[Snort-sigs] MS Messenger Overflow (MS03-043) POC sig

Sam Evans sam at ...219...
Tue Oct 21 12:34:53 EDT 2003


I'm guessing you are basing this signature off of the recently released
DoS proof of concept code, right?

-Sam


On Mon, 20 Oct 2003, Mike Pomraning wrote:

> I believe this will match Hanabishi Recca's BugTraq POC code for MS03-043
> (Messenger Service Overrun --> Remote Code Execution), and simple derivatives.
>
>   alert udp any any -> any 135 (
>     msg:"EXPLOIT MS Messenger Buffer Overflow";
>     content:"|04 00 28 00|"; depth:4;
>     content:"|14 14 14 14 14 14 14 14 14 14 14 14 14|";
>     classtype:attempted-admin;
>     reference:url,www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp;
>     reference:url,www.cert.org/advisories/CA-2003-27.html;
>     sid:??;
>     rev:1;
>   )
>
> Can anyone with more Windows wire expertise nail this down further?  I'm not
> sure of the wisdom of matching on the first four bytes of recca's supplied
> header (DCERPC Version, Type, Flags1, Flags2) -- none of my NET SEND packets
> have 0x28 for the Flags1 byte, but that may be an accident of my limited
> configuration.
>
> Regards,
> Mike
> --
> Michael J. Pomraning, CISSP
> Project Manager, Infrastructure
> SecurePipe, Inc. - Managed Internet Security
>
>
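Added example (mine, not code from either poster): the two content checks in the proposed rule, re-implemented in Python and run over constructed UDP/135 payloads so the behaviour can be inspected offline. It shows three things the thread touches on: the hex pattern only matches the DCERPC header bytes when written with `|...|` delimiters (unpiped, Snort treats `"04 00 28 00"` as literal ASCII), the `depth` modifier is what anchors that match to the first four bytes, and a derivative that keeps the 13-byte 0x14 filler but changes Flags1 slips past the header check, which is exactly the brittleness Mike asks about. The 80-byte connectionless header layout and the Flags1 bit names follow the DCE 1.1 RPC CL PDU definition; the sample payloads, including the NET SEND-like one with Flags1 = 0x08, are constructed here and are not captured traffic.

```python
import struct

# DCE RPC connectionless (CL) header, as carried over UDP/135 (DCE 1.1 CL PDU).
# Only the first four bytes (rpc_vers, ptype, flags1, flags2) matter to the rule.
CL_HEADER_LEN = 80
CL_FLAGS1 = {                      # flags1 bits in a CL PDU header
    0x02: "LASTFRAG", 0x04: "FRAG", 0x08: "NOFACK", 0x10: "MAYBE",
    0x20: "IDEMPOTENT", 0x40: "BROADCAST",
}

HEADER_PATTERN = bytes.fromhex("04002800")   # content:"|04 00 28 00|"; depth:4;
FILL_PATTERN = b"\x14" * 13                  # content:"|14 14 ... 14|";


def build_cl_request(flags1, body):
    """Constructed CL request PDU: version 4, ptype 0 (request), given flags1,
    zeroed uuids/hints, body length in the 'len' field at offset 74."""
    hdr = bytearray(CL_HEADER_LEN)
    hdr[0], hdr[1], hdr[2], hdr[3] = 0x04, 0x00, flags1, 0x00
    hdr[4:7] = b"\x10\x00\x00"                # drep: little-endian, ASCII, IEEE
    struct.pack_into("<H", hdr, 74, len(body))
    return bytes(hdr) + body


def parse_cl_header(payload):
    """Decode the fields the rule keys on, plus the flags1 bit names."""
    if len(payload) < CL_HEADER_LEN:
        return None
    vers, ptype, flags1, flags2 = payload[0], payload[1], payload[2], payload[3]
    return {
        "rpc_vers": vers, "ptype": ptype, "flags1": flags1, "flags2": flags2,
        "flags1_names": [n for bit, n in CL_FLAGS1.items() if flags1 & bit],
        "body_len": struct.unpack_from("<H", payload, 74)[0],
    }


def rule_matches(payload):
    """The rule as corrected: header bytes anchored at offset 0 (depth:4)
    AND the 13-byte 0x14 run anywhere in the payload."""
    return payload[:4] == HEADER_PATTERN and FILL_PATTERN in payload


def unpiped_rule_matches(payload):
    """The rule as originally typed: without |...| Snort looks for the ASCII
    text '04 00 28 00', which binary DCERPC traffic will never contain."""
    return b"04 00 28 00" in payload and FILL_PATTERN in payload


# Constructed samples (not captured traffic).
POC_LIKE = build_cl_request(0x28, b"A" * 16 + FILL_PATTERN + b"B" * 32)
NET_SEND_LIKE = build_cl_request(0x08, b"\x00" * 8 + b"hello from net send".ljust(40, b"\x00"))
DERIVATIVE = build_cl_request(0x00, FILL_PATTERN * 2)   # same filler, different flags1


def evaluate():
    """Run both rule variants over the samples; returns name -> (corrected, unpiped)."""
    samples = {"poc_like": POC_LIKE, "net_send_like": NET_SEND_LIKE, "derivative": DERIVATIVE}
    return {name: (rule_matches(p), unpiped_rule_matches(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (fixed, unpiped) in evaluate().items():
        hdr = parse_cl_header(globals()[name.upper()])
        print(f"{name:14s} flags1=0x{hdr['flags1']:02x} {hdr['flags1_names']} "
              f"corrected_rule={fixed} unpiped_rule={unpiped}")
```

Flags1 0x28 decodes to NOFACK | IDEMPOTENT, which a generic NET SEND need not set, so anchoring on that byte ties the rule to one PoC's header rather than to the Messenger service overrun itself; the 0x14 filler run is the part that survives simple derivatives.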