SMBdie concept code for the MS02-45 Advisory.
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS SMBdie attack"; 
> > flags: A+; content:"|57724c65680042313342577a|"; reference: bugtraq,5556; 
> > reference:cve,CAN-2002-0724; classtype: attempted-dos;)
> Assuming your network doesn't expect any Samba machines in the
> WORKGROUP domain, this should also catch SMBdie.exe:
> alert tcp any any -> any 139 (msg: DOS SMBdie attack"; flags: PA+;
> content:"|574f524b47524f555000556e69780053616d6261|";
> reference:bugtraq,5556; reference:cve,CAN-2002-0724; 
> classtype: attempted-dos;)
> I only mention it because this will catch it during the setup phase of
> the SMB session. This will buy auto-responding IDS's a few extra
> milliseconds to react before the killer packet gets sent.

I was kind of hoping it would be harder to manipulate the SMBdie.exe file 
with a hex editor in order to circumvent the rule. Manipulating the static 
strings (which both our rules match on) are easy to fiddle with.

However, the combination of function code (0x68 -- NetServerEnum2), 
parameter descriptor ("WrLeh") and return descriptor ("B13BWz") might be 
just a wee bit more difficult to meddle with and get the box to crash.

I can already subvert my own rule pretty easily. A proper(?) parameter 
descriptor for the NetServerEnum2 inside the SMBTrans would seems to be 
"WrLehDz" with a return descriptor of "B16BBDz" (I'm pulling this out of 
the Samba code...) It looks like all SMBdie does is use the descriptors 
for the NetShareEnum API and maybe meddle with the buffer lengths.

-- kevin

| Kevin Rowland                   Office of Information Technology |
| Sr. Systems Engineer            University of Notre Dame         |
|                                                                  |
| pgpKeyID: 0x83C89CCE                                             |
| fingerprint: 7750 F81A BBD9 8487 18DC  5312 154E FCBA 83C8 9CCE  |
| http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x83C89CCE     |

More information about the Snort-sigs mailing list