Snort mailing list archives

Re: Snort Rule


From: rmkml <rmkml () yahoo fr>
Date: Mon, 27 Oct 2014 11:09:48 +0100 (CET)

Hello Nicholas,

Maybe this url ?

http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html

""""
CVE-2013-0634

This exploit involves Adobe Flash player regex handling buffer overflow. The attacker overwrites the length of a Vector.<Number> object, and then reads more memory content to get base address of flash.ocx.

Here’s how the exploit works:

    1. Set up a continuous memory layout by allocating the following objects:
    2. Free the <Number> object at index 1 of the above objects as follows:

       obj[1] = null;

    3. Allocate the new RegExp object. This allocation reuses memory in the obj[1] position as follows:

       boom = "(?i)()()(?-i)||||||||||||||||||||||||";
       var trigger = new RegExp(boom, "");

Later, the malformed expression overwrites the length of a Vector.<Number> object in obj[2] to enlarge it. With a corrupted size, the attacker can use obj[2] to read from or write to memory in a huge region to locate the flash.ocx base address and overwrite a vftable to execute the payload.
"""

Regards
@Rmkml
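The rule body of SID 1:16400:8 is not on this page, so the following is not that rule and not code from the FireEye write-up; it is an added, constructed example of the kind of content check a detection engineer would write for the malformed RegExp string quoted above. It treats the literal `(?i)()()(?-i)||||...` trigger as a `content:`-style substring match and adds a looser PCRE-style heuristic (the fixed prefix followed by a run of at least MIN_PIPES empty alternations) so a shortened or padded variant still fires. The byte buffers it scans are constructed stand-ins, not real SWF files or captured traffic.

```python
"""
Hypothetical detection for the CVE-2013-0634 RegExp trigger string.
Not the content of Snort SID 1:16400:8 (not on this page); an added,
constructed example of a content check plus a PCRE heuristic.
"""
import re

# The trigger string exactly as quoted in the FireEye write-up.
TRIGGER = b"(?i)()()(?-i)||||||||||||||||||||||||"

# Heuristic: the fixed prefix `(?i)()()(?-i)` (case-insensitive flag
# toggled around two empty groups) followed by a long run of empty
# alternations. MIN_PIPES is an assumed threshold, not from the page.
MIN_PIPES = 8
HEURISTIC = re.compile(rb"\(\?i\)\(\)\(\)\(\?-i\)\|{%d,}" % MIN_PIPES)


def match_exact(buf: bytes) -> bool:
    """Equivalent of a Snort `content:` check: literal substring match."""
    return TRIGGER in buf


def match_heuristic(buf: bytes) -> list:
    """Byte offsets where the looser PCRE-style heuristic matches."""
    return [m.start() for m in HEURISTIC.finditer(buf)]


def scan(buf: bytes) -> dict:
    """Run both checks over one buffer and report the result."""
    return {"exact": match_exact(buf), "heuristic_offsets": match_heuristic(buf)}


# Constructed sample buffers (assumed, not real traffic or malware):
SAMPLES = {
    # uncompressed SWF-like header, then an ordinary regex literal
    "benign_swf_like": b"FWS\x0a" + b"\x00" * 32 + b"var re = new RegExp('abc|def', '');",
    # the quoted trigger embedded after 20 bytes of padding
    "trigger_literal": b"CWS\x0a" + b"\x00" * 16 + TRIGGER + b"\x00" * 8,
    # same prefix but only 10 alternations: exact match fails, heuristic fires
    "trigger_variant": b"\x00" * 4 + b"(?i)()()(?-i)" + b"|" * 10 + b"\x00",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, scan(buf))
```

The exact check is what a `content:` match buys you: no false positives on the published string, but trivially evaded by changing the pipe count. The heuristic trades a little precision for resilience, which is why real rules for a bug like this usually pair a short `content:` anchor (for the fast-pattern matcher) with a `pcre:` that tolerates variation.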


On Mon, 27 Oct 2014, Nicholas Horton wrote:

Anyone have the info for Snort ID 1:16400:8 ?



Thanks!

Nick
------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!