Dailydave mailing list archives

Re: Testing the quickness of signature writers


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 02 May 2006 10:39:24 -0400

Brian Caswell wrote:

On May 1, 2006, at 5:58 PM, Dave Aitel wrote:

So this is our basic IDS tester of the week. It's in the April
CANVAS release (that's today), and my bet is that NO IDS detects
it, since none of them were brave enough to send me a VM to test.
But now everyone has it, so we'll see if they have the ability to
quickly pump out a signature. It's an easier test than the
previous one, so we expect par time of less than one week. Less
than one day is considered a birdie. :>


If only the wife didn't expect me to eat dinner with the family,
then help the girls with their homework.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP horde help module arbitrary command execution attempt"; flow:established,to_server; uricontent:"/services/help/"; pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U"; classtype:web-application-attack;)

Brian


That's a bit like getting a hole in one....on the wrong hole. Seeing
as how I also thought it was April, when it's clearly May, we'll give
you a half point here for effort. But the movie:

http://www.immunityinc.com/documentation/BABYBOTTLE_cmdline.html
is not horde, but MS06-014. It's the RDS.DataStore exploit. The CANVAS
version has a wee encoder/decoder as well. One thing we found while
writing up the exploits for horde and for BABYBOTTLE was that all the
things you're used to seeing in the world of shellcode also apply to
scripting languages. Encoder/Decoders, callback/GOcode payloads, etc.
Scripting engines are both easier and harder. You don't have to worry
about what architecture you're on, and you do have some high-level
stuff to play with, but you lose access to the low level stuff, and
you have to account for platform/engine changes. Scripting languages
change pretty fast, and bits of them are supported on different
platforms. With Horde you can't really just drop a linux trojan to
disk and run it because you'll end up wondering why it didn't work
against your Win32 or BSD hosts.

Does your script break if I shove a space in between the \x3b and the
\x26? I try to understand snort signatures, but they're essentially
optimized to be exactly the opposite of what my brain can handle. PCRE
is here
http://www.snort.org/docs/snort_manual/node21.html#SECTION004510000000000000000
but maybe I'm not seeing it right.

- -dave



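To see what Brian's pcre actually accepts, and to check Dave's question about the space, here is an added Python check (not from the thread, and not Snort itself) that emulates the rule's uricontent gate and pcre over a few constructed URIs. The sample URIs and helper names are assumptions, and Dave's question is read as a space between ';' and '&' in the request; Python's re engine agrees with PCRE on this pattern.

```python
import re

# pcre body from Brian's rule; the trailing /U is a Snort buffer selector
# (match against the normalised URI), not a regex flag, so it is dropped.
HORDE_PCRE = r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]"
HORDE_RE = re.compile(HORDE_PCRE)
URICONTENT = "/services/help/"  # the rule's uricontent gate


def rule_matches(uri: str) -> bool:
    """Emulate the rule's URI checks: uricontent must hit, then the pcre."""
    return URICONTENT in uri and HORDE_RE.search(uri) is not None


def matched_text(uri: str) -> str:
    """Return the substring the pcre consumed, or '' if it did not match."""
    m = HORDE_RE.search(uri)
    return m.group(0) if m else ""


# Constructed sample URIs, not captured traffic (assumed values).
SAMPLES = {
    # ordinary help lookup: the greedy [a-zA-Z0-9]* backs off one char so
    # the final 'p' satisfies [^\x3b\x26]; the rule fires on benign use
    "/services/help/?module=help": True,
    # value terminated by '&': same backtracking, still fires
    "/services/help/?module=help&show=index": True,
    # Dave's space between the \x3b and the \x26 (as read here, in the
    # request): the value still backtracks onto 'p', so it still fires
    "/services/help/?module=help\x3b \x26show=index": True,
    # empty value followed directly by ';' or '&': nothing can satisfy
    # [^\x3b\x26], so the pcre does not fire at all
    "/services/help/?module=\x3bfoo": False,
    # right pattern, wrong path: the uricontent gate rejects it first
    "/other/?module=help": False,
}


def coverage_report() -> dict:
    """Map each constructed URI to (rule fires, substring the pcre consumed)."""
    return {u: (rule_matches(u), matched_text(u)) for u in SAMPLES}


if __name__ == "__main__":
    for uri, (fires, text) in coverage_report().items():
        print(f"{'ALERT' if fires else 'pass '} {uri!r:48} pcre={text!r}")
```

The takeaway for the signature is that the trailing `[^\x3b\x26]` is satisfied by the last alphanumeric of the value after backtracking, so the rule fires on any non-empty module value, including normal help requests.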