Vulnerability Development mailing list archives

Re: Remote exploit for popular Sniffer Ettercap.


From: Brian <bmc () snort org>
Date: Wed, 12 Dec 2001 19:51:57 -0500

The snort signatures released by GOBBLES Labs posted to their website
at www.bugtraq.org/misc/GOBBLES.rules to catch this exploit are not 
valid.

Not only does the string "GOBBLES IDENTIFY" never show up in the
payload sent by the exploit, but if it did, that is an extremely 
simple string to evade.

Below is a correctly working (and "official" :P) snort signature.

alert tcp any any -> any 6667 (msg:"EXPLOIT Ettercap IRC parse overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; dsize:>200; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:1;)

-brian
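
The conditions in the signature above, modelled in Python and run over constructed segments to show which traffic it alerts on. This is an added example, not part of the original post and not Snort's own code; the Segment class and function names are hypothetical, and it looks at one segment at a time with no stream reassembly.

```python
from dataclasses import dataclass

TCP_ACK = 0x10                           # ACK bit of the TCP flags byte
CONTENT = b"privmsg nickserv identify"   # rule content, lower-cased for nocase


@dataclass
class Segment:                           # hypothetical stand-in for one TCP segment
    dst_port: int
    flags: int
    payload: bytes


def matches_sid_1382(seg: Segment) -> bool:
    """Apply the rule's header and options to a single segment."""
    if seg.dst_port != 6667:             # rule header: destination port 6667
        return False
    if not seg.flags & TCP_ACK:          # flags:A+  (ACK set, other bits ignored)
        return False
    if len(seg.payload) <= 200:          # dsize:>200
        return False
    # content + nocase; offset:0 with no depth searches the whole payload
    return CONTENT in seg.payload.lower()


# Constructed sample segments (not captured traffic, no exploit payload).
LONG = b"PRIVMSG nickserv IDENTIFY " + b"A" * 300 + b"\r\n"
SAMPLES = {
    "oversized identify": Segment(6667, 0x18, LONG),
    "oversized, mixed case": Segment(6667, 0x18, LONG.swapcase()),
    "normal identify": Segment(6667, 0x18, b"PRIVMSG nickserv IDENTIFY hunter2\r\n"),
    "long channel message": Segment(6667, 0x18, b"PRIVMSG #chan :" + b"C" * 300),
    "no ACK flag": Segment(6667, 0x02, LONG),
    "other port": Segment(6668, 0x18, LONG),
}


def evaluate_samples() -> dict:
    return {name: matches_sid_1382(seg) for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

An ordinary short IDENTIFY does not alert because of dsize:>200, and the mixed-case variant still alerts because of nocase.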

