Three interesting sigs in from Akash Mahajan of StillSecure this morning.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"0x40000"; content:"Acton"; nocase; content:"clsid"; nocase; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; nocase; classtype:web-application-attack; reference:bugtraq,27539; reference:url,isc.sans.org/diary.html?storyid=3929; sid:2007815; rev:2;)

The above replaces the previous sig, which was only looking for the CLSID.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; classtype:web-application-attack; sid:2007847; rev:1;)

For the Sony exploit, and finally:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit"; flow:to_client,established; content:"clsid"; nocase; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; nocase; content:"0x40000"; content:"FindEngine"; nocase; reference:url,www.milw0rm.com/exploits/5087; reference:bugtraq,24426; classtype:web-application-attack; sid:2007848; rev:1;)

Thanks for submitting these, Akash. As always, please report any issues or feedback.

Matt
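To see why the new sigs key on the overflow markers rather than the CLSID alone, here is an added example (not part of the post or the ET ruleset) that parses the content/nocase options of the XVoice.dll rule above and runs them over two constructed payloads: a plain embed of the control and one carrying the extra tokens. The CLSID-only rule and both payloads are constructed for the demonstration; the sid 9000001 is a placeholder.

```python
import re

# Rule text as given in the post (sid 2007848).
XVOICE_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft '
    'DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit"; flow:to_client,established; '
    'content:"clsid"; nocase; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; nocase; content:"0x40000"; '
    'content:"FindEngine"; nocase; reference:url,www.milw0rm.com/exploits/5087; reference:bugtraq,24426; '
    'classtype:web-application-attack; sid:2007848; rev:1;)'
)
# Constructed stand-in for the older style of rule that matched on the CLSID only (placeholder sid).
CLSID_ONLY_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST clsid only"; flow:to_client,established; '
    'content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; nocase; sid:9000001; rev:1;)'
)
# Constructed payloads: a normal page embedding the control, and one that also carries the rule's tokens.
BENIGN = '<object classid="clsid:EEE78591-FE22-11D0-8BEF-0060081841DE" id="tts"></object>'
SUSPECT = BENIGN + ' <!-- constructed test tokens --> FindEngine 0x40000'

# One rule option: key, optional value (quoted strings may contain anything but '"'), closing ';'.
OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;')

def parse_rule(rule):
    """Return (sid, [(pattern, nocase), ...]) from a Snort rule's option block.
    Only content/nocase/sid are modelled; |hex| byte sequences, flow, reference
    and classtype are not handled (none of the rules above need them)."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    sid, matches = None, []
    for key, val in OPTION_RE.findall(body):
        if key == 'content':
            matches.append([val.strip().strip('"'), False])
        elif key == 'nocase' and matches:
            matches[-1][1] = True          # nocase modifies the preceding content
        elif key == 'sid':
            sid = int(val)
    return sid, [tuple(m) for m in matches]

def rule_fires(rule, payload):
    """True when every content pattern is present (case-insensitively where nocase is set).
    Without distance/within modifiers Snort does not require the matches to be ordered."""
    _, matches = parse_rule(rule)
    return all((pat.lower() in payload.lower()) if nocase else (pat in payload)
               for pat, nocase in matches)

if __name__ == '__main__':
    for name, rule in (('clsid-only', CLSID_ONLY_RULE), ('sid 2007848', XVOICE_RULE)):
        print(name, 'benign:', rule_fires(rule, BENIGN), 'suspect:', rule_fires(rule, SUSPECT))
```

The CLSID-only rule fires on both payloads, while sid 2007848 fires only on the one carrying the 0x40000 and FindEngine tokens, which is the false-positive reduction the replacement sig is after.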