[Snort-sigs] Metasploit - CVE-2012-1823 - Snort Sleeping

Alex McDonnell amcdonnell at ...435...
Fri Apr 26 17:03:05 EDT 2013


Alerts for me. Please attach your configuration as Nathan asked.

Alex McDonnell
VRT


On Fri, Apr 26, 2013 at 4:56 PM, MA Bel <mab_generic at ...3751...> wrote:

>
>
> > To: snort-sigs at lists.sourceforge.net
> > Date: Fri, 26 Apr 2013 14:49:45 -0600
> > From: jlay at ...3266...
> > Subject: Re: [Snort-sigs] Metasploit - CVE-2012-1823 - Snort Sleeping
>
> >
> > On 2013-04-26 14:43, MA Bel wrote:
> > > Hi,
> > >
> > > I found a working exploit (reverse shell) where Snort’s signatures
> > > fail to trigger an alert.
> > >
> > > In a lab I have 3 physical hosts: one Snort, one with BackTrack, and
> > > one Ubuntu running Metasploitable in VirtualBox. I use Metasploit to
> > > attack the Metasploitable VM, Snort is in passive (non-inline) mode.
> > >
> > > I came across CVE-2012-1823 (PHP CGI Argument Injection) which
> > > corresponds to three potential snort signatures: 22097, 22063, 22064.
> > > Metasploit has a nice exploit that will give you a reverse shell. It
> > > works.
> > >
> > > http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection [1]
> > >
> > > SID 22063’s rule attempts to catch the string
> > > “auto_prepend_file”. When the Metasploit exploit is launched,
> > > WireShark confirms that the string is indeed sent. I get a reverse
> > > shell. I can list directories, move into them, delete stuff, etc, yet
> > > Snort does not generate an alert. Yes, rules are up to date,
> > > activated, etc. The basics are covered.
> > >
> > > I decided to strip off all extra parameters and create a very basic
> > > rule: “content: auto_prepend_file”. No luck catching the exploit.
> > > I used Scapy to send the “auto_prepend_file” string. Snort woke
> > > up. I used Scapy to send the whole string sent by Metasploit (I did a
> > > copy & paste of what I found in Wireshark). That works, Snort wakes
> > > up.
> > >
> > > I don’t understand why an http string sent by Scapy generates an
> > > alert whereas the same string sent by Metasploit keeps Snort silent. I
> > > am not even using evasion techniques.
> > >
> > > How do I get Snort to catch the exploit? I am worried other rules
> > > won't fire when they should.
> > >
> > > Thanks in advance.
> > >
> > > Links:
> > > ------
> > > [1] http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection
> >
> > Got a pcap?
> >
> > James
> >
> >
> > ------------------------------------------------------------------------------
> > Try New Relic Now & We'll Send You this Cool Shirt
> > New Relic is the only SaaS-based application performance monitoring service
> > that delivers powerful full stack analytics. Optimize and monitor your
> > browser, app, & servers with just a few lines of code. Try New Relic
> > and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
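As an added illustration (not part of this thread, and not a diagnosis of MA Bel's setup): a bare `content:"auto_prepend_file"` match can fire or stay silent depending on which buffer the rule is evaluated against. The request bytes, the segment boundary and the `match_*` helpers below are all constructed for the demo; the URI is shaped like a PHP-CGI argument-injection request but is not the Metasploit module's real URI.

```python
from urllib.parse import unquote

PATTERN = b"auto_prepend_file"

# Constructed request in the shape of a PHP-CGI argument-injection attempt
# (CVE-2012-1823): php.ini directives ride in the query string, with '=' and
# ':' URL-encoded. Sample data for the demo, not the real exploit URI.
REQUEST = (
    b"POST /cgi-bin/php?-d+allow_url_include%3dOn"
    b"+-d+auto_prepend_file%3dphp%3a%2f%2finput+-n HTTP/1.1\r\n"
    b"Host: lab.example\r\nContent-Length: 18\r\n\r\n"
    b"<?php phpinfo();?>"
)

def segment(payload: bytes, sizes):
    """Cut the byte stream into TCP-segment-sized pieces at constructed offsets."""
    pieces, pos = [], 0
    for n in sizes:
        pieces.append(payload[pos:pos + n])
        pos += n
    pieces.append(payload[pos:])
    return [p for p in pieces if p]

def match_per_packet(segments, pattern=PATTERN):
    """Content match run on each segment by itself, as a rule sees traffic
    when no stream reassembly is applied. A single crafted packet (the Scapy
    case) always passes this view; a pattern split across segments does not."""
    return any(pattern in s for s in segments)

def match_reassembled(segments, pattern=PATTERN):
    """Content match on the reassembled client-to-server stream."""
    return pattern in b"".join(segments)

def match_normalized_uri(request: bytes, pattern: bytes):
    """Content match against the URL-decoded request URI, i.e. the view an
    HTTP-aware buffer offers. Patterns that include '=' or '://' only match
    here, because the raw bytes carry %3d and %3a%2f%2f instead."""
    request_line = request.split(b"\r\n", 1)[0]
    uri = request_line.split(b" ", 2)[1]
    return pattern in unquote(uri.decode("ascii")).encode()
```

Comparing the three views on the same bytes shows why a rule should state its buffer (`http_uri`) and flow (`flow:to_server,established`) rather than rely on a raw match that happens to work for a one-packet test.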