Snort mailing list archives
Possible FP 12280?
From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 22 Oct 2010 08:39:35 -0600
Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VML source file memory corruption"; flow:to_client,established; content:"imagedata"; nocase; pcre:"/<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*imagedata\s+[^>]*src\s*=\s*(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F/smi"; reference:bugtraq,25310; reference:cve,2007-1749; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-050.mspx; classtype:attempted-user; sid:12280; rev:2;)

Rule hit:

10/22-08:34:59.217505 [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 97.74.144.97:80 -> 66.193.105.132:16331

Packet dump:

08:34:59.217505 IP 97.74.144.97.80 > 66.193.105.132.16331: Flags [.], ack 3213, win 15008, length 1400
James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
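To check why the rule fires on the Office-generated VML seen in the dump, here is an added Python script (not part of the post or of the Snort rule set) that replays the rule's two stages, the nocase content check and the PCRE, against a constructed fragment modelled on the dump's ASCII column. The PCRE is taken as `src\s*=` (a space between `\s` and `*` in the archived text is assumed to be line wrapping); the hostname in the sample is a placeholder.

```python
import re
from typing import List

# PCRE from sid 12280 rev 2 as posted, read with "src\s*=" (an extra space in
# the archived text is assumed to be line wrapping).  Python's re module
# understands the (?P<name>...) and (?P=name) syntax the rule uses.
SID_12280_PCRE = (
    r"<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*imagedata\s+[^>]*src\s*=\s*"
    r"(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F"
)
# The rule's /smi modifiers map to DOTALL, MULTILINE and IGNORECASE.
PATTERN = re.compile(SID_12280_PCRE, re.S | re.M | re.I)

# Pulls out the src value of every namespaced imagedata element, for triage:
# the rule constrains only the element structure and the src character set,
# so this shows exactly which image reference satisfied it.
SRC_PATTERN = re.compile(
    r"<[A-Z]+\x3A\s*imagedata\s+[^>]*?src\s*=\s*(?P<q>\x22|\x27|)"
    r"(?P<src>[\w\x25\x2D\x2E]+)(?P=q)",
    re.I,
)

# Constructed fragment modelled on the ASCII column of the packet dump in the
# post: Office-generated VML, a <v:rect> wrapping a <v:imagedata src=...>.
BENIGN_VML = (
    '<!--[if gte vml 1]><v:rect id="_x0000_s1237"\r\n'
    " href=\"http://www.example.invalid/\" style='position:absolute'>\r\n"
    ' <v:imagedata src="image706.png" o:title=""/>\r\n'
    "</v:rect><![endif]-->"
)


def rule_matches(payload: str) -> bool:
    """Mirror the rule's two stages: the nocase content check, then the PCRE."""
    if "imagedata" not in payload.lower():
        return False
    return PATTERN.search(payload) is not None


def imagedata_srcs(payload: str) -> List[str]:
    """List the src values that satisfy the rule's src constraint."""
    return [m.group("src") for m in SRC_PATTERN.finditer(payload)]


if __name__ == "__main__":
    print("benign VML fires sid 12280:", rule_matches(BENIGN_VML))
    print("src values:", imagedata_srcs(BENIGN_VML))
    print('plain <img> fires:', rule_matches('<img src="a.png">'))
```

Any page or HTML mail carrying a `<v:...>` element followed by a `<v:imagedata src=...>` with an ordinary file name satisfies the pattern, which is why a vendor link rendered with Office VML triggers it.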
Current thread:
- Possible FP 12280? Lay, James (Oct 22)
- Re: Possible FP 12280? L0rd Ch0de1m0rt (Oct 22)