Snort mailing list archives
Re: SMTP ETRN overflow attempt
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 06 May 2003 16:07:17 -0400
At 11:37 AM 5/6/2003 -0500, NO JUNK MAIL wrote:
Would anybody have a raw packet or more info on what the packet looks like when it is a lagitamite attack.
The the DMail ETRN vulnerability is a classic linear buffer overflow attack. It's going to consist of the text "ETRN" (any case) followed by 500 bytes of arbitrary data ( can be absolutely anything with no CRs), followed by exploit code (can vary).
You might be able to narrow this up by looking for "ETRN " instead of "ETRN", as the space will need to be in there. Also note that this rule is coded to only look for this data at the start of a packet.
One well-known exploit (http://downloads.securityfocus.com/vulnerabilities/exploits/netwinroot.c) just fills the entire "don't care" buffer space with a return address, but the data itself (up to where the return address needs to be) can be *anything*.
As far as I can tell from reading around, the actual size of the buffer area prior to the return address is about 260ish bytes.
It should be noted that a DOS against this can be accomplished in under 500 bytes, so the rule will only detect an attack that is trying to gain access, not merely crash the dmail package.
------------------------------------------------------- Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SMTP ETRN overflow attempt NO JUNK MAIL (May 06)
- Re: SMTP ETRN overflow attempt Matt Kettler (May 06)