[Snort-sigs] untested sig for THCIISSLame.c (MS04-011 exploit)

Paul Tinsley jackhammer at ...2420...
Mon Apr 26 21:21:06 EDT 2004


Whoops, I meant to hit reply to all so others could use it :/  Here goes.

I still haven't had a chance to fix the sig to be more generic but it
seems to be working as you say...

On Tue, 27 Apr 2004 14:23:07 +1200, James Riden <j.riden at ...1766...> wrote:
> 
> pdt at ...1716... writes:
> 
> > > Yours doesn't seem to work and the reason being, you are basing it off of
> > > the shellcode which he is XORing before it goes into the string.  This one
> > > is quick and dirty but will work with the exploit code.  I am going to
> > > play with it further so that it has a chance of working with modified
> > > versions, right now I key off of the greetz message and the xor'd offset,
> > > not good long term.
> >
> > alert tcp any any -> $HOME_NET 443 (msg:"MS04-011 SSL exploit (THCIISSLame by Johnny Cyberpunk)"; flow:to_server,established; content:"|54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98|"; within:36; sid:900034; rev:1;)
> 
> Works for me - I've seen it coming from a few addresses - to a server
> I patched a few days ago, HAH!
> 
> Do you want to post it to the list? I know there's some people who
> would appreciate it - and it's a lot better than nothing as it is.
> 
> cheers,
>  Jamie
> --
> James Riden / j.riden at ...1766... / Systems Security Engineer
> Information Technology Services, Massey University, NZ.
> GPG public key available at: http://www.massey.ac.nz/~jriden/
> 
>

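Added example, not part of the original thread or of the exploit code: a small Python model of the posted rule's content match, run over a constructed payload laid out the way the post describes (greetz marker up front, XOR-encoded shellcode behind it). Only the 15 content bytes come from the rule; the preamble bytes, the sample shellcode, the XOR key and the helper names are assumptions made up here. The `within:36` on a rule's first content is modeled as "the whole pattern must fit inside the first 36 payload bytes", which is how a first-content offset limit behaves in practice; check your own Snort version if you rely on that.

```python
# Model of the quoted Snort rule. Added example, NOT the exploit's code and
# NOT the original poster's code. Everything except RULE_CONTENT is constructed.

# The 15-byte content from the posted rule: "THCOWNZIIS!2^" followed by BE 98
# (the greetz string plus the XOR'd offset the post keys on).
RULE_CONTENT = bytes.fromhex("54 48 43 4F 57 4E 5A 49 49 53 21 32 5E BE 98")
RULE_WITHIN = 36

# Constructed stand-ins (assumptions): a NOP sled plus int3 as "shellcode",
# and an arbitrary single-byte XOR key. The real exploit's values are not used.
SHELLCODE = b"\x90\x90\x90\x90\xcc\xcc"
XOR_KEY = 0x55


def snort_content_match(payload: bytes, content: bytes = RULE_CONTENT,
                        within: int = RULE_WITHIN) -> bool:
    """content:"..."; within:N; as the first content of a rule: the whole
    pattern must lie inside payload[0:N]. bytes.find(sub, 0, end) only
    reports a hit when sub is entirely contained in that slice."""
    return payload.find(content, 0, within) != -1


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the kind of encoding that hides plaintext shellcode."""
    return bytes(b ^ key for b in data)


def naive_shellcode_match(payload: bytes, shellcode_prefix: bytes) -> bool:
    """The approach the post says failed: look for raw shellcode bytes on the wire."""
    return shellcode_prefix in payload


def build_constructed_payload(shellcode: bytes, key: int) -> bytes:
    """Constructed packet: 17 filler bytes, the greetz marker, then encoded shellcode.
    17 + 15 = 32 <= 36, so the marker lands inside the rule's window."""
    preamble = b"\x00" * 17  # assumption: stands in for the exploit's own header bytes
    return preamble + RULE_CONTENT + xor_encode(shellcode, key)


def run_demo() -> dict:
    """Exercise the rule against the constructed exploit packet and two variants."""
    payload = build_constructed_payload(SHELLCODE, XOR_KEY)
    # Same content, pushed 13 bytes further in: no longer fits within 36 bytes.
    shifted = b"\x00" * 30 + RULE_CONTENT + xor_encode(SHELLCODE, XOR_KEY)
    # Greetz string edited: the 'quick and dirty' sig has nothing left to key on.
    mutated = payload.replace(b"THCOWNZ", b"XXXXXXX")
    return {
        "rule_hits_exploit": snort_content_match(payload),              # True
        "shellcode_sig_hits_exploit": naive_shellcode_match(payload, SHELLCODE),  # False: XOR'd on the wire
        "shellcode_sig_hits_decoded": naive_shellcode_match(
            xor_encode(payload, XOR_KEY), SHELLCODE),                   # True only after decoding
        "rule_hits_shifted": snort_content_match(shifted),              # False
        "rule_hits_mutated": snort_content_match(mutated),              # False
    }


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name}: {hit}")
```

The two False results for the shifted and mutated payloads are the "not good long term" problem the post admits: the match depends on a fixed string at a fixed depth, so a rebuilt exploit with a different greetz or a longer header walks past it. The `shellcode_sig_hits_*` pair shows why the earlier signature missed: the shellcode bytes only exist in plaintext after the XOR layer is removed, which a static content match never does.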