Metasploit mailing list archives
how to identify the pattern
From: rhyskidd at gmail.com (Rhys Kidd)
Date: Thu, 13 Sep 2007 19:05:28 +0800
If you're trying to write a decently useful signature for this particular vulnerability, keep in mind this is but one of many exploits written for the MS06-001 patch. Having said this, most other exploits for MS06-001 are fairly similar (and static).

One will want their inspection engine's pre-processor to handle gzip, chunked encoding etc. generally, as these can be enabled or disabled as the attacker requires. Once your pre-processor supplies the raw bytes of the WMF record stream, have a look at the Metasploit module itself ( http://www.metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb ).

One will then need to find recurring and dependable patterns that are consistent across each 'instance' of the exploit Metasploit generates, and which aren't too prevalent in normal, non-malicious WMF records (otherwise users will complain of too many false positives). Here is where you will have problems. Vulnerabilities such as MS06-001 that have garnered a lot of publicity usually have very well written Metasploit modules. By well written, I mean modules that as far as possible use random characters, lengths and pre & post padding to make IDS/IPS signature writing as difficult as possible.

Rhys
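A structural detection check for the WMF record type the post refers to, added here as an example and not part of this thread or of the Metasploit module: it first undoes gzip (the pre-processor step the post describes), then walks the WMF record stream by each record's size prefix rather than by fixed byte offsets, so attacker-chosen pre/post padding and lengths do not move the match, and flags any META_ESCAPE record carrying the SETABORTPROC sub-function. The WMF constants are the standard Windows Metafile values; the sample files and the padding lengths are constructed for the test, with the escape data zero-filled.

```python
import gzip
import struct
# WMF constants are the standard Windows Metafile values (not taken from the post)
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header
META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETMAPMODE = 0x0103       # benign record used in the constructed samples
ESC_SETABORTPROC = 0x0009      # escape sub-function that MS06-001 modules emit

def raw_bytes(payload):
    """Stand-in for the inspection engine's pre-processor: undo gzip if present."""
    return gzip.decompress(payload) if payload[:2] == b"\x1f\x8b" else payload

def iter_records(data):
    """Walk WMF records by their size prefix, so padding cannot shift the match."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return                                   # no complete standard header
    off += struct.unpack_from("<H", data, off + 2)[0] * 2  # HeaderSize is in words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + max(size_words, 3) * 2   # size covers the 6-byte record header
        yield func, data[off + 6:end]        # a truncated record yields what exists
        if func == META_EOF or end > len(data):
            break
        off = end

def find_setabortproc(payload):
    """Return (record index, declared escape byte count) per SETABORTPROC escape."""
    hits = []
    for idx, (func, params) in enumerate(iter_records(raw_bytes(payload))):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == ESC_SETABORTPROC:
                hits.append((idx, byte_count))
    return hits

# Constructed samples (not captured traffic); params must be an even length.
def record(func, params):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def wmf(records):
    body = b"".join(records)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                       max(len(r) for r in records) // 2, 0) + body

BENIGN = wmf([record(META_SETMAPMODE, struct.pack("<H", 8)), record(META_EOF, b"")])

def suspect(pad_len):
    """SETABORTPROC escape whose data is zero-filled padding of variable (even) length."""
    esc = struct.pack("<HH", ESC_SETABORTPROC, pad_len) + b"\x00" * pad_len
    return wmf([record(META_SETMAPMODE, struct.pack("<H", 8)),
                record(META_ESCAPE, esc), record(META_EOF, b"")])

GZIPPED_SUSPECT = gzip.compress(suspect(6))   # as a gzip content-encoded response carries it
```

Because the match is on record structure, the same check fires whether the padding is 6 bytes or 12, and whether or not the file carries a placeable header.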