
I am writing a custom rule for the following exploit: http://www.exploit-db.com/exploits/36100/

I have run the exploit, and the packet I am writing the rule around can be seen here: http://txt.do/cxgb

This is the current rule I am using:

alert tcp any any -> any any (msg:"X360 VideoPlayer ActiveX Control Buffer Overflow"; flow:to_server,established; content:"\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20\x81\xc4\x30\xf8\xff\xff"; fast_pattern; http_client_body; metadata: service http; sid:1000007; rev:1;)  

However, Snort is failing to alert on this. Can anybody see why? Thanks in advance.

Donut
  • I know that it helps to have port numbers stated; however, for this particular exploit the port number seems to change each time, so I am unable to enter a port number into the http preprocessor configuration for ports. – BuffetOverFlow Mar 10 '15 at 14:06

1 Answer

As you mentioned in your comment, since you don't have a port specified, Snort won't treat the traffic as HTTP and therefore will not populate the HTTP buffers. Since this is the case, you need to remove the HTTP content modifier, because it will never match. Take out the "http_client_body".

To match the literal character \ you need to escape it with a \, for example "\\x64".

Also, this content is going from server to client (it's serving an http page). You need to change the flow to "flow: to_client, established"

johnjg12
  • I have also just noticed snort doesn't like \ as part of the content, is that right? If so if I was to take all of the \ out of content would this still match? – BuffetOverFlow Mar 11 '15 at 14:51
  • Actually I think you need to put an extra \ in front of all of the \ because this is an escape character, so to get the literal \ you need to escape it. – johnjg12 Mar 11 '15 at 14:54
  • Your flow direction is backwards as well. See my edited answer, let me know if this doesn't resolve it. – johnjg12 Mar 11 '15 at 23:06
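To make the escaping point in the answer concrete, here is a small added example (my own code, not johnjg12's or Snort's) that renders the body of a Snort content:"..." option into the byte sequence Snort searches for and tests it against two constructed payloads. It handles the documented escapes (\\, \", \;, \:, \|) and the |..| pipe notation Snort uses for raw hex bytes. Rejecting any other backslash escape, such as the "\x64" in the original rule, is this example's own policy and an assumption, chosen to mirror the "snort doesn't like \" symptom in the comments. The two payloads are constructed for the example: one carries the shellcode as literal JavaScript text (backslash, 'x', '6', '4', ...), the way an HTML exploit page would, and the other carries the same 17 bytes as raw binary.

```python
# Added example: how a Snort content:"..." string turns into the bytes Snort
# actually searches for, and why the escaping in the rule decides what matches.

ORIGINAL_CONTENT = r"\x64\xa1\x18\x00\x00\x00\x83\xc0\x08\x8b\x20\x81\xc4\x30\xf8\xff\xff"
# Same text with every backslash escaped, as the answer recommends ("\\x64").
ESCAPED_CONTENT = ORIGINAL_CONTENT.replace("\\", "\\\\")
# Snort's pipe notation for the same values as raw bytes (not literal text).
HEX_CONTENT = "|64 a1 18 00 00 00 83 c0 08 8b 20 81 c4 30 f8 ff ff|"

# Constructed sample: the exploit page serves the shellcode as literal text
# inside a JavaScript string, so the wire bytes are '\', 'x', '6', '4', ...
SAMPLE_HTML_PAYLOAD = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><script>\nvar shellcode = \""
    + ORIGINAL_CONTENT.encode("ascii")
    + b"\";\n</script></html>"
)
# Constructed sample: the same 17 values carried as raw binary bytes.
SAMPLE_RAW_PAYLOAD = (
    b"\x00\x01" + bytes.fromhex("64a11800000083c0088b2081c430f8ffff") + b"\x02"
)


def parse_snort_content(content: str) -> bytes:
    """Render the body of a content:"..." option to the bytes Snort matches on.

    Supports the documented escapes (\\\\, \\", \\;, \\:, \\|) and |hex hex| sections.
    Any other backslash sequence raises ValueError (assumption for this example).
    """
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == "|":
            # Pipe section: hex digits (spaces allowed) until the closing pipe.
            end = content.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated |hex| section")
            out += bytes.fromhex(content[i + 1:end].replace(" ", ""))
            i = end + 1
        elif ch == "\\":
            # Only these characters may follow a backslash; the escaped
            # character itself is emitted as a literal byte.
            if i + 1 >= len(content) or content[i + 1] not in '\\";:|':
                raise ValueError(f"bad escape at offset {i}: {content[i:i + 2]!r}")
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def content_matches(content: str, payload: bytes) -> bool:
    """True if the rendered content bytes occur anywhere in the payload."""
    return parse_snort_content(content) in payload


if __name__ == "__main__":
    for label, content in [("escaped text", ESCAPED_CONTENT), ("hex pipes", HEX_CONTENT)]:
        print(f"{label:13s} vs HTML page: {content_matches(content, SAMPLE_HTML_PAYLOAD)}")
        print(f"{label:13s} vs raw bytes: {content_matches(content, SAMPLE_RAW_PAYLOAD)}")
    try:
        parse_snort_content(ORIGINAL_CONTENT)
    except ValueError as exc:
        print(f"original rule content rejected: {exc}")
```

The takeaway for writing the rule: decide first whether the bytes on the wire are the text "\x64..." (the HTML exploit page, which the escaped form matches) or the decoded binary (which only the |64 a1 18 ...| form matches); a content string written for one will never match the other.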