Juha brings up a good point here. Notice that these two strings LOOK different but the garbage (shell code) at the end is in fact the same. These are after all buffer overflow exploits, which means that they fill up an input buffer so that it overflows and then insert some code to run at the end. So all the NNNNNNNN in the original exploit was doing was just taking up space in the buffer until it was overflowing and the shell code (the assembly code that runs and does the actual work) was inserted at the end. As such (and as a later email hints at) you should not have set up NNNNNNN as a trigger for your IDS. Set up a part of the shellcode instead. Do some research; it is extremely likely that the shellcode will be inserted at the exact same place in the packet regardless of what the first buffer filling text is.

Hope this helps

Dean

On Sun, Aug 05, 2001 at 11:53:09AM +1200, Juha Saarinen wrote:
I'm getting lots of hits on my home box, unfortunately. 142 since August 1 is the latest count. :-(
Noticed that the GET requests look different now:
203.231.234.229 - - [05/Aug/2001:11:46:35 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 283 "-" "-"
Whereas earlier on, they looked like this:
65.192.84.7 - - [05/Aug/2001:06:51:26 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 330 "-" "-"
-- Juha Saarinen
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
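Dean's point (key the IDS trigger on the shellcode, not on the filler characters) can be checked directly against the log lines quoted above. The Python below is an added example written for this page, not code from either poster. It parses Apache common-log lines, compares a filler-based rule against a rule keyed on the %u-encoded payload that both captured requests share, and shows that the payload after the filler is byte-for-byte identical whatever the filler character is. The log lines are constructed from the shapes in the thread with the filler shortened, plus an extra "AAAA" variant, a payload-less probe and a benign request that are assumptions added for contrast.

```python
import re

# Apache common-log line: client, ident, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The %u-encoded tail that both requests in the thread carry after the filler.
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
           "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# A short, stable slice of that payload used as the detection signature.
SHELLCODE_MARKER = "%u9090%u6858%ucbd3%u7801"

# Constructed sample log (filler shortened; the AAAA, probe and benign lines are assumptions).
SAMPLE_LOG = "\n".join([
    f'203.231.234.229 - - [05/Aug/2001:11:46:35 +1200] "GET /default.ida?{"X" * 32}{PAYLOAD} HTTP/1.0" 404 283 "-" "-"',
    f'65.192.84.7 - - [05/Aug/2001:06:51:26 +1200] "GET /default.ida?{"N" * 32}{PAYLOAD} HTTP/1.0" 400 330 "-" "-"',
    f'192.0.2.10 - - [05/Aug/2001:07:02:11 +1200] "GET /default.ida?{"N" * 32} HTTP/1.0" 400 330 "-" "-"',
    f'192.0.2.11 - - [05/Aug/2001:07:15:40 +1200] "GET /default.ida?{"A" * 32}{PAYLOAD} HTTP/1.0" 404 283 "-" "-"',
    '192.0.2.12 - - [05/Aug/2001:07:20:05 +1200] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
])


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def payload_after_filler(path):
    """The %u-encoded part of a /default.ida query, with the leading filler stripped.

    Returns None for other paths and "" when the query has no %-encoded tail.
    """
    prefix = "/default.ida?"
    if not path.startswith(prefix):
        return None
    query = path[len(prefix):]
    idx = query.find("%")
    return query[idx:] if idx >= 0 else ""


def filler_rule(path):
    """The weak trigger the thread warns against: keyed on the NNNN filler."""
    return path.startswith("/default.ida?NNNN")


def shellcode_rule(path):
    """The trigger Dean recommends: keyed on a slice of the shellcode itself."""
    return SHELLCODE_MARKER in path.lower()


def scan(log_text):
    """Run both rules over every parseable line and collect the verdicts."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        results.append({
            "ip": rec["ip"],
            "filler": filler_rule(rec["path"]),
            "shellcode": shellcode_rule(rec["path"]),
            "payload": payload_after_filler(rec["path"]),
        })
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["ip"]:16} filler={r["filler"]!s:5} shellcode={r["shellcode"]!s:5} '
              f'payload_len={len(r["payload"]) if r["payload"] else 0}')
```

Running it shows the filler rule missing the X and A variants while flagging the payload-less probe, whereas the shellcode rule fires on exactly the three lines that carry the payload, and `payload_after_filler` returns the same string for all three.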