-
March 9th, 2005, 04:10 PM
#1
k-otik - Automated Script for W2K3 Malformed Packet Vuln
Yep. That didn't take long. This will prolly morph into a worm before long. If you are not aware of the issue, see this post:
http://www.antionline.com/showthread...hreadid=266661
Here is the link to the code used to automate the attack:
http://www.k-otik.com/exploits/20050307.windos.c.php
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
March 9th, 2005, 05:34 PM
#2
Do you know if there's a Snort signature or white hat breakdown of this exploit?
I guess now that Sourcefire is screwing all the Snort users with their new licensing scheme I will start submitting more rules to here and other forums I go to.
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
March 9th, 2005, 08:41 PM
#3
Not sure if one exists for Snort, but you can certainly craft one up in no time.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
March 9th, 2005, 09:19 PM
#4
The problem with a Snort sig for this is that you would need a sig for each vulnerable server. Since the source address has to be spoofed as the same as the attacked target, you either need to define a variable for each asset ($HTTP_SERVER_1, $HTTP_SERVER_2, etc.) and then write a rule for each variable, or write rules with the addresses hard-coded in. The only fixed thing is the SYN flag must be set. Thus rules would look like this:-
alert tcp $HTTP_1 any -> $HTTP_1 any (msg: "Land Attack on HTTP 1"; Flags: S; classtype: attempted-dos;)
or
alert tcp 192.168.1.1 any -> 192.168.1.1 any (msg: "Land Attack on HTTP 1"; Flags: S; classtype: attempted-dos;)
You couldn't use:-
alert tcp $HTTP_SERVERS any -> $HTTP_SERVERS any (msg: "Land Attack on HTTP 1"; Flags: S; classtype: attempted-dos;)
when you have multiple servers, because if one server talks to the other it would FP (false positive), though it should work if you only have one web server.
Having said that, I'm not sure that this would run in Snort. It might throw an error when it parses the rules and kick out.
[Edit]
It doesn't blow out Snort, so it should work.... But it's all a bit of a waste really.... If Snort picks it up then it's already done its bit.
It's possible you could place a react clause in the rule to RST both ends of the connection (or a single end, since they are both "the same"), which _might_ bring the attacked server out of the loop.
[/EDIT]
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
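As an added example (not from this thread or from Snort), here is the address-independent version of the check discussed above, in Python: it parses raw IPv4/TCP headers and reports any bare SYN whose source address equals its destination, so no per-server variable or hard-coded address is needed. The packets are constructed in memory purely as test input, not captured traffic; `build_ipv4_tcp` is a helper written for this example.

```python
import struct

SYN, ACK = 0x02, 0x10          # TCP flag bits

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP header pair (no options; checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]

def is_land_packet(pkt):
    """LAND pattern: a bare SYN (no ACK) whose source address equals its destination."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    src, dst, _, _, flags = parsed
    return src == dst and bool(flags & SYN) and not flags & ACK

def scan(packets):
    """Return (src, dst, sport, dport) for every packet matching the LAND pattern."""
    hits = []
    for pkt in packets:
        if is_land_packet(pkt):
            src, dst, sport, dport, _ = parse_ipv4_tcp(pkt)
            hits.append((src, dst, sport, dport))
    return hits

# Constructed sample traffic (not captured data): a LAND-style SYN at a web server,
# a normal client SYN, server-to-server traffic that a "$HTTP_SERVERS -> $HTTP_SERVERS"
# rule would false-positive on, and a SYN/ACK between equal addresses (not flagged).
SAMPLE = [
    build_ipv4_tcp("192.168.1.1", "192.168.1.1", 80, 80, SYN),
    build_ipv4_tcp("10.0.0.5", "192.168.1.1", 40000, 80, SYN),
    build_ipv4_tcp("192.168.1.1", "192.168.1.2", 40001, 80, SYN),
    build_ipv4_tcp("192.168.1.1", "192.168.1.1", 80, 80, SYN | ACK),
]
```

Running `scan(SAMPLE)` reports only the first packet; the server-to-server SYN that would trip the `$HTTP_SERVERS` rule is left alone because its addresses differ.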