Dailydave mailing list archives
Re: Testing the quickness of signature writers
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 02 May 2006 10:39:24 -0400
Brian Caswell wrote:
> On May 1, 2006, at 5:58 PM, Dave Aitel wrote:
>> So this is our basic IDS tester of the week. It's in the April CANVAS release (that's today), and my bet is that NO IDS detects it, since none of them were brave enough to send me a VM to test. But now everyone has it, so we'll see if they have the ability to quickly pump out a signature. It's an easier test than the previous one, so we expect par time of less than one week. Less than one day is considered a birdie. :>
>
> If only the wife didn't expect me to eat dinner with the family, then help the girls with their homework.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP horde help module arbitrary command execution attempt"; flow:established,to_server; uricontent:"/services/help/"; pcre:"/[\?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U"; classtype:web-application-attack;)
>
> Brian

That's a bit like getting a hole in one....on the wrong hole. Seeing as how I also thought it was April, when it's clearly May, we'll give you a half point here for effort. But the movie:
http://www.immunityinc.com/documentation/BABYBOTTLE_cmdline.html
is not horde, but MS06-014. It's the RDS.DataStore exploit. The CANVAS version has a wee encoder/decoder as well.

One thing we found while writing up the exploits for horde and for BABYBOTTLE was that all the things you're used to seeing in the world of shellcode also apply to scripting languages. Encoder/Decoders, callback/GOcode payloads, etc. Scripting engines are both easier and harder. You don't have to worry about what architecture you're on, and you do have some high-level stuff to play with, but you lose access to the low-level stuff, and you have to account for platform/engine changes. Scripting languages change pretty fast, and bits of them are supported on different platforms. With Horde you can't really just drop a linux trojan to disk and run it because you'll end up wondering why it didn't work against your Win32 or BSD hosts.

Does your script break if I shove a space in between the \x3b and the \x26? I try to understand snort signatures, but they're essentially optimized to be exactly the opposite of what my brain can handle. PCRE is here
http://www.snort.org/docs/snort_manual/node21.html#SECTION004510000000000000000
but maybe I'm not seeing it right.

-dave
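Dave's question about shoving a space between the \x3b and the \x26 is the kind of thing that is quicker to answer by running the signature's PCRE over a handful of request lines than by reading it. The harness below is an added example for this archive page, not code from Brian's post or from Snort. It takes the uricontent and pcre clauses of the rule quoted above (with the spaces that the archive's line wrapping inserted into the pcre removed), approximates Snort's /U normalized-URI buffer by percent-decoding the request URI (an assumption; the real http_inspect preprocessor does more), and reports which constructed request lines would fire the rule. All request lines are made up for the example, not captured traffic.

```python
import re
from urllib.parse import unquote

# URI clauses copied from the rule quoted in Brian's post. The archive's line
# wrapping put spaces inside the pcre; they are removed here (assumption).
URICONTENT = "/services/help/"
PCRE = re.compile(r"[\?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")


def normalize_uri(raw_uri: str) -> str:
    """Stand-in for the normalized URI buffer that the /U modifier inspects.

    Assumption: only percent-decoding is modelled. Snort's http_inspect also
    normalizes things like multiple slashes and directory traversal, which
    this toy deliberately leaves out.
    """
    return unquote(raw_uri)


def rule_matches(request_line: str) -> bool:
    """Apply the rule's uricontent and pcre clauses to one HTTP request line.

    Returns True when both clauses match the normalized URI, i.e. when the
    signature would fire on that request.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    norm = normalize_uri(parts[1])
    if URICONTENT not in norm:            # uricontent:"/services/help/"
        return False
    return PCRE.search(norm) is not None   # pcre:"/[\?\x3b\x26]module=.../U"


def evaluate(request_lines):
    """Return {request_line: fired} for a batch of request lines."""
    return {line: rule_matches(line) for line in request_lines}


# Constructed request lines (not captured traffic). The third one is the
# "space between the ; and the &" variant Dave asks about, percent-encoded.
SAMPLE_REQUESTS = [
    "GET /horde/services/help/?module=help HTTP/1.1",
    "GET /horde/services/help/?show=index&module=horde HTTP/1.1",
    "GET /horde/services/help/?module=help%20%3B&x=1 HTTP/1.1",
    "GET /horde/services/help/?module=;&x=1 HTTP/1.1",
    "GET /horde/services/help/?module= HTTP/1.1",
    "GET /horde/index.php?module=help HTTP/1.1",
]

if __name__ == "__main__":
    for line, fired in evaluate(SAMPLE_REQUESTS).items():
        print(f"{'ALERT' if fired else '  -  '}  {line}")
```

Running it shows what the pcre actually keys on: `[a-zA-Z0-9]*` is greedy but can backtrack, so the trailing `[^\x3b\x26]` is satisfied by any non-`;`/`&` character, including a letter of the module name itself. The rule therefore fires on every request to the help path whose module value is non-empty (the plain `module=help` line included, space or no space), and stays quiet only when the value is empty or starts with `;` or `&`, or when the URI lacks `/services/help/`. Whether that is the intended trade-off is for the signature writer to say; the harness just makes it visible.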
Current thread:
- Testing the quickness of signature writers Dave Aitel (May 01)
- Re: Testing the quickness of signature writers Brian Caswell (May 01)
- Re: Testing the quickness of signature writers Dave Aitel (May 02)
- RE: Testing the quickness of signature writers Dave Korn (May 02)
- RE: Testing the quickness of signature writers M. Shirk (May 02)
- Re: Testing the quickness of signature writers Dave Aitel (May 02)
- Re: Testing the quickness of signature writers Brian Caswell (May 02)
- RE: Testing the quickness of signature writers Dave Korn (May 02)
- Re: Testing the quickness of signature writers Dave Aitel (May 02)
- Re: Testing the quickness of signature writers Brian Caswell (May 01)
- Re: Testing the quickness of signature writers Brian Caswell (May 02)