Possible 16295 FP
From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 25 Oct 2010 10:55:27 -0600
Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
Kaspersky antivirus library heap buffer overflow - without optional
fields"; flow:to_client,established; file_data; content:"MSCF";
byte_test:2,&,0x0003,26,relative,little;
byte_test:2,!&,0x0004,26,relative,little;
pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy
security-ips drop, service http; reference:bugtraq,14998;
reference:cve,2005-3142; classtype:attempted-user; sid:16295; rev:2;)
Rule hit:
10/25-10:42:14.031398 [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus
library heap buffer overflow - without optional fields [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
209.85.225.99:80 -> 66.193.105.132:49789
Packet dump:
10:46:32.724354 IP 209.85.225.99.80 > 66.193.105.132.49879: Flags [.],
ack 1945071829, win 25728, length 1400
0x0000: 4500 05a0 da3b 0000 3906 431e d155 e163
E....;..9.C..U.c
0x0010: 42c1 6984 0050 c2d7 a6eb 4fff 73ef 70d5
B.i..P....O.s.p.
0x0020: 5010 6480 11b8 0000 2229 2c22 2622 2c62
P.d....."),"&",b
0x0030: 2c22 3d22 2c63 5d2e 6a6f 696e 2822 2229
,"=",c].join("")
0x0040: 7d66 756e 6374 696f 6e20 7128 612c 6229
}function.q(a,b)
0x0050: 7b62 3d6e 6577 2052 6567 4578 7028 225b
{b=new.RegExp("[
0x0060: 3f26 5d22 2b62 2b22 3d5b 5e26 5d2a 222c
?&]"+b+"=[^&]*",
0x0070: 2267 6922 293b 613d 612e 7265 706c 6163
"gi");a=a.replac
0x0080: 6528 622c 2222 293b 7265 7475 726e 2061
e(b,"");return.a
0x0090: 3d61 2e72 6570 6c61 6365 282f 5e28 5b5e
=a.replace(/^([^
0x00a0: 3f26 5d2a 2926 282e 2a29 2f2c 2224 313f
?&]*)&(.*)/,"$1?
0x00b0: 2432 2229 7d0a 6675 6e63 7469 6f6e 2075
$2")}.function.u
0x00c0: 2861 2c62 297b 6966 2821 6129 7265 7475
(a,b){if(!a)retu
0x00d0: 726e 2062 3b72 6574 7572 6e28 6e65 7720
rn.b;return(new.
0x00e0: 5265 6745 7870 2822 282c 7c5e 2922 2b62
RegExp("(,|^)"+b
0x00f0: 2b22 282c 7c24 2922 2929 2e74 6573 7428
+"(,|$)")).test(
0x0100: 6129 3f61 3a62 2b22 2c22 2b61 7d66 756e
a)?a:b+","+a}fun
0x0110: 6374 696f 6e20 7028 612c 6229 7b66 6f72
ction.p(a,b){for
0x0120: 2876 6172 2063 3d2f 5b3f 265d 696d 6774
(var.c=/[?&]imgt
0x0130: 7970 653d 285b 5e26 5d2a 292f 672c 643d
ype=([^&]*)/g,d=
0x0140: 6e75 6c6c 2c65 3d22 223b 643d 632e 6578
null,e="";d=c.ex
0x0150: 6563 2861 293b 2965 3d64 5b31 5d3b 7265
ec(a);)e=d[1];re
0x0160: 7475 726e 2074 2861 2c22 696d 6774 7970
turn.t(a,"imgtyp
0x0170: 6522 2c75 2865 2c62 2929 7d66 756e 6374
e",u(e,b))}funct
0x0180: 696f 6e20 7628 297b 7661 7220 613d 6c6f
ion.v(){var.a=lo
0x0190: 6361 7469 6f6e 2e68 6173 683b 6966 2861
cation.hash;if(a
0x01a0: 2626 612e 696e 6465 784f 6628 2273 7461
&&a.indexOf("sta
0x01b0: 7274 2229 3e2d 3129 7b76 6172 2062 3d77
rt")>-1){var.b=w
0x01c0: 696e 646f 772e 6479 6e2e 7365 7452 6573
indow.dyn.setRes
0x01d0: 756c 7473 3b77 696e 646f 772e 6479 6e2e
ults;window.dyn.
0x01e0: 7365 7452 6573 756c 7473 3d66 756e 6374
setResults=funct
0x01f0: 696f 6e28 297b 7769 6e64 6f77 2e64 796e
ion(){window.dyn
0x0200: 2e73 6574 5265 7375 6c74 733d 627d 7d7d
.setResults=b}}}
0x0210: 7628 293b 0a7d 2920 2829 3b64 796e 2e69
v();.}).();dyn.i
0x0220: 6e69 7469 616c 697a 6528 275c 7832 3670
nitialize('\x26p
0x0230: 7265 765c 7833 642f 696d 6167 6573 2533
rev\x3d/images%3
0x0240: 4671 2533 4470 6f6e 6465 726f 7361 2532
Fq%3Dponderosa%2
0x0250: 426c 6162 7325 3236 686c 2533 4465 6e25
Blabs%26hl%3Den%
0x0260: 3236 6762 7625 3344 3225 3236 7462 7325
26gbv%3D2%26tbs%
0x0270: 3344 6973 6368 3a31 272c 302c 3029 3b64
3Disch:1',0,0);d
0x0280: 796e 2e73 6574 5265 7375 6c74 7328 5b5b
yn.setResults([[
0x0290: 222f 696d 6772 6573 3f69 6d67 7572 6c5c
"/imgres?imgurl\
0x02a0: 7833 6468 7474 703a 2f2f 7472 6565 732e
x3dhttp://trees.
