[Snort-users] SMTP ETRN overflow attempt
mkettler at ...4108...
Tue May 6 13:09:03 EDT 2003
At 11:37 AM 5/6/2003 -0500, NO JUNK MAIL wrote:
> Would anybody have a raw packet or more info on what the packet looks
> like when it is a legitimate attack.
The DMail ETRN vulnerability is a classic linear buffer overflow
attack. It's going to consist of the text "ETRN" (any case) followed by 500
bytes of arbitrary data (can be absolutely anything with no CRs), followed
by exploit code (can vary).
You might be able to narrow this up by looking for "ETRN " instead of
"ETRN", as the space will need to be in there. Also note that this rule is
coded to only look for this data at the start of a packet.
One well-known exploit just fills the entire "don't care" buffer space with
a return address, but the data itself (up to where the return address needs
to be) can be
As far as I can tell from reading around, the actual size of the buffer
area prior to the return address is about 260ish bytes.
It should be noted that a DoS against this can be accomplished in under 500
bytes, so the rule will only detect an attack that is trying to gain
access, not merely crash the dmail package.
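The detection logic the reply describes, written out as an added Python example (not code from the post, from Snort, or from the DMail project): the check mirrors the rule as described, requiring "ETRN " with the space, inspecting only the start of the packet, and demanding 500 CR-free bytes. The 500-byte trigger comes from the post; the 260-byte "buffer estimate" threshold used to flag shorter, crash-sized arguments is taken from the writer's rough figure and is an assumption. The `scan_payload` helper goes one step beyond the rule by checking every command line in the packet, which shows why an ETRN pipelined behind another command is missed by a start-of-packet check. All sample payloads are constructed filler, not captured traffic.

```python
# Thresholds from the post: the Snort rule fires on "ETRN" followed by
# 500 bytes with no CR; the writer estimates the buffer before the return
# address at roughly 260 bytes and notes a crash (DoS) fits in under 500.
OVERFLOW_LEN = 500      # the rule's trigger length, as stated in the post
BUFFER_ESTIMATE = 260   # "about 260ish bytes" (assumption, from the post's estimate)


def etrn_arg_length(line: bytes):
    """Length of the ETRN argument if `line` begins with "ETRN " (any case),
    otherwise None.  The argument ends at the first CR; when no CR is present
    the rest of the bytes count, which is exactly the case the rule targets."""
    if len(line) < 5 or line[:5].upper() != b"ETRN ":
        return None
    body = line[5:]
    cr = body.find(b"\r")
    return len(body) if cr < 0 else cr


def matches_overflow_rule(payload: bytes) -> bool:
    """Mirror the rule as the post describes it: only the start of the packet
    is inspected, the space after ETRN is required, and at least 500 CR-free
    bytes must follow."""
    n = etrn_arg_length(payload)
    return n is not None and n >= OVERFLOW_LEN


def classify_etrn(line: bytes) -> str:
    """Three buckets: what the rule catches, what exceeds the estimated buffer
    but stays under the rule's 500 bytes (the crash-only case the post warns
    is not detected), and ordinary ETRN usage."""
    n = etrn_arg_length(line)
    if n is None:
        return "not-etrn"
    if n >= OVERFLOW_LEN:
        return "overflow-attempt"
    if n > BUFFER_ESTIMATE:
        return "oversized-possible-crash"
    return "normal"


def scan_payload(payload: bytes):
    """Check every command line in a packet, not just the first, so an ETRN
    that is pipelined behind another command is still examined.  Lines are
    split on CR (the only terminator the rule cares about) and a leading LF
    from the preceding CRLF is dropped.  Returns (line_index, classification)
    for each ETRN line found."""
    findings = []
    for i, chunk in enumerate(payload.split(b"\r")):
        line = chunk.lstrip(b"\n")
        cls = classify_etrn(line)
        if cls != "not-etrn":
            findings.append((i, cls))
    return findings


if __name__ == "__main__":
    # Constructed sample payloads (filler bytes only, no real traffic).
    samples = {
        "normal ETRN": b"ETRN example.org\r\n",
        "300-byte argument": b"ETRN " + b"A" * 300 + b"\r\n",
        "600 bytes, lowercase": b"etrn " + b"A" * 600,
        "no space after ETRN": b"ETRN" + b"A" * 600,
        "pipelined behind HELO": b"HELO x\r\nETRN " + b"A" * 600,
    }
    for name, p in samples.items():
        print(f"{name:24} rule={matches_overflow_rule(p)!s:5} "
              f"lines={scan_payload(p)}")
```

The "no space after ETRN" sample shows why requiring "ETRN " tightens the match, and the "pipelined" sample shows the start-of-packet limitation the reply points out: the rule-equivalent check returns False while the per-line scan still flags the ETRN line.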