Snort mailing list archives
Re: Snort Rule
From: rmkml <rmkml () yahoo fr>
Date: Mon, 27 Oct 2014 11:09:48 +0100 (CET)
Hello Nicholas,

Maybe this url ?
http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html

"""
CVE-2013-0634

This exploit involves Adobe Flash player regex handling buffer overflow. The attacker overwrites the length of a Vector.<Number> object, and then reads more memory content to get base address of flash.ocx.

Here's how the exploit works:

Set up a continuous memory layout by allocating the following objects:

Free the <Number> object at index 1 of the above objects as follows:

obj[1] = null;

Allocate the new RegExp object. This allocation reuses memory in the obj[1] position as follows:

boom = "(?i)()()(?-i)||||||||||||||||||||||||";
var trigger = new RegExp(boom, "");

Later, the malformed expression overwrites the length of a Vector.<Number> object in obj[2] to enlarge it. With a corrupted size, the attacker can use obj[2] to read from or write to memory in a huge region to locate the flash.ocx base address and overwrite a vftable to execute the payload.
"""

Regards
@Rmkml

On Mon, 27 Oct 2014, Nicholas Horton wrote:
Anyone have the info for Snort ID 1:16400:8 ? Thanks! Nick
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort Rule Nicholas Horton (Oct 26)
- Snort Rule Nicholas Horton (Oct 26)
- Re: Snort Rule rmkml (Oct 27)