[Snort-users] SMTP ETRN overflow attempt

Matt Kettler mkettler at ...4108...
Tue May 6 13:09:03 EDT 2003


At 11:37 AM 5/6/2003 -0500, NO JUNK MAIL wrote:
>  Would anybody have a raw packet or more info on what the packet looks 
> like when it is a legitimate attack.

The DMail ETRN vulnerability is a classic linear buffer overflow 
attack. It's going to consist of the text "ETRN" (any case) followed by 500 
bytes of arbitrary data ( can be absolutely anything with no CRs), followed 
by exploit code (can vary).

You might be able to narrow this down by looking for "ETRN " instead of 
"ETRN", as the space will need to be in there. Also note that this rule is 
coded to only look for this data at the start of a packet.

One well-known exploit 
(http://downloads.securityfocus.com/vulnerabilities/exploits/netwinroot.c) 
just fills the entire "don't care" buffer space with a return address, but 
the data itself (up to where the return address needs to be) can be 
*anything*.

As far as I can tell from reading around, the actual size of the buffer 
area prior to the return address is about 260ish bytes.

It should be noted that a DoS against this can be accomplished in under 500 
bytes, so the rule will only detect an attack that is trying to gain 
access, not merely crash the DMail package.
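As an added illustration, not part of Matt's post and not the Snort rule's own text, the check below applies the matching logic described above to a few constructed payloads: "ETRN" in any case at the start of the packet, followed by at least 500 bytes that contain no line ending. The 500-byte threshold, the optional "ETRN " (with space) refinement, the 260-ish byte filler, and all sample payloads are assumptions modelled on the description; nothing here is captured traffic or the actual rule options.

```python
import re

# Added example: detection logic modelled on the post's description of the
# Snort "SMTP ETRN overflow attempt" rule. The 500-byte threshold is taken
# from the post; the regexes are my approximation, not the rule's own options.
OVERFLOW_LEN = 500

# Loose form: "ETRN" at the start of the payload, then OVERFLOW_LEN bytes with
# no CR or LF. Strict form: the first of those bytes must be the space that a
# real SMTP ETRN command needs before its argument (the post's refinement).
ETRN_LOOSE = re.compile(rb"^ETRN[^\r\n]{%d}" % OVERFLOW_LEN, re.IGNORECASE)
ETRN_STRICT = re.compile(rb"^ETRN [^\r\n]{%d}" % (OVERFLOW_LEN - 1), re.IGNORECASE)


def etrn_overflow_attempt(payload: bytes, require_space: bool = True) -> bool:
    """True if the TCP payload matches the ETRN overflow pattern.

    Anchored with '^' and no MULTILINE flag, so like the rule described in
    the post it only fires when ETRN is at the very start of the packet.
    """
    pattern = ETRN_STRICT if require_space else ETRN_LOOSE
    return pattern.match(payload) is not None


def smtp_line_length(payload: bytes) -> int:
    """Length of the first SMTP command line, excluding CRLF (for reporting)."""
    end = payload.find(b"\r\n")
    return len(payload) if end < 0 else end


# Constructed sample payloads (not captured traffic).
LEGIT = b"ETRN relay.example.net\r\n"
# About 300 bytes: more than a 260-ish byte stack buffer, so it may crash the
# daemon, but below the 500-byte threshold, so the rule as described stays quiet.
DOS_ONLY = b"ETRN " + b"A" * 300 + b"\r\n"
# Exploit-shaped: filler up to the return address slot, a block repeating a
# placeholder 4-byte address, then placeholder code bytes. Well over 500 bytes.
EXPLOIT = (b"etrn " + b"\x41" * 260 + b"\xef\xbe\xad\xde" * 80
           + b"\x90" * 64 + b"\xcc" * 32 + b"\r\n")
# Same exploit data, but not at the start of the packet (pipelined after NOOP).
NOT_AT_START = b"NOOP\r\n" + EXPLOIT
# No space after ETRN: only the loose pattern sees this one.
NO_SPACE = b"ETRN" + b"B" * 600 + b"\r\n"

SAMPLES = {
    "legit": LEGIT,
    "dos_only": DOS_ONLY,
    "exploit": EXPLOIT,
    "not_at_start": NOT_AT_START,
    "no_space": NO_SPACE,
}


def classify_all(samples=SAMPLES) -> dict:
    """Run both pattern variants over every sample; returns name -> results."""
    return {
        name: {
            "line_len": smtp_line_length(p),
            "strict": etrn_overflow_attempt(p, require_space=True),
            "loose": etrn_overflow_attempt(p, require_space=False),
        }
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, r in classify_all().items():
        print(f"{name:13s} len={r['line_len']:4d} strict={r['strict']!s:5s} loose={r['loose']}")
```

The "dos_only" and "not_at_start" samples show the two gaps the post points out: a crash-only payload never reaches the threshold, and data that is not at the start of the packet is invisible to an anchored check, so a pipelined or split command line would need a different rule.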
