[Snort-sigs] untested sig for THCIISSLame.c (MS04-011 exploit)

Chris Reining
Thu Apr 22 16:13:02 EDT 2004


On Thu, Apr 22, 2004 at 08:34:49AM +1200, James Riden wrote:
> alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit (THCIISSLame by Johnny Cyberpunk)"; content:"|80 62 01 02 bd 00 01 00 01 00 16|"; offset:0; content:"|eb 23 7a 69 02 05 6c 59 f8 1d 9c de 8c d1 4c 70 d4 03 f0 27 20 20 30 08 57 53 32 5f 33 32|"; within:36;)
> 
> Matches the first bits of sslshit[] and shellcode[], which are glued
> into a bigger buffer. "within:36" may be overly generous.

It should suffice to just match sslshit[] for this particular exploit
code against IIS as so:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-IIS PCT overflow attempt"; flow:to_server,established; flags:A+; content:"|80 62 01 02 bd 00 01 00 01 00 16|"; offset:0; depth:11; classtype:web-application-attack; reference:cve,CAN-2003-0719; reference:url,http://xforce.iss.net/xforce/alerts/id/168; sid:1000000; rev:1;)

Chris
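The offset/depth and within semantics the two rules in this thread rely on, as an added example that is not part of the original post: a small Python emulation of Snort content matching, run over constructed payloads. The sample byte layouts below are assumptions for illustration, not the exploit's real buffer; only the two content patterns are taken from the rules above.

```python
def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: text between '|' pipes is hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def find_content(payload: bytes, pattern: bytes, *, offset=0, depth=None,
                 within=None, start=0):
    """Emulate one Snort content match.
    offset/depth bound the search window from the start of the payload;
    within bounds it relative to 'start', the end of the previous match.
    Returns the index just past the match, or None if there is no match."""
    if within is not None:
        lo, hi = start, start + within
    else:
        lo, hi = offset, (len(payload) if depth is None else offset + depth)
    idx = payload.find(pattern, lo, hi)      # match must lie fully inside [lo, hi)
    return None if idx < 0 else idx + len(pattern)


# Patterns copied from the two rules in the thread.
PCT_HELLO = parse_content("|80 62 01 02 bd 00 01 00 01 00 16|")
SHELLCODE_PREFIX = parse_content(
    "|eb 23 7a 69 02 05 6c 59 f8 1d 9c de 8c d1 4c 70 d4 03 f0 27 20 20 30 08 57 53 32 5f 33 32|")


def james_rule(payload: bytes) -> bool:
    """content:PCT_HELLO; offset:0;  content:SHELLCODE_PREFIX; within:36;"""
    end = find_content(payload, PCT_HELLO, offset=0)
    return end is not None and find_content(payload, SHELLCODE_PREFIX, within=36, start=end) is not None


def chris_rule(payload: bytes) -> bool:
    """content:PCT_HELLO; offset:0; depth:11;  (pattern pinned to the record start)"""
    return find_content(payload, PCT_HELLO, offset=0, depth=11) is not None


# Constructed sample payloads (assumed layouts, not the real exploit buffer).
PCT_ATTACK = PCT_HELLO + b"\x00" * 5 + SHELLCODE_PREFIX + b"A" * 16
TLS_HELLO = bytes.fromhex("160301002f0100002b0301") + b"\x00" * 32  # ordinary TLS 1.0 ClientHello prefix
PCT_LATE = b"\x00" * 4 + PCT_ATTACK   # PCT bytes not at offset 0: depth:11 rejects it, the looser rule still fires

if __name__ == "__main__":
    for name, pkt in (("pct_attack", PCT_ATTACK), ("tls_hello", TLS_HELLO), ("pct_late", PCT_LATE)):
        print(f"{name:10s} james={james_rule(pkt)} chris={chris_rule(pkt)}")
```

Running it shows both rules firing on the constructed PCT record, neither on a normal TLS ClientHello, and only the offset-only rule on a record where the PCT bytes do not start at byte 0.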