[Snort-sigs] FP? WEB-CLIENT WinHTTP integer wrap buffer overflow attempt [sid 15462]

Nerijus Krukauskas nkrukauskas at ...2420...
Fri Jul 17 06:37:56 EDT 2009


I see a few dozen of these each day, and so far only from Google
IP addresses. Is this a false positive, or has "Do no evil" got some kind
of evil?

[**] WEB-CLIENT WinHTTP integer wrap buffer overflow attempt [**]
2009-07-16 10:55:41 74.125.77.17:80 -> 10.0.19.150:1490
TCP TTL:62 TOS:0x0 ID:11103 IPLen:365 HLen:5 CSumIP:0x5B08
***AP*** Seq:0xD848CEB Ack:0xE59A59B7 Win:0x1FBF CSumTCP:0xC3EF

Payload (ASCII):
HTTP/1.1 200 OK..Cac
he-Control: private,
proxy-revalidate..D
ate: Thu, 16 Jul 200
9 07:55:41 GMT..Cont
ent-Type: text/javas
cript; charset=UTF-8
..Last-Modified: Thu
, 16 Jul 2009 07:55:
41 GMT..Etag: 802834
6115228818182..X-Con
tent-Type-Options: n
osniff..Transfer-Enc
oding: chunked..Serv
er: GFE/1.3....13..8
028346115228818182..
0....

-- 
http://nk99.org/
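As an added triage aid (not part of the original post), the Python below reconstructs the response from the alert's ASCII payload and walks its chunked framing, reporting whether any chunk-size field would not fit a 32-bit length or disagrees with the bytes actually present. That a chunk-size/32-bit length mismatch is what this rule class is about is an assumption here, not the rule's text.

```python
import re

# Response reconstructed from the alert's ASCII payload (Snort prints CR/LF
# as '.'); restored here as \r\n for parsing.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Cache-Control: private, proxy-revalidate\r\n"
    b"Date: Thu, 16 Jul 2009 07:55:41 GMT\r\n"
    b"Content-Type: text/javascript; charset=UTF-8\r\n"
    b"Last-Modified: Thu, 16 Jul 2009 07:55:41 GMT\r\n"
    b"Etag: 8028346115228818182\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Server: GFE/1.3\r\n\r\n"
    b"13\r\n8028346115228818182\r\n0\r\n\r\n"
)

UINT32_MAX = 0xFFFFFFFF  # assumption: the "integer wrap" concerns a 32-bit length

def parse_chunks(body):
    """Walk a chunked body; return [(declared_size, bytes_present, wraps32)].
    wraps32 is True when the hex chunk-size does not fit a 32-bit length."""
    chunks, pos = [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError("malformed chunk size %r" % size_field)
        declared = int(size_field, 16)
        pos = end + 2
        if declared == 0:          # last-chunk marker
            return chunks
        data = body[pos:pos + declared]
        chunks.append((declared, len(data), declared > UINT32_MAX))
        if len(data) < declared:   # capture ended mid-chunk
            return chunks
        pos += declared + 2        # skip chunk data and its trailing CRLF

def triage(raw):
    """Return (chunked, suspicious, chunks). suspicious is True when any
    chunk size wraps 32 bits or disagrees with the bytes actually present."""
    headers, _, body = raw.partition(b"\r\n\r\n")
    if b"transfer-encoding: chunked" not in headers.lower():
        return False, False, []
    chunks = parse_chunks(body)
    return True, any(w or d != n for d, n, w in chunks), chunks
```

For the captured response the single chunk is declared 0x13 (19 bytes) and carries exactly 19 bytes followed by the terminating 0 chunk, so the framing itself is well-formed.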