[Snort-sigs] WEB-IIS PCT overflow attempt

Aaron W. DeLashmutt awd at ...2442...
Mon May 3 04:54:23 EDT 2004


I've seen a few signatures for detecting possible exploitation for the
recent MS04-011 vulnerabilities.
I had a chance to play with the plugin for metasploit
(http://www.k-otik.com/exploits/04242004.iis5x_ssl_pct.pm.php) and noticed I
wasn't getting alerts.  I ran a few packet captures and noticed the payload
slightly differs between the THC exploit and the metasploit plugin.

Here is the (coded) THC payload:
\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00
Here is the (coded) metasploit payload:
\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00

I modified the sig to catch both... tested and verified.
alert tcp any any -> $HOME_NET 443 (msg:"WEB-IIS PCT overflow attempt";
flow:to_server,established; content:"|01 02 bd 00 01 00 01 00 16 8f|";
offset:2; depth:10; within:33; classtype:web-application-attack;
reference:cve,CAN-2003-0719;
reference:url,xforce.iss.net/xforce/alerts/id/168; sid:13456924; rev:2;)

Hope this helps.... happy snorting!

---
Aaron W. DeLashmutt <awd at ...2442...> 
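An added example, not part of the original post and not Snort's own code: a small Python check that decodes the two quoted payloads, applies the rule's content/offset/depth match the way Snort 2.x does (depth measured from the offset, assumed here), and shows that the bytes which differ between the THC and Metasploit payloads fall outside the match window, which is why the modified signature catches both. The TLS ClientHello prefix is a constructed benign control.

```python
"""Why the posted content match fires on both PCT payloads (added example)."""
from typing import List, Optional

# The two payloads quoted in the post, as pasted (\xNN text)
THC_PAYLOAD = r"\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00"
MSF_PAYLOAD = r"\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00"
# Constructed benign control: start of an SSLv3/TLS handshake record, which
# should NOT match the PCT pattern.
TLS_CLIENT_HELLO = r"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"

# content / offset / depth taken from the posted rule
RULE_CONTENT = "|01 02 bd 00 01 00 01 00 16 8f|"
RULE_OFFSET = 2
RULE_DEPTH = 10


def decode_escaped(text: str) -> bytes:
    """Turn a "\\x80\\x62..." string (as pasted in the post) into raw bytes."""
    return bytes.fromhex(text.replace("\\x", ""))


def decode_snort_content(content: str) -> bytes:
    """Turn a Snort |hex bytes| content value into raw bytes."""
    return bytes.fromhex(content.strip("|"))


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Simplified Snort content match: start searching at `offset` and look at
    most `depth` bytes from there (assumption: Snort 2.x semantics, where depth
    is counted from the offset rather than from the start of the payload)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def rule_matches(payload_text: str) -> bool:
    """Apply the posted rule's content/offset/depth to one pasted payload."""
    return content_match(decode_escaped(payload_text),
                         decode_snort_content(RULE_CONTENT),
                         RULE_OFFSET, RULE_DEPTH)


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte positions at which two equal-length payloads differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    thc, msf = decode_escaped(THC_PAYLOAD), decode_escaped(MSF_PAYLOAD)
    print("THC matches:      ", rule_matches(THC_PAYLOAD))
    print("Metasploit matches:", rule_matches(MSF_PAYLOAD))
    print("TLS hello matches: ", rule_matches(TLS_CLIENT_HELLO))
    print("payloads differ at byte offsets:", differing_offsets(thc, msf))
```

The differing offsets come out as 1 and 12, while the rule only inspects bytes 2 through 11; the match window is therefore identical for both tools, and a generic handshake record that does not carry those ten bytes at offset 2 is left alone.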