[Snort-sigs] MS Messenger Overflow (MS03-043) POC sig

Michael J. Pomraning mjp at ...1399...
Wed Oct 22 05:55:02 EDT 2003

On Tue, 21 Oct 2003, Sam Evans wrote:

> I'm guessing you are basing this signature off of the recently released
> DoS proof of concept code right?

That's right, specifically from the Hanabishi Recca post to BugTraq.
Obviously the mechanism of overflow (0x14 0x14 ...) could be altered pretty
easily to evade the sig, but my immediate concern is those first four bytes
(efficiency and FP/FN windows).

Does the 0x28 byte occur too often in nature to make this useful?  Conversely,
would the future virus/attack pick a different Flags1 value just by accident
of, say, the attacking host's OS version or config?  Etc.

Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
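
An added example, not part of the original post or of the signature under discussion: it compares an exact four-byte prefix match against a match that ignores the flag bytes, to make the FP/FN trade-off raised above concrete. It assumes the four bytes are the leading fields of the DCE/RPC connectionless header (rpc_vers, ptype, flags1, flags2) with version 4 and packet type 0 (request); the post itself names only Flags1 and the value 0x28, and every payload below is constructed.

```python
import struct

# Flags1 bit names from the DCE/RPC connectionless (datagram) PDU header.
FLAGS1 = {0x02: "lastfrag", 0x04: "frag", 0x08: "nofack",
          0x10: "maybe", 0x20: "idempotent", 0x40: "broadcast"}

def parse_prefix(payload):
    """Return (rpc_vers, ptype, flags1, flags2), or None if under 4 bytes."""
    if len(payload) < 4:
        return None
    return struct.unpack("BBBB", payload[:4])

def flag_names(flags1):
    """Decode the Flags1 byte into the names of the bits that are set."""
    return [name for bit, name in sorted(FLAGS1.items()) if flags1 & bit]

def strict_match(payload):
    """Exact prefix (assumed): version 4, request, Flags1 0x28, Flags2 0."""
    return payload[:4] == b"\x04\x00\x28\x00"

def relaxed_match(payload):
    """Version 4 request with any Flags1/Flags2: fewer misses, more hits."""
    hdr = parse_prefix(payload)
    return hdr is not None and hdr[0] == 4 and hdr[1] == 0

def compare(samples):
    """Return (label, strict, relaxed, flag names) for each sample payload."""
    rows = []
    for label, payload in samples:
        hdr = parse_prefix(payload)
        names = flag_names(hdr[2]) if hdr else []
        rows.append((label, strict_match(payload), relaxed_match(payload), names))
    return rows

# Constructed datagram payloads (header prefix plus filler), not captures.
SAMPLES = [
    ("request, flags1=0x28", b"\x04\x00\x28\x00" + b"\x10\x00\x00\x00"),
    ("request, flags1=0x20", b"\x04\x00\x20\x00" + b"\x10\x00\x00\x00"),
    ("request, flags1=0x08", b"\x04\x00\x08\x00" + b"\x10\x00\x00\x00"),
    ("unrelated data, 0x28 at offset 2", b"\x45\x00\x28\x00" + b"abcd"),
    ("truncated datagram", b"\x04\x00"),
]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The exact prefix misses any request whose sender sets a different Flags1, while the relaxed form fires on every version 4 request and so depends on the rest of the rule to keep false positives down.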
