[Snort-sigs] untested sig for THCIISSLame.c (MS04-011 exploit)

James Riden j.riden at ...1766...
Wed Apr 21 13:36:03 EDT 2004


Exploit: http://www.k-otik.com/exploits/04212004.THCIISSLame.c.php

Untested sig:

alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit (THCIISSLame by Johnny Cyberpunk)"; flow:to_server,established; content:"|80 62 01 02 bd 00 01 00 01 00 16|"; offset:0; content:"|eb 23 7a 69 02 05 6c 59 f8 1d 9c de 8c d1 4c 70 d4 03 f0 27 20 20 30 08 57 53 32 5f 33 32|"; within:36; classtype:attempted-admin; sid:1000001; rev:1;)

Matches the first bits of sslshit[] and shellcode[], which are glued
into a bigger buffer. "within:36" may be overly generous.

Any comments? I'm off to find a couple of boxes to test on.

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
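As an added illustration, not part of Jamie's post, here is a small Python emulation of the rule's two content checks run over constructed buffers; it shows how "within:36" is evaluated relative to the end of the first match and computes how many filler bytes the rule tolerates between the two patterns. It assumes a single reassembled payload and ignores Snort's other rule options.

```python
# Byte patterns copied from the posted rule: the first bytes of sslshit[]
# (SSLv2 client hello header) and of shellcode[].
SSL_HELLO = bytes.fromhex("80 62 01 02 bd 00 01 00 01 00 16")
SHELLCODE_PREFIX = bytes.fromhex(
    "eb 23 7a 69 02 05 6c 59 f8 1d 9c de 8c d1 4c 70"
    "d4 03 f0 27 20 20 30 08 57 53 32 5f 33 32"
)
WITHIN = 36  # value used in the posted rule


def rule_matches(payload: bytes, within: int = WITHIN) -> bool:
    """Emulate: content:SSL_HELLO; offset:0; content:SHELLCODE_PREFIX; within:N

    Snort semantics modelled here: the second content must lie entirely inside
    the `within` bytes that follow the end of the first content match. Like
    Snort, retry later occurrences of the first pattern if the second check fails.
    """
    pos = payload.find(SSL_HELLO, 0)  # offset:0 -> search from the start
    while pos != -1:
        end_of_first = pos + len(SSL_HELLO)
        window = payload[end_of_first:end_of_first + within]
        if SHELLCODE_PREFIX in window:
            return True
        pos = payload.find(SSL_HELLO, pos + 1)
    return False


def max_filler_between(within: int = WITHIN) -> int:
    """How many bytes of slack between the two patterns the rule accepts."""
    return within - len(SHELLCODE_PREFIX)


def glued(filler_len: int) -> bytes:
    """Constructed test buffer: hello header, filler_len zero bytes, shellcode prefix."""
    return SSL_HELLO + b"\x00" * filler_len + SHELLCODE_PREFIX


if __name__ == "__main__":
    print("slack tolerated by within:36 ->", max_filler_between(), "bytes")
    for gap in (0, 6, 7):
        print(f"gap {gap}: match={rule_matches(glued(gap))}")
    print("hello only:", rule_matches(SSL_HELLO + b"\x00" * 40))
```

Tightening "within" to exactly 30 (the second content's length) would require the two patterns to be adjacent, which is how the exploit glues them into its buffer.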