[Snort-sigs] Metasploit - CVE-2012-1823 - Snort Sleeping

James Lay jlay at ...3266...
Fri Apr 26 16:49:45 EDT 2013


On 2013-04-26 14:43, MA Bel wrote:
> Hi,
>
> I found a working exploit (reverse shell) where Snort’s signature
> fails to trigger an alert.
>
> In a lab I have 3 physical hosts: one Snort, one with BackTrack, and
> one Ubuntu running Metasploitable in VirtualBox. I use Metasploit to
> attack the Metasploitable VM, Snort is in passive (non-inline) mode.
>
> I came across CVE-2012-1823 (PHP CGI Argument Injection) which
> corresponds to three potential snort signatures: 22097, 22063, 22064.
> Metasploit has a nice exploit that will give you a reverse shell. It
> works.
>
> http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection [1]
>
> SID 22063’s rule attempts to catch the string
> “auto_prepend_file”. When the Metasploit exploit is launched,
> Wireshark confirms that the string is indeed sent. I get a reverse
> shell. I can list directories, move into them, delete stuff, etc, yet
> Snort does not generate an alert. Yes, rules are up to date,
> activated, etc. The basics are covered.
>
> I decided to strip off all extra parameters and create a very basic
> rule: “content: auto_prepend_file”. No luck catching the exploit.
> I used Scapy to send the “auto_prepend_file” string. Snort woke
> up. I used Scapy to send the whole string sent by Metasploit (I did a
> copy & paste of what I found in Wireshark). That works, Snort wakes
> up.
>
> I don’t understand why an HTTP string sent by Scapy generates an
> alert whereas the same string sent by Metasploit keeps Snort silent. I
> am not even using evasion techniques.
>
> How do I get Snort to catch the exploit? I am worried other rules
> won't fire when they should.
>
> Thanks in advance.
>
> Links:
> ------
> [1] http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection

Got a pcap?

James



