[Snort-sigs] DCOM MS03-026 Alpha Rules

pdt at ...1716...
Mon Jul 28 18:31:02 EDT 2003


Hey guys,
    I came up with these a little while ago and at least with the dcom.c
that is freely available this seems to catch each variation pretty
well.  I am wondering about false positives and other variations.  I
would appreciate some testing of these rules if anybody is up for it
:)  Any feedback would be greatly appreciated.  A few minutes ago I
saw an 18 target version of the exploit floating around, but don't
have time to test it, maybe tomorrow.

Thanks,
    Paul Tinsley

P.S. - There is some documentation at the jackhammer.org reference.

Each of the target (English) platforms:
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)

A more "generic" rule to try and catch variations that might affect other
language platforms and opcodes not currently known.
Not too sure how well this one will work out in the long run, but am
giving it out for those who might want it, instead of 7 rules:
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content: "|77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100008; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/snort/rules/1100008; rev:1;)

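An added example, not part of Paul's post and not Snort itself: a small Python checker that parses the eight rules exactly as posted, applies the matching logic that plain content: options use (every pattern must occur somewhere in the payload; offset/distance/within modifiers are not involved here), and runs it over constructed sample payloads. It also checks what the generic rule actually relies on: its second content is the 9-byte suffix shared by all seven target-specific patterns, and its first content is a 20-byte UTF-16LE string. The payloads below are fabricated filler built around those bytes purely to exercise the matcher; they are not exploit traffic, and the byte values used for the "unknown target" case are made up.

```python
"""Offline checker for the MS03-026 dcom.c Snort rules posted above.

The RULES text is copied from the post; the parser, matcher and sample
payloads are added here and are not part of the post or of Snort.
"""
import re

RULES = [
    'alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)',
    'alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)',
    'alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)',
    'alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)',
    'alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)',
    'alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)',
    'alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)',
    'alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content: "|77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100008; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/snort/rules/1100008; rev:1;)',
]

# Only the pipe-delimited hex form of content: is handled; that is all the post uses.
CONTENT_RE = re.compile(r'content:\s*"\|([0-9A-Fa-f ]+)\|"')
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+);')


def hex_to_bytes(hexstr):
    """Turn Snort's |aa bb cc| notation into bytes; hex case does not matter."""
    return bytes.fromhex(hexstr.replace(" ", ""))


def parse_rule(text):
    """Extract sid, msg and the list of content: patterns from one rule line."""
    return {
        "sid": int(SID_RE.search(text).group(1)),
        "msg": MSG_RE.search(text).group(1),
        "contents": [hex_to_bytes(h) for h in CONTENT_RE.findall(text)],
    }


PARSED = [parse_rule(r) for r in RULES]


def rule_matches(rule, payload):
    """Plain content: options (no offset/distance/within): each pattern must
    occur somewhere in the payload, position independent of the others."""
    return all(pat in payload for pat in rule["contents"])


def firing_sids(payload, rules=PARSED):
    """SIDs of every rule that would alert on this TCP payload, in rule order."""
    return [r["sid"] for r in rules if rule_matches(r, payload)]


def common_suffix(patterns):
    """Longest byte suffix shared by all patterns (b'' if they share none)."""
    n = 0
    while all(len(p) > n and p[-1 - n] == patterns[0][-1 - n] for p in patterns):
        n += 1
    return patterns[0][len(patterns[0]) - n:]


# Constructed sample payloads (filler bytes are arbitrary; not real traffic).
WIDE_STRING = PARSED[7]["contents"][0]          # decodes to the UTF-16LE text \\FXNBFXFX
W2K_SP4_BYTES = PARSED[4]["contents"][0]        # the 12-byte pattern from sid 1100005
MADE_UP_UNKNOWN = bytes.fromhex("010203") + PARSED[7]["contents"][1]  # fictional prefix + shared suffix

SAMPLE_W2K_SP4 = b"A" * 40 + WIDE_STRING + b"\x90" * 16 + W2K_SP4_BYTES + b"B" * 32
SAMPLE_UNKNOWN_TARGET = b"A" * 40 + WIDE_STRING + b"\x90" * 16 + MADE_UP_UNKNOWN + b"B" * 32
SAMPLE_WIDE_STRING_ONLY = b"A" * 40 + WIDE_STRING + b"C" * 64   # generic rule needs both patterns

if __name__ == "__main__":
    print("generic suffix:", common_suffix([r["contents"][0] for r in PARSED[:7]]).hex())
    for name, p in [("w2k sp4", SAMPLE_W2K_SP4), ("unknown", SAMPLE_UNKNOWN_TARGET),
                    ("string only", SAMPLE_WIDE_STRING_ONLY)]:
        print(f"{name:12s} -> {firing_sids(p)}")
```

The last payload is the false-positive question in miniature: the wide string on its own does not trip the generic rule, because both content: patterns have to be present, so the rule's selectivity rests on the 9-byte suffix rather than on the string.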