/usr/local/share/snort/attack-responses.rules:alert ip any any -> any any
(msg:"ATTACK-RESPONSES id check returned root";
content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
Dest port 25
PAYLOAD:
/usr/bin/su....
.original adv:..
www.idefense.com
/application/poi
/display?id=219&
type=vulnerabili
ties....original
exploit:..http:
//fakehalo.us/xo
sx-cf.c......---
example usage -
--....server:/tm
p v9$ id..uid=50
2(v9) gid=502(v9
) groups=502(v9)
..server:/tmp v9
$ gcc xosx-cf.c
-o xosx-cf..serv
er:/tmp v9$ ./xo
sx-cf..(*)MacOS
X[CF_CHARSET_PAT
H]: local root e
xploit...(*)by:
v9@fakehalo.us,
found by iDefens
e adv. (anon)...
.[*] setting up
the environment.
..[*] executing
su... (press ENT
ER at the "Passw
ord: " prompt)..
..Password:..sh-
2.05b# id..uid=0
(root) gid=502(v
9) groups=502(v9
)......--- xosx-
cf.c ---..../*[
MacOS X[CF_CHARS
ET_PATH]: local
root exploit. ]*
********.. *
Shouldn't this rule exclude port 25?
/usr/local/share/snort/attack-responses.rules:alert ip any any -> any !25
(msg:"ATTACK-RESPONSES id check returned root";
content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
-------------------------------------------------------
This SF.net email is sponsored by: 2005 Windows Mobile Application Contest
Submit applications for Windows Mobile(tm)-based Pocket PCs or Smartphones
for the chance to win $25,000 and application distribution. Enter today at
http://ads.osdn.com/?ad_id=6882&alloc_id=15148&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
