Snort mailing list archives
[SPAM] Re: Metasploit - CVE-2012-1823 - Snort Sleeping
From: rmkml <rmkml () yahoo fr>
Date: Fri, 26 Apr 2013 23:01:30 +0200 (CEST)
Hi,

Can you check without checksumming please? (snort ... -k none ...)

Regards
Rmkml

On Fri, 26 Apr 2013, MA Bel wrote:
> To: snort-sigs () lists sourceforge net
> Date: Fri, 26 Apr 2013 14:49:45 -0600
> From: jlay () slave-tothe-box net
> Subject: Re: [Snort-sigs] Metasploit - CVE-2012-1823 - Snort Sleeping
>
> On 2013-04-26 14:43, MA Bel wrote:
> > Hi,
> >
> > I found a working exploit (reverse shell) where Snort’s signature
> > fails to trigger an alert.
> >
> > In a lab I have 3 physical hosts: one Snort, one with BackTrack, and
> > one Ubuntu running Metasploitable in VirtualBox. I use Metasploit to
> > attack the Metasploitable VM; Snort is in passive (non-inline) mode.
> >
> > I came across CVE-2012-1823 (PHP CGI Argument Injection) which
> > corresponds to three potential Snort signatures: 22097, 22063, 22064.
> > Metasploit has a nice exploit that will give you a reverse shell. It
> > works.
> >
> > http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection
> > [1]
> >
> > SID 22063’s rule attempts to catch the string
> > “auto_prepend_file”. When the Metasploit exploit is launched,
> > Wireshark confirms that the string is indeed sent. I get a reverse
> > shell. I can list directories, move into them, delete stuff, etc., yet
> > Snort does not generate an alert. Yes, rules are up to date,
> > activated, etc. The basics are covered.
> >
> > I decided to strip off all extra parameters and create a very basic
> > rule: “content: auto_prepend_file”. No luck catching the exploit.
> > I used Scapy to send the “auto_prepend_file” string. Snort woke
> > up. I used Scapy to send the whole string sent by Metasploit (I did a
> > copy & paste of what I found in Wireshark). That works, Snort wakes
> > up.
> >
> > I don’t understand why an HTTP string sent by Scapy generates an
> > alert whereas the same string sent by Metasploit keeps Snort silent.
> > I am not even using evasion techniques.
> >
> > How do I get Snort to catch the exploit? I am worried other rules
> > won't fire when they should.
> >
> > Thanks in advance.
> >
> > Links:
> > ------
> > [1]
> > http://www.metasploit.com/modules/exploit/multi/http/php_cgi_arg_injection
>
> Got a pcap?
>
> James
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
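rmkml's `-k none` suggestion rests on Snort's default checksum verification: a packet whose IPv4 or TCP checksum does not verify is discarded before any rule is evaluated, and traffic captured on a host or VirtualBox guest that offloads checksum computation to the NIC often carries zeroed checksums. The following is an added example (mine, not code from the thread) that builds a constructed IPv4/TCP packet with and without valid checksums and verifies them the way a sensor would; the addresses, ports and request line are made-up values.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(payload: bytes, src: str, dst: str, sport: int, dport: int,
                   fill_checksums: bool = True) -> bytes:
    """Constructed IPv4 + TCP (PSH/ACK) packet. With fill_checksums=False the checksum
    fields stay zero, which is what a capture on the sending side sees when the
    NIC or hypervisor is expected to fill them in later (checksum offload)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                         64, 6, 0, src_b, dst_b)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    if fill_checksums:
        ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
        pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, 6, tcp_len)
        tcp_sum = ones_complement_sum(pseudo + tcp_hdr + payload)
        tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_sum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload

def verify_checksums(packet: bytes) -> dict:
    """A header whose checksum is valid sums (checksum field included) to all ones,
    so the complemented sum is zero. Returns the IP and TCP verdicts."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    ip_ok = ones_complement_sum(packet[:ihl]) == 0
    proto = packet[9]
    segment = packet[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0, proto, len(segment))
    tcp_ok = proto == 6 and ones_complement_sum(pseudo + segment) == 0
    return {"ip_ok": ip_ok, "tcp_ok": tcp_ok}

def demo():
    # Constructed request carrying the content string SID 22063 looks for.
    payload = b"GET /index.php?auto_prepend_file HTTP/1.1\r\nHost: lab\r\n\r\n"
    good = build_ipv4_tcp(payload, "192.0.2.10", "192.0.2.20", 40000, 80)
    offloaded = build_ipv4_tcp(payload, "192.0.2.10", "192.0.2.20", 40000, 80,
                               fill_checksums=False)
    return verify_checksums(good), verify_checksums(offloaded)
```

The second packet is the kind a sensor fed from a checksum-offloading host sees: the rule content is present, but with default checksum checking the packet never reaches rule matching, which is what `-k none` (or a capture taken off a physical span port) rules out.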
Current thread:
- Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping lists () packetmail net (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping lists () packetmail net (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping Alex McDonnell (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
- [SPAM] Re: Metasploit - CVE-2012-1823 - Snort Sleeping rmkml (Apr 26)
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 26)
- <Possible follow-ups>
- Re: Metasploit - CVE-2012-1823 - Snort Sleeping James Lay (Apr 26)
- Message not available
- FW: Metasploit - CVE-2012-1823 - Snort Sleeping MA Bel (Apr 29)
- Message not available