Snort Forums Archive
Is this a buffer overflow
Posted by mykol_j on March 11, 2008 03:36:18
(Yes, I know what one is. I also know they don't always have to have x90 or A for the NOOP sled...). I just can't seem to find any particulars on this type of signature (below). It's coming from a trusted newsgroup server to our newsgroup server. It *looks* like it could be an overflow attempt, but I don't ever see a /bin/sh or any other string that's obvious. And to a newsgroup server? I'm inclined to think it's NOT a buffer overflow attempt.
What do you think (about this)?
Snort alert:
#(33 - 480098) [2008-03-10 20:02:05] [local/1390] [snort/1:1390] SHELLCODE x86 inc ebx NOOP
IPv4: 146.xxx.xxx.xxx -> 146.xxx.xxx.xxx
hlen=5 TOS=0 dlen=1420 ID=6369 flags=0 offset=0 TTL=60 chksum=58919
TCP: port=63963 -> dport: 119 flags=***AP*** seq=2653404914
ack=1405941137 off=5 res=0 win=24840 urp=0 chksum=31090
Payload: length = 1380
Posted by LeonW on April 27, 2008 07:08:30
I think that you should not rely on shellcode detection. There are so many ways to obfuscate it that reliable discovery is tricky at best.
*Depending on what you need to achieve*, it could be wise to disable the shellcode rules.
Posted by mykol_j on April 28, 2008 08:36:38
Thanks. Good to hear, I've kinda been coming to that conclusion myself -- seems there's a ton of false-positive "NOOP/NOP sleds" in binary files...
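As an added example (not the posters' code and not Snort's rule logic), a small Python model of the single-byte-run match behind a "NOOP" alert, run over two constructed payloads: an encoded NNTP article body, which is the false-positive case this thread settles on, and a raw binary blob. The run threshold and the printable-context triage check are assumptions of this example, not Snort's.

```python
"""Why a NOP-sled style rule fires on encoded binary articles (added example).

The modelled rule looks for a long run of one single-byte x86 instruction that
could serve as a sled filler (0x90 nop, 0x43 inc ebx, 0x4A dec edx, ...).
uuencode/yEnc/base64 lines in newsgroup posts on port 119 produce the same
byte runs, so a triage check is added: a run surrounded only by printable
ASCII and CRLF line ends is far more likely an encoded attachment than code.
"""
import re

# Single-byte x86 opcodes commonly used as sled fillers (real opcode values).
SLED_BYTES = {0x90: "nop", 0x40: "inc eax", 0x41: "inc ecx", 0x42: "inc edx",
              0x43: "inc ebx", 0x4A: "dec edx"}
MIN_RUN = 24  # assumed run length, chosen for this example


def find_sled_runs(payload: bytes, min_run: int = MIN_RUN):
    """Return (offset, length, mnemonic) for each run of a sled byte."""
    pattern = re.compile(b"(.)\\1{" + str(min_run - 1).encode() + b",}", re.DOTALL)
    hits = []
    for m in pattern.finditer(payload):
        b = m.group(1)[0]
        if b in SLED_BYTES:
            hits.append((m.start(), len(m.group(0)), SLED_BYTES[b]))
    return hits


def looks_like_encoded_text(payload: bytes, offset: int, length: int, window: int = 64) -> bool:
    """True if the bytes around the run are printable ASCII with CRLF line ends,
    the shape of an encoded article body rather than raw machine code."""
    lo, hi = max(0, offset - window), min(len(payload), offset + length + window)
    ctx = payload[lo:hi]
    printable = all(0x20 <= c < 0x7F or c in (0x0D, 0x0A) for c in ctx)
    return printable and b"\r\n" in ctx


def classify(payload: bytes):
    """Label each run 'encoded-text' (likely false positive) or 'binary-run'."""
    return [(off, n, mn, "encoded-text" if looks_like_encoded_text(payload, off, n) else "binary-run")
            for off, n, mn in find_sled_runs(payload)]


# Constructed NNTP-style article body: a uuencode-looking line of repeated 'C' (0x43).
ARTICLE = (b"Subject: test\r\n\r\nbegin 644 file.bin\r\n"
           b"M" + b"C" * 40 + b"\r\n" + b"M" + b"ABCD" * 10 + b"\r\n`\r\nend\r\n")
# Constructed raw blob: the same inc ebx run wrapped in non-printable bytes.
BLOB = bytes(range(0x80, 0xC0)) + b"\x43" * 40 + bytes(range(0xC0, 0xFF))

if __name__ == "__main__":
    print(classify(ARTICLE))  # the run is flagged, but its context is encoded text
    print(classify(BLOB))     # the same run inside binary data
```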