0x02b0: 7374 616e 666f 7264 2e65 6475 2f69 6d61
stanford.edu/ima
0x02c0: 6765 732f 5069 6e61 6365 6165 2f70 6f6e
ges/Pinaceae/pon
0x02d0: 6465 726f 7361 2e6a 7067 5c78 3236 696d
derosa.jpg\x26im
0x02e0: 6772 6566 7572 6c5c 7833 6468 7474 703a
grefurl\x3dhttp:
0x02f0: 2f2f 7363 6965 6e63 6562 6c6f 6773 2e63
//scienceblogs.c
0x0300: 6f6d 2f63 6861 6f74 6963 7574 6f70 6961
om/chaoticutopia
0x0310: 2f32 3030 382f 3032 2f77 6861 745f 6d61
/2008/02/what_ma
0x0320: 6b65 735f 7468 655f 7069 6e65 735f 6772
kes_the_pines_gr
0x0330: 6f77 5f70 6172 742e 7068 705c 7832 3675
ow_part.php\x26u
0x0340: 7367 5c78 3364 5f5f 5a47 5767 7556 516a
sg\x3d__ZGWguVQj
0x0350: 7848 744a 3453 4149 6853 7a47 304a 4a74
xHtJ4SAIhSzG0JJt
0x0360: 4d69 735c 7833 645c 7832 3668 5c78 3364
Mis\x3d\x26h\x3d
0x0370: 3638 305c 7832 3677 5c78 3364 3439 365c
680\x26w\x3d496\
0x0380: 7832 3673 7a5c 7833 6439 375c 7832 3668
x26sz\x3d97\x26h
0x0390: 6c5c 7833 6465 6e5c 7832 3673 7461 7274
l\x3den\x26start
0x03a0: 5c78 3364 315c 7832 367a 6f6f 6d5c 7833
\x3d1\x26zoom\x3
0x03b0: 6431 5c78 3236 6974 6273 5c78 3364 3122
d1\x26itbs\x3d1"
0x03c0: 2c22 222c 224e 7364 672d 6139 7a38 7741
,"","Nsdg-a9z8wA
0x03d0: 4c54 4d3a 222c 2268 7474 703a 2f2f 7472
LTM:","http://tr
0x03e0: 6565 732e 7374 616e 666f 7264 2e65 6475
ees.stanford.edu
0x03f0: 2f69 6d61 6765 732f 5069 6e61 6365 6165
/images/Pinaceae
0x0400: 2f70 6f6e 6465 726f 7361 2e6a 7067 222c
/ponderosa.jpg",
0x0410: 2231 3031 222c 2231 3339 222c 2253 6f2c
"101","139","So,
0x0420: 205c 7833 6362 5c78 3365 706f 6e64 6572
.\x3cb\x3eponder
0x0430: 6f73 615c 7833 632f 625c 7833 6520 7069
osa\x3c/b\x3e.pi
0x0440: 6e65 7320 6d61 7920 6265 222c 2222 2c22
nes.may.be","","
0x0450: 222c 2234 3936 2026 7469 6d65 733b 2036
","496.×.6
0x0460: 3830 202d 2039 376b 222c 226a 7067 222c
80.-.97k","jpg",
0x0470: 2273 6369 656e 6365 626c 6f67 732e 636f
"scienceblogs.co
0x0480: 6d22 2c22 222c 2222 2c22 6874 7470 3a2f
m","","","http:/
0x0490: 2f74 302e 6773 7461 7469 632e 636f 6d2f
/t0.gstatic.com/
0x04a0: 696d 6167 6573 222c 2231 222c 5b5d 2c22
images","1",[],"
0x04b0: 222c 302c 2222 2c5b 5d2c 2222 2c22 222c
",0,"",[],"","",
0x04c0: 2222 2c22 222c 2222 2c22 222c 2222 2c22
"","","","","","
0x04d0: 222c 2222 5d2c 5b22 2f69 6d67 7265 733f
",""],["/imgres?
0x04e0: 696d 6775 726c 5c78 3364 6874 7470 3a2f
imgurl\x3dhttp:/
0x04f0: 2f62 6579 6572 7265 6e65 7761 626c 6566
/beyerrenewablef
0x0500: 7565 6c73 2e63 6f6d 2f6d 696e 6572 616c
uels.com/mineral
0x0510: 2532 3532 306c 6162 7325 3235 3230 7465
%2520labs%2520te
0x0520: 7374 2532 3532 3067 7265 656e 7761 7374
st%2520greenwast
0x0530: 6525 3235 3230 706f 6c79 2532 3532 0d0a
e%2520poly%252..
0x0540: 3130 3030 0d0a 3067 6c79 6365 726f 6c2e
1000..0glycerol.
0x0550: 6a70 675c 7832 3669 6d67 7265 6675 726c
jpg\x26imgrefurl
0x0560: 5c78 3364 6874 7470 3a2f 2f62 6579 6572
\x3dhttp://beyer
0x0570: 7265 6e65 7761 626c 6566 7565 6c73 2e63
renewablefuels.c
0x0580: 6f6d 2f4d 6169 6e25 3235 3230 5465 7374
om/Main%2520Test
0x0590: 2532 3532 3050 6167 652e 6874 6d5c 7832
%2520Page.htm\x2
Looks like more Google happiness: the captured payload is minified JavaScript from a Google image-search results page (dyn.setResults with /imgres?imgurl= entries and t0.gstatic.com thumbnails), not a CAB archive. Note that the dump above was taken at 10:46:32 on client port 49879, whereas the alert fired at 10:42:14 on port 49789, so it may not be the exact packet that matched the "MSCF" content and the relative byte_test checks.
James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
