[Snort-sigs] DCOM MS03-026 Alpha Rules

daniel uriah clemens daniel_clemens at ...842...
Mon Jul 28 19:29:02 EDT 2003


Here is a pcap for an attack against xpsp1.

http://birmingham-infragard.org/dcom.pcap.xpsp1

-Dan

On Mon, 28 Jul 2003 pdt at ...1716... wrote:

> Hey guys,
>     I came up with these a little while ago and at least with the dcom.c
> that is freely available this seems to catch each variation pretty
> well.  I am wondering about false positives and other variations.  I
> would appreciate some testing of these rules if anybody is up for it
> :)  Any feedback would be greatly appreciated.  A few minutes ago I
> saw an 18 target version of the exploit floating around, but don't
> have time to test it, maybe tomorrow.
>
> Thanks,
>     Paul Tinsley
>
> P.S. - There is some documentation at the jackhammer.org reference.
>
> Each of the target (English) platforms:
> alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100001; rev:1;)
> alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP1"; content:"|ec 29 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100002; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100002; rev:1;)
> alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP2"; content:"|b5 24 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100003; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100003; rev:1;)
> alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP3"; content:"|7a 36 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100004; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100004; rev:1;)
> alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100005; rev:1;)
> alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP0"; content:"|e3 af e9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100006; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100006; rev:1;)
> alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/rules/1100007; rev:1;)
>
> A more "generic" rule to try and catch variations that might affect other
> language platforms and opcodes not currently known.
> Not too sure how well this one will work out in the long run, but am
> giving it out for those who might want it, instead of 7 rules:
> alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content:"|77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100008; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; reference:URL,jackhammer.org/snort/rules/1100008; rev:1;)
>
>
>

-Daniel Uriah Clemens

Esse quam videri
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD
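The following is an added example and is not part of this thread, of Paul's rules, or of Snort itself. It re-implements just enough of Snort's rule parsing and content matching in Python to show how the posted rules behave: the per-target rules key on a single 12-byte block (three target-specific bytes followed by the repeated `77 cc e0 fd 7f cc e0 fd 7f` tail), while the generic rule requires both the UTF-16LE machine name and that tail, because Snort ANDs multiple content options within one rule. The rule text is four of the rules as posted, unwrapped onto one line each; the payloads are constructed for illustration (they are not the linked pcap), and the RPC-bind-looking filler, the padding, and the `11 22 33` "unknown target" bytes are assumptions.

```python
import re

# Four of the rules posted above (three per-target rules plus the generic one),
# each unwrapped onto a single line as Snort requires.
RULE_TEXT = r'''
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP0"; content:"|74 16 e8 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100001; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows 2000 SP4"; content:"|9b 2a f9 77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100005; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) targeting Windows XP SP1"; content:"|BA 26 E6 77 CC E0 FD 7F CC E0 FD 7F|"; classtype:attempted-admin; sid:1100007; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; rev:1;)
alert tcp any any -> any 135 (msg:"DCOM Exploit (MS03-026) generic dcom.c rule"; content:"|5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|"; content: "|77 cc e0 fd 7f cc e0 fd 7f|"; classtype:attempted-admin; sid:1100008; reference:URL,www.microsoft.com/security/security_bulletins/ms03-026.asp; rev:1;)
'''

# Rule header: only the destination port and the parenthesised option list are needed here.
HEADER_RE = re.compile(r'^alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+(\d+)\s+\((.*)\)$')
# One "key:value;" option; values are either quoted (msg, content) or bare (sid, classtype, reference).
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_content(value: str) -> bytes:
    """Turn a Snort content string into raw bytes.  Text outside |...| is literal;
    text inside is a space-separated hex byte list in either case (the XP SP1 rule
    is written in upper case; Snort treats it identically).  Backslash escapes
    inside the string are not handled, since none of these rules use them."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(line: str) -> dict:
    """Extract destination port, msg, sid and every content option from one rule line."""
    header = HEADER_RE.match(line.strip())
    if header is None:
        raise ValueError("unsupported rule syntax: " + line)
    rule = {"dport": int(header.group(1)), "msg": "", "sid": 0, "contents": []}
    for key, value in OPTION_RE.findall(header.group(2)):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if key == "content":
            rule["contents"].append(parse_content(value))
        elif key == "msg":
            rule["msg"] = value
        elif key == "sid":
            rule["sid"] = int(value)
    return rule


RULES = [parse_rule(line) for line in RULE_TEXT.strip().splitlines()]


def matching_sids(payload: bytes, dport: int = 135, rules=RULES) -> list:
    """Sids of every rule whose destination port matches and whose content options
    are ALL present somewhere in the payload (Snort ANDs them within one rule)."""
    return sorted(r["sid"] for r in rules
                  if dport == r["dport"] and all(c in payload for c in r["contents"]))


# Constructed payloads (not captured traffic).  MACHINE_NAME is the UTF-16LE string
# the generic rule's first content option encodes; the filler bytes are an assumption
# chosen to look like the start of a DCE/RPC bind (version 5.0, type 0x0b).
MACHINE_NAME = "\\\\FXNBFXFX".encode("utf-16-le")   # == |5c 00 5c 00 46 00 58 00 4e 00 42 00 46 00 58 00 46 00 58 00|
RPC_FILLER = b"\x05\x00\x0b\x03\x10\x00\x00\x00" + b"\x00" * 8


def build_payload(return_block_hex: str, include_name: bool = True) -> bytes:
    """Assemble a constructed payload around a 12-byte target-specific block."""
    body = RPC_FILLER + (MACHINE_NAME if include_name else b"") + b"A" * 32
    return body + bytes.fromhex(return_block_hex) + b"\x90" * 16


SAMPLES = {
    "w2k_sp0":        build_payload("74 16 e8 77 cc e0 fd 7f cc e0 fd 7f"),
    "xpsp1":          build_payload("ba 26 e6 77 cc e0 fd 7f cc e0 fd 7f"),
    "unknown_target": build_payload("11 22 33 77 cc e0 fd 7f cc e0 fd 7f"),  # made-up first three bytes
    "w2k_sp0_noname": build_payload("74 16 e8 77 cc e0 fd 7f cc e0 fd 7f", include_name=False),
    "name_only":      RPC_FILLER + MACHINE_NAME + b"A" * 32,
    "benign_bind":    RPC_FILLER + b"\x00" * 40,
}


def demo() -> dict:
    """Run every sample through the rules on port 135 and return {name: [sids]}."""
    return {name: matching_sids(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name:16s} -> {sids or 'no alert'}")
```

Two results are worth noting when judging the false-positive question raised in the thread: `w2k_sp0_noname` still fires sid 1100001, since the per-target rules never look at the machine name, and `unknown_target` fires only the generic rule, which is exactly the case the generic rule was written for. The example matches within a single buffer; real Snort reassembles the TCP stream first, so a request split across segments is still matched, and the port check here is the rule header's `-> any 135` only.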