Vulnerability Development mailing list archives
Re: Remote exploit for popular Sniffer Ettercap.
From: Brian <bmc () snort org>
Date: Wed, 12 Dec 2001 19:51:57 -0500
The snort signatures released by GOBBLES Labs posted to their website at www.bugtraq.org/misc/GOBBLES.rules to catch this exploit are not valid. Not only does the string "GOBBLES IDENTIFY" never showup in the payload sent by the exploit, but if it did, that is an extremely simple string to evade. Below is a correctly working (and "official" :P) snort signature. alert tcp any any -> any any 6667 (msg:"EXPLOIT Ettercap IRC parse overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; dsize:>200; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:1;) -brian
Current thread:
- Remote exploit for popular Sniffer Ettercap. vuln-dev (Dec 12)
- Re: Remote exploit for popular Sniffer Ettercap. Brian (Dec 12)
- Re: Remote exploit for popular Sniffer Ettercap. Giorgio (Dec 12)
- Re: Remote exploit for popular Sniffer Ettercap. Blue Boar (Dec 12)
- <Possible follow-ups>
- Re: Remote exploit for popular Sniffer Ettercap. ALoR (Dec 12)