[Snort-sigs] Re: MS Messenger Overflow (MS03-043) POC sig

Michael J. Pomraning mjp at ...1399...
Tue Oct 28 06:17:06 EST 2003


On Mon, 20 Oct 2003, Mike Pomraning wrote:

> I believe this will match Hanabishi Recca's BugTraq POC code for MS03-043

Various improvements, with an eye toward actually matching something (hex
quoting fixed, offset v. depth, etc.):

   alert udp any any -> any 135 ( \
     msg:"EXPLOIT MS Messenger Buffer Overflow"; \
     dsize:>100; \
     content:"|04 00 28 00|"; offset: 0; \
     content:"|14 14 14 14 14 14 14 14 14 14 14 14 14|"; offset: 4; \
     classtype:attempted-admin; \
     reference:url,www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp; \
     reference:url,www.cert.org/advisories/CA-2003-27.html; \
     sid:??; \
     rev:1;)

Thanks to everyone who responded on and off list, esp. Samuel Adams.

Regards,
Mike
-- 
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
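
Added example, not part of the original post: a small Python model of how Snort 2.x evaluates the rule's dsize, content and offset options, run over constructed payloads. It shows that offset without depth only sets where the search starts; the depth:4 variant is a hypothetical for comparison, and all function names and sample bytes are assumptions.

```python
# Model of the Snort 2.x payload options used by the rule above (dsize,
# content, offset, depth). Illustrative only; this is not Snort's code.

HDR = bytes.fromhex("04002800")   # first content in the rule
FILL = b"\x14" * 13               # second content in the rule


def content_match(payload, pattern, offset=0, depth=None):
    # offset: index where the search starts.
    # depth: number of bytes, counted from that start, that may be searched.
    # Without depth the search runs to the end of the payload.
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end) != -1


def rule_as_posted(payload):
    return (len(payload) > 100                        # dsize:>100
            and content_match(payload, HDR, offset=0)
            and content_match(payload, FILL, offset=4))


def rule_with_depth(payload):
    # Hypothetical variant: depth:4 pins the first content to bytes 0-3.
    return (len(payload) > 100
            and content_match(payload, HDR, offset=0, depth=4)
            and content_match(payload, FILL, offset=4))


# Constructed payloads (not captured traffic).
SAMPLES = {
    "header_at_start": HDR + b"\x00" * 60 + b"\x14" * 64,
    "too_short":       HDR + FILL,
    "no_fill_run":     HDR + b"\x00" * 120,
    "header_mid_body": b"\x05\x00" + b"A" * 60 + HDR + b"\x14" * 40 + b"B" * 20,
}


def evaluate(samples=SAMPLES):
    # Returns {name: (as_posted, with_depth)} for each sample payload.
    return {name: (rule_as_posted(p), rule_with_depth(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (posted, anchored) in evaluate().items():
        print(f"{name:16} as_posted={posted!s:5} with_depth={anchored}")
```

The header_mid_body sample is the case to watch when tuning for false positives: both byte patterns occur deep in the payload, so the rule as posted fires while the depth-limited variant does not.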
