Snort mailing list archives

FP 12634


From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 12 Oct 2010 09:18:12 -0600

Rule:


exploit.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2";
flow:to_client,established; content:"MM|00|*";
byte_jump:4,0,relative,big; content:"|01 02 00 03|"; distance:-8;
byte_test:4,>,6,0,relative,big; metadata:service http;
reference:cve,2007-2217;
reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx;
classtype:attempted-user; sid:12634; rev:5;)


Rule hit:

10/12-09:00:44.468266  [**] [1:12634:5] EXPLOIT Microsoft Kodak Imaging
large offset malformed tiff 2 [**] [Classification: Attempted User
Privilege Gain] [Priority: 1] {TCP} 65.55.87.115:80 -> external_ip:37350


Partial packet dump:

09:00:44.470269 IP 65.55.87.115.80 > 66.193.105.132.37350: Flags [P.],
ack 1, win 65535, length 1169

        0x0000:  4500 04b9 a4fd 4000 3906 5352 4137 5773  E.....@.9.SRA7Ws
        0x0010:  42c1 6984 0050 91e6 36ee cf5f ef5a bdc2  B.i..P..6.._.Z..
        0x0020:  5018 ffff 1c09 0000 0000 0000 0002 0601  P...............
        0x0030:  0507 0003 04ff c400 3410 0001 0302 0501  ........4.......
        0x0040:  0604 0407 0000 0000 0000 0102 0311 0004  ................
        0x0050:  0506 1221 3113 0722 3241 5161 7191 a1b1  ...!1.."2AQaq...
        0x0060:  1415 81f0 1733 5282 92a2 c2ff c400 1a01  .....3R.........
        0x0070:  0002 0301 0100 0000 0000 0000 0000 0000  ................
        0x0080:  0304 0102 0500 06ff c400 2411 0002 0104  ..........$.....
        0x0090:  0201 0403 0000 0000 0000 0000 0102 0003  ................
        0x00a0:  0411 1221 3151 4142 61a1 0515 32ff da00  ...!1QABa...2...
        0x00b0:  0c03 0100 0211 0311 003f 00a3 404e e78f  .........?..@N..
        0x00c0:  3902 4fca 8b48 de0a 47b4 6f5c 0260 2756  9.O..H..G.o\.`'V

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
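Added example, not part of the post above: a Python emulation of the five detection options in sid 12634, written against Snort 2.x pointer semantics as assumed here (each relative option starts at the previous option's end pointer, byte_jump lands past the bytes it read plus the value read, and a content match is retried at later occurrences when a following option fails). The three TIFF buffers are constructed; only the last one borrows the 01 02 00 03 04 11 12 21 byte run that is visible at offset 0x9c of the dump above.

```python
import struct

MAGIC = b"MM\x00*"               # content:"MM|00|*"  big-endian TIFF header
TAG_TYPE = b"\x01\x02\x00\x03"   # content:"|01 02 00 03|"  tag 0x0102, type SHORT

def occurrences(buf, pattern, start):
    """Every offset of pattern at or after start; Snort retries a content
    match at the next occurrence when a following option fails."""
    pos = buf.find(pattern, max(start, 0))
    while pos >= 0:
        yield pos
        pos = buf.find(pattern, pos + 1)

def rule_12634_matches(payload):
    """Emulate sid 12634's detection options. 'doe' is Snort's
    detect-offset-end pointer: each relative option starts where the last stopped."""
    for magic_pos in occurrences(payload, MAGIC, 0):
        doe = magic_pos + len(MAGIC)
        # byte_jump:4,0,relative,big -> read the 4-byte IFD offset at doe, then
        # move the pointer past those 4 bytes plus the value read (Snort 2.x)
        if doe + 4 > len(payload):
            continue
        doe += 4 + struct.unpack(">I", payload[doe:doe + 4])[0]
        if doe > len(payload):
            continue
        # content:"|01 02 00 03|"; distance:-8 -> search from doe-8 to the END
        # of the buffer: there is no 'within', so the search is unbounded
        for tag_pos in occurrences(payload, TAG_TYPE, doe - 8):
            count_at = tag_pos + len(TAG_TYPE)
            # byte_test:4,>,6,0,relative,big -> the IFD entry's 4-byte count
            if count_at + 4 <= len(payload) and \
                    struct.unpack(">I", payload[count_at:count_at + 4])[0] > 6:
                return True
    return False

def tiff_be(entries):
    """Constructed minimal big-endian TIFF: header, IFD at offset 8, entries
    given as (tag, type, count, value), no next IFD."""
    ifd = b"".join(struct.pack(">HHII", *e) for e in entries)
    return MAGIC + struct.pack(">IH", 8, len(entries)) + ifd + b"\0\0\0\0"

# 1) BitsPerSample (0x0102) SHORT, count 3: an ordinary RGB image, no alert
BENIGN = tiff_be([(0x0100, 3, 1, 16 << 16), (0x0102, 3, 3, 0)])
# 2) the same entry with an oversized count: the condition the rule targets
SUSPECT = tiff_be([(0x0100, 3, 1, 16 << 16), (0x0102, 3, 0x7FFFFFFF, 0)])
# 3) benign IFD followed by a constructed JPEG-style DHT segment that ends with
#    the 01 02 00 03 04 11 12 21 run visible at offset 0x9c of the dump above
EXIF_LIKE = BENIGN + (b"\xff\xc4\x00\x24\x11\x00\x02\x01\x04\x02\x01\x04\x03"
                      + b"\x00" * 8 + b"\x01\x02\x00\x03\x04\x11\x12\x21\x31\x51")
```

Running the three buffers through rule_12634_matches shows that a benign IFD followed later in the same stream by a 01 02 00 03 sequence with a large 4-byte value still satisfies byte_test, because the second content has no within to keep the search inside the IFD. Bounding that content with a within would tie the match to the IFD entry the rule is actually describing.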