[Snort-sigs] Snort Rule

rmkml rmkml at ...174...
Mon Oct 27 06:09:48 EDT 2014


Hello Nicholas,

Maybe this url ?

http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html

""""
CVE-2013-0634

This exploit involves Adobe Flash player regex handling buffer overflow. 
The attacker overwrites the length of a Vector.<Number> object, and then 
reads more memory content to get base address of flash.ocx.

Here’s how the exploit works:

     Set up a continuous memory layout by allocating the following objects:
     Free the <Number> object at index 1 of the above objects as follows:

     obj[1] = null;
     Allocate the new RegExp object. This allocation reuses memory in the obj[1] position as follows:

     boom = "(?i)()()(?-i)||||||||||||||||||||||||";
     var trigger = new RegExp(boom, "");

Later, the malformed expression overwrites the length of a Vector.<Number> 
object in obj[2] to enlarge it. With a corrupted size, the attacker can 
use obj[2] to read from or write to memory in a huge region to locate the 
flash.ocx base address and overwrite a vftable to execute the payload.
"""

Regards
@Rmkml


On Mon, 27 Oct 2014, Nicholas Horton wrote:

> Anyone have the info for Snort ID 1:16400:8 ?
>
>
>
> Thanks!
>
> Nick
>
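Added example, not part of this post or the FireEye article it quotes: a minimal content-match detector for the malformed RegExp string shown in the quoted write-up. It does what a Snort content rule does, but on SWF bytes, and handles the caveat a practitioner hits first: a SWF whose signature is CWS is zlib-compressed after its 8-byte header, so the literal string is only visible after inflating the body. The sample inputs are constructed here, and the actual rule text of Snort SID 1:16400:8 is not known from this thread and is not reproduced.

```python
"""Content-match check for the CVE-2013-0634 RegExp string inside SWF data.

Example code added to this thread; it is not Snort's rule and not the
FireEye author's code. Sample SWF bytes below are constructed.
"""
import re
import struct
import zlib

# The string shown in the quoted write-up, escaped so it matches literally.
MALFORMED_REGEX = b"(?i)()()(?-i)||||||||||||||||||||||||"
PATTERN = re.compile(re.escape(MALFORMED_REGEX))


def swf_body(data: bytes) -> bytes:
    """Return the SWF payload after the 8-byte header, inflating CWS files.

    Header layout: 3-byte signature (FWS, CWS or ZWS), 1-byte version,
    4-byte little-endian uncompressed length. ZWS (LZMA) is left to the
    caller; non-SWF input is scanned as-is.
    """
    if len(data) < 8:
        return data
    sig = data[:3]
    if sig == b"CWS":
        try:
            return zlib.decompress(data[8:])  # zlib stream follows the header
        except zlib.error:
            return b""  # truncated or corrupt stream: nothing to match
    if sig == b"FWS":
        return data[8:]
    return data


def scan(data: bytes) -> list:
    """Offsets (within the inflated body) where the malformed RegExp appears."""
    body = swf_body(data)
    return [m.start() for m in PATTERN.finditer(body)]


def build_sample(compressed: bool) -> bytes:
    """Constructed SWF-like blob whose body embeds the malformed RegExp string."""
    body = b"\x00" * 32 + b'boom="' + MALFORMED_REGEX + b'"' + b"\x00" * 16
    header_len = struct.pack("<I", len(body) + 8)
    if compressed:
        return b"CWS" + bytes([13]) + header_len + zlib.compress(body)
    return b"FWS" + bytes([13]) + header_len + body


if __name__ == "__main__":
    for flag in (False, True):
        print("compressed" if flag else "plain", scan(build_sample(flag)))
```

Matching on the raw CWS bytes finds nothing, which is why a content match for this string has to run against the inflated SWF body rather than the wire bytes.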


More information about the Snort-sigs mailing list