Re: SMTP ETRN overflow attempt

[Matt Kettler <mkettler () evi-inc com>]

At 11:37 AM 5/6/2003 -0500, NO JUNK MAIL wrote:
>  Would anybody have a raw packet or more info on what the packet looks 
> like when it is a lagitamite attack.

The the DMail ETRN vulnerability is a classic linear buffer overflow 
attack. It's going to consist of the text "ETRN" (any case) followed by 500 
bytes of arbitrary data ( can be absolutely anything with no CRs), followed 
by exploit code (can vary).

You might be able to narrow this up by looking for "ETRN " instead of 
"ETRN", as the space will need to be in there. Also note that this rule is 
coded to only look for this data at the start of a packet.

One well-known exploit 
(http://downloads.securityfocus.com/vulnerabilities/exploits/netwinroot.c) 
just fills the entire "don't care" buffer space with a return address, but 
the data itself (up to where the return address needs to be) can be 
*anything*.

As far as I can tell from reading around, the actual size of the buffer 
area prior to the return address is about 260ish bytes.

It should be noted that a DOS against this can be accomplished in under 500 
bytes, so the rule will only detect an attack that is trying to gain 
access, not merely crash the dmail package. 



-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users