Re: [Snort-users] SMTP ETRN overflow attempt
- To: "NO JUNK MAIL" <[EMAIL PROTECTED]>
- Subject: Re: [Snort-users] SMTP ETRN overflow attempt
- From: Matt Kettler <[EMAIL PROTECTED]>
- Date: Tue, 6 May 2003 16:44:25 -0400
- In-reply-to: <[EMAIL PROTECTED]>
At 11:37 AM 5/6/2003 -0500, NO JUNK MAIL wrote:
> Would anybody have a raw packet or more info on what the packet looks
> like when it is a legitimate attack.
The DMail ETRN vulnerability is a classic linear buffer overflow
attack. It's going to consist of the text "ETRN" (any case) followed by 500
bytes of arbitrary data (can be absolutely anything with no CRs), followed
by exploit code (can vary).
You might be able to narrow this up by looking for "ETRN " instead of
"ETRN", as the space will need to be in there. Also note that this rule is
coded to only look for this data at the start of a packet.
One well-known exploit
(http://downloads.securityfocus.com/vulnerabilities/exploits/netwinroot.c)
just fills the entire "don't care" buffer space with a return address, but
the data itself (up to where the return address needs to be) can be
*anything*.
As far as I can tell from reading around, the actual size of the buffer
area prior to the return address is about 260ish bytes.
It should be noted that a DOS against this can be accomplished in under 500
bytes, so the rule will only detect an attack that is trying to gain
access, not merely crash the dmail package.
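As an added illustration (not part of Matt's reply or of any Snort rule), the following Python mirrors the matching logic he describes: "ETRN " in any case at the very start of the packet, followed by a run of non-CR bytes, and classifies the run by length. The 500-byte signature threshold and the roughly 260-byte buffer size are taken from the thread above; the sample packets are constructed here, not captured traffic.

```python
# Added example, not from the original thread or from Snort.
# Thresholds are the figures quoted in Matt's reply; the packets are made up.
import re

OVERFLOW_LEN = 500   # bytes of "don't care" data the signature looks for
BUFFER_LEN = 260     # approximate buffer size before the return address (per thread)

# "ETRN " (any case) anchored at offset 0, then every byte up to the first CR.
ETRN_RE = re.compile(rb"^ETRN (?P<arg>[^\r]*)", re.IGNORECASE)


def classify(payload: bytes) -> str:
    """Return 'no-match', 'benign', 'crash-length' or 'overflow-length'.

    Like the rule described in the thread, only the start of the packet is
    examined, so an ETRN that follows another command in the same packet
    is not matched.
    """
    m = ETRN_RE.match(payload)
    if m is None:
        return "no-match"
    arg_len = len(m.group("arg"))
    if arg_len >= OVERFLOW_LEN:
        return "overflow-length"   # what the 500-byte signature would fire on
    if arg_len > BUFFER_LEN:
        return "crash-length"      # enough to overrun the buffer, but below the rule's threshold
    return "benign"


# Constructed sample packets (not real traffic) with their expected verdicts.
SAMPLES = {
    b"ETRN mail.example.test\r\n": "benign",
    b"etrn " + b"A" * 300 + b"\r\n": "crash-length",
    b"ETRN " + b"A" * 600 + b"\r\n": "overflow-length",
    # a CR inside the argument ends the run of arbitrary bytes early
    b"ETRN " + b"A" * 200 + b"\r" + b"A" * 400 + b"\r\n": "benign",
    # ETRN not at the start of the packet: the start-anchored check never sees it
    b"MAIL FROM:<a@b>\r\nETRN " + b"A" * 600 + b"\r\n": "no-match",
}


def run_samples() -> dict:
    """Classify every constructed sample and return payload -> verdict."""
    return {p: classify(p) for p in SAMPLES}


if __name__ == "__main__":
    for payload, verdict in run_samples().items():
        print(f"{verdict:16} {payload[:24]!r}...")
```

The "crash-length" verdict makes the gap Matt points out visible: a payload long enough to crash DMail but shorter than 500 bytes would not trip the signature as written.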