[Snort-sigs] SID 2417

Frank Knobbe frank at ...1978...
Fri Aug 20 10:44:01 EDT 2004


On Fri, 2004-08-20 at 11:32, Paul Schmehl wrote:
> 50 41 53 56 0D 0A 52 45 54 52 20 2F 68 6F 6D 65   PASV..RETR /home
> 2F 30 30 31 2F 6C 2F 6C 78 2F 6C 78 6F 30 31 35   /001/l/lx/lxo015
> 30 30 30 2F 70 75 62 6C 69 63 5F 68 74 6D 6C 2F   000/public_html/
> 50 68 6F 74 6F 2F 4D 75 6E 6B 61 68 65 6C 79 2F   Photo/Munkahely/
> 65 62 65 64 5F 73 7A 75 6E 65 74 5F 6B 2E 6A 70   ebed_szunet_k.jp
> 67 0D 0A 33 61 25 32 66 25 32 66 62 61 79 39 25   g..3a%2f%2fbay9%
> 32 65 6F 65 25 32 65 68 6F 74 6D 61 69 6C 25 32   2eoe%2ehotmail%2
> 65 63 6F 6D 25 32 66 63 67 69 25 32 64 62 69 6E   ecom%2fcgi%2dbin
> 25 32 66 68 6D 64 61 74 61 25 32 66 64 61 6F 6F   %2fhmdata%2fdaoo
> 64 25 34 30 68 6F 74 6D 61 69 6C 25 32 65 63 6F   d%40hotmail%2eco
> 6D 25 33 66 26 6C                                 m%3f&l


Let's see. First, switch to passive mode, then retrieve that jpeg from
the user's html dir. But
"3a//bay9.oe.hostmail.com/cgi-bin/hmdata/daood at ...12...?&l" is not a
valid FTP command :)  Perhaps left-overs from a previous buffer?
Considering that %3a is a ";" which fits fine in front of "//bay9..etc",
it appears that the FTP session data was overwriting a previous packet
(with the last LF overwriting the % of the ":").

A bug in the preprocessor perhaps?

Regards,
Frank
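
The reading of the dump given in the message above can be reproduced offline. This is an added example, not part of the original post and not Snort code: it splits the quoted payload on CRLF, keeps the lines that start with an FTP verb, and percent-decodes the unterminated tail after restoring the leading '%' that the message supposes was overwritten. The verb list is a partial one chosen for illustration, and the function names are hypothetical.

```python
from urllib.parse import unquote_to_bytes

# Payload bytes re-typed from the ASCII column of the quoted hex dump.
PAYLOAD = (
    b"PASV\r\n"
    b"RETR /home/001/l/lx/lxo015000/public_html/Photo/Munkahely/ebed_szunet_k.jpg\r\n"
    b"3a%2f%2fbay9%2eoe%2ehotmail%2ecom%2fcgi%2dbin%2fhmdata%2f"
    b"daood%40hotmail%2ecom%3f&l"
)

# Assumption: a subset of RFC 959 verbs is enough for this illustration.
FTP_VERBS = {b"USER", b"PASS", b"CWD", b"PASV", b"PORT", b"TYPE", b"RETR",
             b"STOR", b"LIST", b"NLST", b"DELE", b"MKD", b"RMD", b"QUIT"}


def is_ftp_command(line: bytes) -> bool:
    """True if the first space-delimited token is a known FTP verb."""
    return line.split(b" ", 1)[0].upper() in FTP_VERBS


def analyze(payload: bytes) -> dict:
    """Split a control-channel buffer on CRLF and isolate non-FTP residue."""
    *lines, tail = payload.split(b"\r\n")   # tail = bytes after the last CRLF
    commands = [l for l in lines if is_ftp_command(l)]
    stray = [l for l in lines if not is_ftp_command(l)]
    restored = b""
    if tail and not is_ftp_command(tail):
        # Hypothesis from the message: the final LF landed on the '%' of an
        # encoded ':'; put it back, then percent-decode.
        restored = unquote_to_bytes(b"%" + tail)
    return {"commands": commands, "stray": stray, "tail": tail, "restored": restored}


if __name__ == "__main__":
    result = analyze(PAYLOAD)
    for cmd in result["commands"]:
        print("FTP command:", cmd.decode())
    print("unterminated tail:", result["tail"].decode())
    print("tail with '%' restored and decoded:", result["restored"].decode())
```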
