[Snort-sigs] WEB-IIS PCT overflow attempt

Aaron W. DeLashmutt awd at ...2442...
Mon May 3 04:54:23 EDT 2004

I've seen a few signatures for detecting possible exploitation for the
recent MS04-011 vulnerabilities.
I had a chance to play with the plugin for metasploit
(http://www.k-otik.com/exploits/04242004.iis5x_ssl_pct.pm.php) and noticed I
wasn't getting alerts.  I ran a few packet captures and noticed the payload
slightly differs between the THC exploit and the metasploit plugin.

Here is the (coded) THC payload:
Here is the (coded) metasploit payload:

I modified the sig to catch both... tested and verified.
alert tcp any any -> $HOME_NET 443 (msg:"WEB-IIS PCT overflow attempt";
flow:to_server,established; content:"|01 02 bd 00 01 00 01 00 16 8f|";
offset:2; depth:10; within:33; classtype:web-application-attack;
reference:url,xforce.iss.net/xforce/alerts/id/168; sid:13456924; rev:2;)

Hope this helps.... happy snorting!

Aaron W. DeLashmutt <awd at ...2442...> 
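An added example, not part of Aaron's post or of the Snort project: a small Python emulation of the rule's content/offset/depth matching, to show why the 10-byte pattern has to sit at exactly byte 2 of the TCP payload for the signature above to fire. The Snort 2 semantics assumed here are that `offset` sets where the search starts and `depth` bounds how many bytes from that point are searched. The sample payloads are constructed for the demonstration (the two leading bytes are filler, not a real PCT record header) and are not the THC or metasploit payloads the post refers to.

```python
"""Emulate the content/offset/depth matching of the WEB-IIS PCT rule above.

Assumed Snort 2 semantics: the search window starts `offset` bytes into the
payload and is `depth` bytes long; the whole pattern must fit in that window.
"""
from typing import Optional


def parse_content(content: str) -> bytes:
    """Turn a Snort content string such as "|01 02 bd|" into bytes.

    Only the all-hex form used by the rule above is handled; mixed
    literal/hex content strings are out of scope for this example.
    """
    content = content.strip().strip('"')
    if not (content.startswith("|") and content.endswith("|")):
        raise ValueError("expected a |hex| content string")
    return bytes.fromhex(content.strip("|").replace(" ", ""))


# Pattern copied from the rule's content option.
PCT_PATTERN = parse_content('"|01 02 bd 00 01 00 01 00 16 8f|"')


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Return True if `pattern` occurs inside the offset/depth window."""
    if depth is None:
        window = payload[offset:]
    else:
        window = payload[offset:offset + depth]
    return pattern in window


def matches_rule(payload: bytes) -> bool:
    """Apply the rule's options: offset:2; depth:10 with the 10-byte pattern.

    Because the window is exactly as long as the pattern, this only matches
    when the pattern starts at byte 2 of the TCP payload.
    """
    return content_match(payload, PCT_PATTERN, offset=2, depth=10)


# Constructed sample payloads (not real captures).
# Pattern at byte 2, as the rule expects: two filler bytes, then the pattern.
SAMPLE_HIT = b"\x80\x35" + PCT_PATTERN + b"A" * 20
# Same pattern shifted one byte later: falls outside the offset:2/depth:10 window.
SAMPLE_SHIFTED = b"\x80\x35\x00" + PCT_PATTERN + b"A" * 20
# Start of an ordinary TLS ClientHello record: should not match.
SAMPLE_TLS = bytes.fromhex("160301002f0100002b0301") + b"B" * 40


def classify(samples: dict) -> dict:
    """Run the rule over each sample and report which ones would alert."""
    return {name: matches_rule(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    results = classify({
        "pattern at offset 2": SAMPLE_HIT,
        "pattern at offset 3": SAMPLE_SHIFTED,
        "tls client hello": SAMPLE_TLS,
    })
    for name, alerted in results.items():
        print(f"{name:22s} -> {'ALERT' if alerted else 'no alert'}")
```

The shifted sample is the practical point: a payload that differs only in where the bytes land (as the post observed between the two exploits) will silently pass a rule whose offset and depth pin the pattern to one position, so any change to the pattern should be re-tested against a capture of each variant.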
