Well if you look at the rule, you can see that all it's looking for is a few x86 NOOP commands in a row. It doesn't really have anything to do with an old CRC32 exploit.
On Friday 19 September 2003 10:38 am, Brian Dinello wrote:
> All:
>
> Just to add to the readily growing list of stupid things this "exploit"
> does, it set off my Snort IDS when attempting to root my test box. Looks
> like it _may_ actually incorporate some shell code in a REALLY old CRC32
> overflow from 2001. Here's the CVE link, if anyone's interested:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144
>
> And the snort sig that it hit:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
> overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90
> 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347;
> reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326;
> rev:3;)
>
> And the systems that it _may_ be able to affect/infect:
> Affected Systems:
> OpenSSH versions prior to 2.2
> Multiple Cisco network devices
> Multiple Netscreen network devices
> SSH Secure Communications prior to 1.2.31
>
> Needless to say, I doubt anyone will soon be reporting any instances of
> this piece of code actually doing anything to a remote host.
>
> Brian Dinello, CISSP
>
> -----Original Message-----
> From: Adam Balogh [mailto:[EMAIL PROTECTED]
> Posted At: Friday, September 19, 2003 8:59 AM
> Posted To: Full Disclosure
> Conversation: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS [EMAIL PROTECTED]
>
> Probably a scriptkiddie or some random idiot. The fun part was it came
> up totally different offsets, then I mean TOTALLY different, each time you
> ran it, and if you gave it an offset it would "work" no matter what. For
> those people who ran it... change all your passwords. :)
>
> /Adam
>
> Vitaly Osipov wrote:
> > On Fri, 2003-09-19 at 14:21, V.O. wrote:
> > Yeah, I missed the fact that after "calculating" the offset it starts
> > to "exploit" in the same way as if it was given an offset as a
> > parameter. Anyway, I simply wanted to note that whoever posted it here
> > was either knowingly lying about its purpose or not having a clue
> > about UNIX at all :)
> >
> > W.
> >
> > ----- Original Message -----
> > From: "Adam Balogh" <[EMAIL PROTECTED]>
> > To: "Full Disclosure" <[EMAIL PROTECTED]>
> > Sent: Friday, September 19, 2003 9:47 PM
> > Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS [EMAIL PROTECTED]
> >
> > > Vitaly Osipov wrote:
> > > > which is obviously not true. Btw, as far as I understand, the
> > > > trojan code is triggered when the "exploit" is run with the offset
> > > > specified, and not in a "bruteforcing" mode.
> > > >
> > > > W.
> > >
> > > Me and my friend tried to run it on a lab box that's not connected
> > > directly to the internet and doesn't relay mails. It doesn't use that
> > > special offset as a trigger. We got as many "sys3" accounts in
> > > /etc/passwd as the number of times we ran it, plus those outgoing mails queued.
> > >
> > > /Adam Balogh
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Patrick Dolan
UNT Computing and Information Technology Center
PGP ID: E5571154
Primary key fingerprint: 5681 25E4 6BE6 298E 9CF0 6F8D B13B 2456 E557 1154
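To make Patrick's point concrete, here is an added Python model of what the quoted Snort rule (sid:1326) actually evaluates. It is not code from the thread or from Snort; it only parses Snort's pipe-delimited hex `content:` notation and applies the rule's port, direction and content conditions to a few constructed sample payloads (the SSH banner and byte runs below are made up for the demonstration, not captures of the program discussed). The point it shows: the match fires on any run of sixteen `0x90` bytes sent toward port 22, so the alert text "ssh CRC32 overflow" says nothing about which exploit, if any, produced the traffic.

```python
"""Model of Snort sid:1326's match conditions (added example, not Snort's code)."""

# Content pattern as quoted in the thread: sixteen 0x90 (x86 NOP) bytes.
RULE_CONTENT = "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"
RULE_DST_PORT = 22          # $HOME_NET 22
RULE_FLOW_TO_SERVER = True  # flow:to_server


def parse_snort_content(content: str) -> bytes:
    """Convert a Snort content string into the raw bytes it matches.

    Snort writes binary bytes between pipe characters as hex pairs
    ("|90 90|") and everything outside the pipes as literal text, so a
    string like "|28|C|00|" means 0x28, 'C', 0x00.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                          # inside pipes: hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                   # outside pipes: literal text
            out += part.encode("latin-1")
    return bytes(out)


NOP_SLED = parse_snort_content(RULE_CONTENT)


def longest_nop_run(payload: bytes) -> int:
    """Length of the longest consecutive run of 0x90 bytes in payload."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def rule_matches(dst_port: int, to_server: bool, payload: bytes) -> bool:
    """Mirror the rule: established client->server traffic to port 22 whose
    payload contains the 16-byte 0x90 run. Nothing here relates to the
    CRC32 compensation-attack detector bug (CVE-2001-0144); any x86 NOP
    sled of that length in an SSH stream satisfies the rule."""
    if dst_port != RULE_DST_PORT or to_server != RULE_FLOW_TO_SERVER:
        return False
    return NOP_SLED in payload


# Constructed sample payloads (not traffic captured from the thread's program).
SSH_BANNER = b"SSH-2.0-Example_1.0\r\n"
NOP_SLED_PAYLOAD = SSH_BANNER + b"\x90" * 64 + b"\xcc" * 8   # generic NOP sled
SHORT_NOP_RUN = SSH_BANNER + b"\x90" * 15 + b"\x41"           # one byte short
SAMPLES = {
    "banner only": SSH_BANNER,
    "nop sled": NOP_SLED_PAYLOAD,
    "15 nops": SHORT_NOP_RUN,
}


def classify(samples: dict) -> dict:
    """Return {name: (longest 0x90 run, rule fires?)} for each sample,
    evaluated as client->server traffic to port 22."""
    return {name: (longest_nop_run(data), rule_matches(22, True, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (run, fired) in classify(SAMPLES).items():
        print(f"{name:12s} longest NOP run={run:3d}  sid:1326 fires={fired}")
```

Running it prints that only the sample with a 16-byte or longer `0x90` run trips the rule, and the same payload sent to any other port, or in the server-to-client direction, does not; the `classtype:shellcode-detect` label is the honest description of what the signature sees.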
