Metasploit mailing list archives

how to identify the pattern


From: rhyskidd at gmail.com (Rhys Kidd)
Date: Thu, 13 Sep 2007 19:05:28 +0800

If you're trying to write a decently useful signature for this particular
vulnerability keep in mind this is but one of many exploits written for the
MS06-001 patch. Having said this, most other exploits for MS06-001 are
fairly similar (and static).

One will want their inspection engine's pre-processor to handle gzip, chunked
encoding etc. generally, as these can be enabled or disabled as the attacker
requires. Once your pre-processor supplies the raw bytes of the WMF record
stream, have a look at the Metasploit module itself (
http://www.metasploit.com/dev/trac/browser/framework3/trunk/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb
).

One will then need to find recurring and dependable patterns that are
consistent across each 'instance' of the exploit Metasploit generates, and
which aren't too prevalent in normal, non-malicious WMF records (otherwise
users will complain of too many false positives). Here is where you will
have problems. Vulnerabilities such as MS06-001 that have garnered a lot of
publicity usually have very well written Metasploit modules. By well
written, I mean modules that as far as possible use random characters,
lengths and pre & post padding to make IDS/IPS signature writing as
difficult as possible.

Rhys
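The structural approach Rhys describes, walking the decoded WMF record stream rather than matching fixed byte offsets, as an added example in Python that is not from the post or from the Metasploit module it links to. It assumes the standard WMF layout (optional 22-byte placeable header keyed 0x9AC6CDD7, 18-byte metafile header, then records of a 32-bit size-in-words plus 16-bit function number) and the documented function numbers META_ESCAPE = 0x0626 and Escape sub-function SETABORTPROC = 9. The two sample files below are constructed in the block itself and contain no exploit payload; the suspect one puts a random-length filler record in front so the detector has to find the record by structure.

```python
import os
import random
import struct

# GDI metafile record function numbers (from the WMF specification)
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_SETROP2 = 0x0104
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009            # Escape sub-function number
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7, little-endian


def iter_records(data):
    """Yield (function, params) for every record in a WMF byte string.

    Raises ValueError on a truncated header or an ill-sized record so a
    caller can treat malformed input as its own signal.
    """
    off = 22 if data[:4] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if size_words < 3 or off + rec_len > len(data):
            raise ValueError("malformed record at offset %d" % off)
        yield func, data[off + 6:off + rec_len]
        if func == META_EOF:
            return
        off += rec_len


def find_setabortproc(data):
    """Return indices of META_ESCAPE records whose sub-function is SETABORTPROC.

    Benign metafiles almost never carry this escape, which is what makes it
    a dependable low-false-positive pattern regardless of padding.
    """
    hits = []
    for idx, (func, params) in enumerate(iter_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params)[0] == SETABORTPROC:
                hits.append(idx)
    return hits


# --- constructed samples; not real files and not exploit data ---
def _record(func, params=b""):
    if len(params) % 2:          # record sizes are in 16-bit words
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    # type=1 (memory), header size 9 words, version 3.0, size, objects, max record, reserved
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN = _wmf([_record(META_SETBKCOLOR, b"\xff\xff\xff\x00"), _record(META_EOF)])

# Random-length filler first, mimicking the varying pre-padding the post
# mentions; the Escape record's index is still stable because we parse records.
SUSPECT = _wmf([
    _record(META_SETROP2, os.urandom(2 * random.randint(1, 16))),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + bytes(range(8))),
    _record(META_EOF),
])

if __name__ == "__main__":
    print("benign :", find_setabortproc(BENIGN))   # []
    print("suspect:", find_setabortproc(SUSPECT))  # [1]
```

Because the check keys on the record header and sub-function rather than on surrounding bytes, randomised padding and record lengths do not move the match; the cost is that the inspection engine must first deliver the fully decoded (un-gzipped, de-chunked) object, which is the pre-processor requirement the post opens with.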

