Re: Remote exploit for popular Sniffer Ettercap.

From: Brian (bmcat_private)
Date: Wed Dec 12 2001 - 16:51:57 PST


    The snort signatures released by GOBBLES Labs posted to their website
    at www.bugtraq.org/misc/GOBBLES.rules to catch this exploit are not 
    valid.
    
    Not only does the string "GOBBLES IDENTIFY" never show up in the
    payload sent by the exploit, but if it did, that is an extremely 
    simple string to evade.
    
    Below is a correctly working (and "official" :P) snort signature.
    
    alert tcp any any -> any 6667 (msg:"EXPLOIT Ettercap IRC parse overflow attempt"; flags:A+; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; dsize:>200; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:1;)
    
    -brian
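
Added example, not part of the post above and not Snort's own code: a small Python evaluator for the subset of rule options this signature uses, run over constructed packets to show what the rule does and does not fire on. The `Packet` class, the helper names and the sample payloads are assumptions made for the illustration, and the rule header is written in the `src sport -> dst dport` form.

```python
import re
from dataclasses import dataclass

# Rule from the post, header written as "src sport -> dst dport".
RULE = ('alert tcp any any -> any 6667 (msg:"EXPLOIT Ettercap IRC parse overflow attempt"; '
        'flags:A+; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; dsize:>200; '
        'reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; '
        'sid:1382; rev:1;)')
ACK, PSH = 0x10, 0x08

@dataclass
class Packet:  # hypothetical stand-in for a decoded TCP segment
    dport: int
    flags: int
    payload: bytes

def parse_rule(rule):
    """Return (destination port, option dict) for a single-content rule."""
    header, body = rule.split("(", 1)
    opts = {}
    for item in re.findall(r'((?:[^;"]|"[^"]*")+);', body):
        key, _, val = item.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return header.split()[-1], opts

def matches(rule, pkt):
    """Evaluate only the options this rule uses: port, flags:A+, dsize, content."""
    dport, o = parse_rule(rule)
    if dport != "any" and pkt.dport != int(dport):
        return False
    if o.get("flags") == "A+" and not pkt.flags & ACK:  # ACK set, other bits free
        return False
    m = re.fullmatch(r"([<>])(\d+)", o.get("dsize", ""))
    if m:  # dsize compares the payload length, not the whole packet
        size, limit = len(pkt.payload), int(m.group(2))
        if not (size > limit if m.group(1) == ">" else size < limit):
            return False
    hay, needle = pkt.payload[int(o.get("offset", 0)):], o["content"].encode()
    if "nocase" in o:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay

# Constructed sample traffic (not captured data).
SAMPLES = {
    "normal identify": Packet(6667, ACK | PSH, b"PRIVMSG nickserv IDENTIFY hunter2\r\n"),
    "oversized, mixed case": Packet(6667, ACK | PSH, b"privmsg NickServ identify " + b"x" * 300),
    "oversized, other port": Packet(6668, ACK | PSH, b"PRIVMSG nickserv IDENTIFY " + b"x" * 300),
    "long channel message": Packet(6667, ACK | PSH, b"PRIVMSG #chan :" + b"x" * 300),
}
RESULTS = {name: matches(RULE, pkt) for name, pkt in SAMPLES.items()}
print(RESULTS)
```

Only the oversized NickServ identify on port 6667 triggers the rule; a normal-length identify is filtered out by `dsize:>200`, which is what keeps the signature quiet on ordinary logins.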
    


