[Snort-sigs] MS Messenger Overflow (MS03-043) POC sig

Mike Pomraning mjp-snortsigs at ...1399...
Tue Oct 21 10:37:07 EDT 2003


I believe this will match Hanabishi Recca's BugTraq POC code for MS03-043
(Messenger Service Overrun --> Remote Code Execution), and simple derivatives.

  # The first content clause is the start of the DCE RPC connectionless (v4)
  # header: version 04, type 00 (request), flags1 28, flags2 00.  It must be
  # written as hex between pipes and anchored with depth:4, otherwise Snort
  # looks for the literal ASCII string "04 00 28 00".  Backslashes continue
  # the rule across lines.
  alert udp any any -> any 135 ( \
    msg:"EXPLOIT MS Messenger Buffer Overflow"; \
    content:"|04 00 28 00|"; depth:4; \
    content:"|14 14 14 14 14 14 14 14 14 14 14 14 14|"; \
    classtype:attempted-admin; \
    reference:url,www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp; \
    reference:url,www.cert.org/advisories/CA-2003-27.html; \
    sid:??; \
    rev:1; \
  )

Can anyone with more Windows wire expertise nail this down further?  I'm not
sure of the wisdom of matching on the first four bytes of Recca's supplied
header (DCERPC Version, Type, Flags1, Flags2) -- none of my NET SEND packets
have 0x28 for the Flags1 byte, but that may be an accident of my limited
configuration.

Regards,
Mike
-- 
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
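An added example, not part of the post above and not Snort's own code: a small Python model of what the proposed rule tests, run over constructed UDP payloads. It decodes the 80-byte DCE RPC connectionless (v4) header laid out in the DCE 1.1 RPC specification, so the four bytes the rule keys on (version, type, flags1, flags2) can be read symbolically instead of matched blindly, then applies the two content checks. The packets are built inline and are constructed test data, not captures of the POC or of a real NET SEND; the zeroed UUIDs and opnum are placeholders, not the Messenger interface's values.

```python
import struct

# flags1 bits of the DCE RPC connectionless PDU header (DCE 1.1 RPC spec).
FLAGS1_BITS = {
    0x02: "LASTFRAG",
    0x04: "FRAG",
    0x08: "NOFACK",
    0x10: "MAYBE",
    0x20: "IDEMPOTENT",
    0x40: "BROADCAST",
}
RPC_VERS_CL = 4        # connectionless DCE RPC
PTYPE_REQUEST = 0
CL_HEADER_LEN = 80     # fixed header size before the stub data
SIG_HEAD = b"\x04\x00\x28\x00"   # first content clause of the rule
SIG_FILL = b"\x14" * 13           # second content clause of the rule


def flags1_names(flags1):
    """Symbolic names of the bits set in flags1, lowest bit first."""
    return [name for bit, name in sorted(FLAGS1_BITS.items()) if flags1 & bit]


def parse_cl_header(payload):
    """Decode the 80-byte connectionless header of a UDP/135 payload."""
    if len(payload) < CL_HEADER_LEN:
        raise ValueError("payload shorter than a DCE RPC CL header")
    rpc_vers, ptype, flags1, flags2 = struct.unpack_from("BBBB", payload, 0)
    drep = payload[4:7]
    # Bit 0x10 of drep[0] set means little-endian integer representation.
    end = "<" if drep[0] & 0x10 else ">"
    (server_boot, if_vers, seqnum, opnum, ihint, ahint, length,
     fragnum, auth_proto, serial_lo) = struct.unpack_from(end + "IIIHHHHHBB",
                                                          payload, 56)
    return {
        "rpc_vers": rpc_vers,
        "ptype": ptype,
        "flags1": flags1,
        "flags1_names": flags1_names(flags1),
        "flags2": flags2,
        "object": payload[8:24],
        "if_id": payload[24:40],
        "act_id": payload[40:56],
        "seqnum": seqnum,
        "opnum": opnum,
        "len": length,
        "fragnum": fragnum,
        "stub": payload[CL_HEADER_LEN:CL_HEADER_LEN + length],
    }


def rule_matches(payload):
    """Model of the proposed rule: bytes 04 00 28 00 at offset 0
    (content with depth:4) and thirteen 0x14 bytes anywhere in the payload."""
    return payload[:4] == SIG_HEAD and SIG_FILL in payload


def build_cl_request(flags1, stub, opnum=0):
    """Construct a v4 request PDU with zeroed UUIDs.  Constructed test data
    only; the UUIDs and opnum are placeholders, not the Messenger interface."""
    hdr = struct.pack("BBBB", RPC_VERS_CL, PTYPE_REQUEST, flags1, 0)
    hdr += b"\x10\x00\x00"          # drep: little-endian ints, ASCII, IEEE
    hdr += b"\x00"                  # serial_hi
    hdr += bytes(16) * 3            # object, interface, activity UUIDs
    hdr += struct.pack("<IIIHHHHHBB", 0, 1, 0, opnum, 0xFFFF, 0xFFFF,
                       len(stub), 0, 0, 0)
    assert len(hdr) == CL_HEADER_LEN
    return hdr + stub


# Constructed samples: the first carries the header bytes the rule keys on;
# the second has the same stub but a different flags1, so the rule misses it.
SAMPLE_FLAGS_28 = build_cl_request(0x28, SIG_FILL + b"A" * 16)
SAMPLE_FLAGS_00 = build_cl_request(0x00, SIG_FILL + b"A" * 16)

if __name__ == "__main__":
    for name, pkt in (("flags1=0x28", SAMPLE_FLAGS_28),
                      ("flags1=0x00", SAMPLE_FLAGS_00)):
        h = parse_cl_header(pkt)
        print(name, h["flags1_names"], "opnum", h["opnum"], "len", h["len"],
              "rule match:", rule_matches(pkt))
```

Decoding flags1 shows that 0x28 is NOFACK together with IDEMPOTENT, which is why a variant of the same request sent with different fragment or acknowledgement flags slips past a rule anchored on those four bytes; the second constructed sample illustrates exactly that miss.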