Snort mailing list archives
Possible FP 12280?
From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 22 Oct 2010 08:39:35 -0600
Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT VML source file memory corruption"; flow:to_client,established; content:"imagedata"; nocase; pcre:"/<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*imagedata\s+[^>]*src\s*=\s*(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F/smi"; reference:bugtraq,25310; reference:cve,2007-1749; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-050.mspx; classtype:attempted-user; sid:12280; rev:2;)
Rule hit:
10/22-08:34:59.217505 [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 97.74.144.97:80 -> 66.193.105.132:16331
Packet dump:
08:34:59.217505 IP 97.74.144.97.80 > 66.193.105.132.16331: Flags [.], ack 3213, win 15008, length 1400
0x0000:  4500 05a0 559d 4000 3906 48ca 614a 9061  E...U.@.9.H.aJ.a
0x0010:  42c1 6984 0050 3fcb e7d4 6a57 5dea 813c  B.i..P?...jW]..<
0x0020:  5010 3aa0 d0f8 0000 2254 6578 7420 426f  P.:....."Text.Bo
0x0030:  783a 204f 7220 436c 6963 6b20 4865 7265  x:.Or.Click.Here
0x0040:  2074 6f20 5072 696e 7420 616e 204f 7264  .to.Print.an.Ord
0x0050:  6572 2046 6f72 6d26 2331 333b 220d 0a76  er.Form&#13;"..v
0x0060:  3a73 6861 7065 733d 225f 7830 3030 305f  :shapes="_x0000_
0x0070:  7331 3233 3222 3e3c 2f73 7061 6e3e 3c21  s1232"></span><!
0x0080:  5b65 6e64 6966 5d3e 3c21 2d2d 5b69 6620  [endif]><!--[if.
0x0090:  6774 6520 766d 6c20 315d 3e3c 763a 7265  gte.vml.1]><v:re
0x00a0:  6374 2069 643d 225f 7830 3030 305f 7331  ct.id="_x0000_s1
0x00b0:  3233 3722 0d0a 2068 7265 663d 2268 7474  237"...href="htt
0x00c0:  703a 2f2f 7777 772e 6d61 7071 7565 7374  p://www.mapquest
0x00d0:  2e63 6f6d 2f6d 712f 352d 6a30 6667 3973  .com/mq/5-j0fg9s
0x00e0:  716c 664b 7461 2220 7374 796c 653d 2770  qlfKta".style='p
0x00f0:  6f73 6974 696f 6e3a 6162 736f 6c75 7465  osition:absolute
0x0100:  3b0d 0a20 6c65 6674 3a32 3731 2e32 3770  ;...left:271.27p
0x0110:  743b 746f 703a 3630 332e 3235 7074 3b77  t;top:603.25pt;w
0x0120:  6964 7468 3a38 342e 3435 7074 3b68 6569  idth:84.45pt;hei
0x0130:  6768 743a 3137 7074 3b7a 2d69 6e64 6578  ght:17pt;z-index
0x0140:  3a31 3638 3b0d 0a20 6d73 6f2d 7772 6170  :168;...mso-wrap
0x0150:  2d64 6973 7461 6e63 652d 6c65 6674 3a32  -distance-left:2
0x0160:  2e38 3870 743b 6d73 6f2d 7772 6170 2d64  .88pt;mso-wrap-d
0x0170:  6973 7461 6e63 652d 746f 703a 322e 3838  istance-top:2.88
0x0180:  7074 3b0d 0a20 6d73 6f2d 7772 6170 2d64  pt;...mso-wrap-d
0x0190:  6973 7461 6e63 652d 7269 6768 743a 322e  istance-right:2.
0x01a0:  3838 7074 3b6d 736f 2d77 7261 702d 6469  88pt;mso-wrap-di
0x01b0:  7374 616e 6365 2d62 6f74 746f 6d3a 322e  stance-bottom:2.
0x01c0:  3838 7074 270d 0a20 6f3a 7072 6566 6572  88pt'...o:prefer
0x01d0:  7265 6c61 7469 7665 3d22 7422 2066 696c  relative="t".fil
0x01e0:  6c65 643d 2266 2220 6669 6c6c 636f 6c6f  led="f".fillcolo
0x01f0:  723d 2277 6869 7465 205b 375d 2220 7374  r="white.[7]".st
0x0200:  726f 6b65 643d 2266 220d 0a20 7374 726f  roked="f"...stro
0x0210:  6b65 636f 6c6f 723d 2262 6c61 636b 205b  kecolor="black.[
0x0220:  305d 2220 6f3a 636c 6970 746f 7772 6170  0]".o:cliptowrap
0x0230:  3d22 7422 3e0d 0a20 3c76 3a66 696c 6c20  ="t">...<v:fill.
0x0240:  636f 6c6f 7232 3d22 7768 6974 6520 5b37  color2="white.[7
0x0250:  5d22 2f3e 0d0a 203c 763a 7374 726f 6b65  ]"/>...<v:stroke
0x0260:  2063 6f6c 6f72 323d 2277 6869 7465 205b  .color2="white.[
0x0270:  375d 223e 0d0a 2020 3c6f 3a6c 6566 7420  7]">....<o:left.
0x0280:  763a 6578 743d 2276 6965 7722 2063 6f6c  v:ext="view".col
0x0290:  6f72 3d22 626c 6163 6b20 5b30 5d22 2063  or="black.[0]".c
0x02a0:  6f6c 6f72 323d 2277 6869 7465 205b 375d  olor2="white.[7]
0x02b0:  222f 3e0d 0a20 203c 6f3a 746f 7020 763a  "/>....<o:top.v:
0x02c0:  6578 743d 2276 6965 7722 2063 6f6c 6f72  ext="view".color
0x02d0:  3d22 626c 6163 6b20 5b30 5d22 2063 6f6c  ="black.[0]".col
0x02e0:  6f72 323d 2277 6869 7465 205b 375d 222f  or2="white.[7]"/
0x02f0:  3e0d 0a20 203c 6f3a 7269 6768 7420 763a  >....<o:right.v:
0x0300:  6578 743d 2276 6965 7722 2063 6f6c 6f72  ext="view".color
0x0310:  3d22 626c 6163 6b20 5b30 5d22 2063 6f6c  ="black.[0]".col
0x0320:  6f72 323d 2277 6869 7465 205b 375d 222f  or2="white.[7]"/
0x0330:  3e0d 0a20 203c 6f3a 626f 7474 6f6d 2076  >....<o:bottom.v
0x0340:  3a65 7874 3d22 7669 6577 2220 636f 6c6f  :ext="view".colo
0x0350:  723d 2262 6c61 636b 205b 305d 2220 636f  r="black.[0]".co
0x0360:  6c6f 7232 3d22 7768 6974 6520 5b37 5d22  lor2="white.[7]"
0x0370:  2f3e 0d0a 2020 3c6f 3a63 6f6c 756d 6e20  />....<o:column.
0x0380:  763a 6578 743d 2276 6965 7722 2063 6f6c  v:ext="view".col
0x0390:  6f72 3d22 626c 6163 6b20 5b30 5d22 2063  or="black.[0]".c
0x03a0:  6f6c 6f72 323d 2277 6869 7465 205b 375d  olor2="white.[7]
0x03b0:  222f 3e0d 0a20 3c2f 763a 7374 726f 6b65  "/>...</v:stroke
0x03c0:  3e0d 0a20 3c76 3a69 6d61 6765 6461 7461  >...<v:imagedata
0x03d0:  2073 7263 3d22 696d 6167 6537 3036 2e70  .src="image706.p
0x03e0:  6e67 2220 6f3a 7469 746c 653d 2222 2f3e  ng".o:title=""/>
0x03f0:  0d0a 203c 763a 7368 6164 6f77 2063 6f6c  ...<v:shadow.col
0x0400:  6f72 3d22 2363 6363 205b 345d 222f 3e0d  or="#ccc.[4]"/>.
0x0410:  0a20 3c76 3a70 6174 6820 6f3a 6578 7472  ..<v:path.o:extr
0x0420:  7573 696f 6e6f 6b3d 2266 2220 696e 7365  usionok="f".inse
0x0430:  7470 656e 6f6b 3d22 6622 2f3e 0d0a 203c  tpenok="f"/>...<
0x0440:  6f3a 6c6f 636b 2076 3a65 7874 3d22 6564  o:lock.v:ext="ed
0x0450:  6974 2220 6173 7065 6374 7261 7469 6f3d  it".aspectratio=
0x0460:  2274 222f 3e0d 0a3c 2f76 3a72 6563 743e  "t"/>..</v:rect>
0x0470:  3c21 5b65 6e64 6966 5d2d 2d3e 3c21 5b69  <![endif]--><![i
0x0480:  6620 2176 6d6c 5d3e 3c73 7061 6e20 7374  f.!vml]><span.st
0x0490:  796c 653d 2770 6f73 6974 696f 6e3a 6162  yle='position:ab
0x04a0:  736f 6c75 7465 3b7a 2d69 6e64 6578 3a31  solute;z-index:1
0x04b0:  3638 3b0d 0a6c 6566 743a 3336 3270 783b  68;..left:362px;
0x04c0:  746f 703a 3830 3470 783b 7769 6474 683a  top:804px;width:
0x04d0:  3131 3270 783b 6865 6967 6874 3a32 3370  112px;height:23p
0x04e0:  7827 3e3c 610d 0a68 7265 663d 2268 7474  x'><a..href="htt
0x04f0:  703a 2f2f 7777 772e 6d61 7071 7565 7374  p://www.mapquest
0x0500:  2e63 6f6d 2f6d 712f 352d 6a30 6667 3973  .com/mq/5-j0fg9s
0x0510:  716c 664b 7461 223e 3c69 6d67 2062 6f72  qlfKta"><img.bor
0x0520:  6465 723d 3020 7769 6474 683d 3131 320d  der=0.width=112.
0x0530:  0a68 6569 6768 743d 3233 2073 7263 3d69  .height=23.src=i
0x0540:  6d61 6765 3639 342e 6769 6620 763a 7368  mage694.gif.v:sh
0x0550:  6170 6573 3d22 5f78 3030 3030 5f73 3132  apes="_x0000_s12
0x0560:  3337 223e 3c2f 613e 3c2f 7370 616e 3e3c  37"></a></span><
0x0570:  215b 656e 6469 665d 3e3c 212d 2d5b 6966  ![endif]><!--[if
0x0580:  2067 7465 2076 6d6c 2031 5d3e 3c76 3a73  .gte.vml.1]><v:s
0x0590:  6861 7065 0d0a 2069 643d 225f 7830 3030  hape...id="_x000
James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
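Added example (editor's illustration, not part of James Lay's message or of the Snort rule set): a Python script that replays the two checks SID 12280 performs, the nocase content match and the pcre, against a payload offline. The header arithmetic is exercised on the first three hex lines of the dump posted above; BENIGN_WORD_VML is a constructed payload that copies the Word-generated VML structure visible in the dump (the v:rect element with an embedded v:imagedata src), and PLAIN_IMG and CONTENT_ONLY are constructed negative controls. Snort's PCRE dialect and Python's re write named groups, backreferences and \xHH escapes the same way, so the rule's pattern is used verbatim and only the /smi flags are mapped. The script does not model stream reassembly or http_inspect normalisation, so it shows why the pattern fires on this kind of markup rather than reproducing Snort's exact matching context.

```python
"""Replay SID 12280's content and pcre checks against a payload, offline."""
import re

# pcre option value copied from the SID 12280 rev:2 rule quoted above.
SID_12280_PCRE = (
    r"/<(?P<t>[A-Z]+\x3A)\s*[^>]+>.*<[A-Z]+\x3A\s*imagedata\s+[^>]*src\s*=\s*"
    r"(?P<q>\x22|\x27|)[\w\x25\x2D\x2E]+(?P=q)[^>]*>.*?<\x2F/smi"
)
SID_12280_CONTENT = b"imagedata"  # content:"imagedata"; nocase;

# Snort pcre flag letters with a direct Python re equivalent.
_PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
_HEX_WORD = re.compile(r"^[0-9a-fA-F]{2,4}$")


def compile_snort_pcre(option):
    """Compile a Snort pcre:"/.../flags" value as a Python bytes regex.

    Snort's buffer/relative modifiers (R, U, H, ...) are rejected: they change
    where the pattern is run, which a plain search over the payload cannot imitate.
    """
    body, _, flags = option.strip().rpartition("/")
    if not body.startswith("/"):
        raise ValueError("expected /pattern/flags")
    re_flags = 0
    for f in flags:
        if f not in _PCRE_FLAGS:
            raise ValueError(f"unsupported Snort pcre flag {f!r}")
        re_flags |= _PCRE_FLAGS[f]
    return re.compile(body[1:].encode("latin-1"), re_flags)


_SID_12280_RE = compile_snort_pcre(SID_12280_PCRE)


def rule_12280_matches(payload):
    """Two stages like the rule: content (nocase) first, then the pcre."""
    if SID_12280_CONTENT not in payload.lower():
        return False
    return _SID_12280_RE.search(payload) is not None


def explain_match(payload):
    """Show what the pcre anchored on (None if it does not match)."""
    m = _SID_12280_RE.search(payload)
    if m is None:
        return None
    return {"t": m.group("t").decode(), "q": m.group("q").decode(),
            "matched": m.group(0)[:32].decode("latin-1")}


def parse_tcpdump_x(dump):
    """Rebuild raw bytes from `tcpdump -X` lines (offset, up to 8 hex words, ASCII)."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue  # summary line, or an ASCII column wrapped onto its own line
        for tok in tokens[1:9]:  # tcpdump prints at most 16 bytes per line
            if not _HEX_WORD.match(tok):
                break  # reached the ASCII column of a short last line
            out += bytes.fromhex(tok)
    return bytes(out)


def tcp_payload(packet):
    """Skip the IPv4 and TCP headers using their own length fields."""
    ihl = (packet[0] & 0x0F) * 4            # 0x45 -> 20-byte IP header
    data_off = (packet[ihl + 12] >> 4) * 4  # 0x50 -> 20-byte TCP header
    return packet[ihl + data_off:]


# First 48 bytes of the packet dump posted above: both headers plus the
# first 8 bytes of the HTTP body.
CAPTURE_HEAD = """\
0x0000:  4500 05a0 559d 4000 3906 48ca 614a 9061  E...U.@.9.H.aJ.a
0x0010:  42c1 6984 0050 3fcb e7d4 6a57 5dea 813c  B.i..P?...jW]..<
0x0020:  5010 3aa0 d0f8 0000 2254 6578 7420 426f  P.:....."Text.Bo
"""

# Constructed payloads (not the full 1400-byte capture). BENIGN_WORD_VML
# copies the Word-generated VML structure visible in the dump above.
BENIGN_WORD_VML = (
    b'<!--[if gte vml 1]><v:rect id="_x0000_s1237"\r\n'
    b' href="http://www.mapquest.com/mq/5-j0fg9sqlfKta" style=\'position:absolute;\r\n'
    b' left:271.27pt;top:603.25pt;width:84.45pt;height:17pt;z-index:168\'\r\n'
    b' o:preferrelative="t" filled="f" stroked="f" o:cliptowrap="t">\r\n'
    b' <v:imagedata src="image706.png" o:title=""/>\r\n'
    b' <v:shadow color="#ccc [4]"/>\r\n'
    b'</v:rect><![endif]-->'
)
PLAIN_IMG = (b'<span><a href="http://www.mapquest.com/mq/5-j0fg9sqlfKta">'
             b'<img border=0 width=112 height=23 src=image694.gif></a></span>')
CONTENT_ONLY = b"<p>imagedata appears here without any VML markup around it</p>"

if __name__ == "__main__":
    print("payload starts with:", tcp_payload(parse_tcpdump_x(CAPTURE_HEAD)))
    for name, p in (("Word VML", BENIGN_WORD_VML), ("plain <img>", PLAIN_IMG),
                    ("content only", CONTENT_ONLY)):
        print(f"{name:12s} fires={rule_12280_matches(p)} {explain_match(p)}")
```

Running it shows the pattern anchoring on the opening <v:rect ...> tag (group t = "v:"), then on <v:imagedata src="image706.png" .../> with a double-quoted src (group q), then on the first "</" that follows; nothing in that sequence distinguishes a Word export from anything else, which is the property worth checking before deciding whether a rev of the rule needs a tighter pattern.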
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs