
Detecting MS05-051 Attacks with Snort

The MS05-051 vulnerability, together with the related exploit code and worms, has been around for some time now. From an IDS point of view, how can attacks that exploit MS05-051 be detected?

Snort does ship a few rules that detect the requests associated with the attack, but these are far from detecting the attack itself:

alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT-UDP IXnRemote BuildContextW little endian attempt"; flowbits:isset,dce.bind.IXnRemote; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT v4 IXnRemote BuildContextW attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; pcre:"/^.{10}/sR";)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT-UDP v4 IXnRemote BuildContextW attempt"; content:"|04 00|"; byte_test:1,!&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|00 07|"; within:2; distance:28; pcre:"/^.{10}/sR";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT IXnRemote BuildContextW attempt"; flow:established,to_server; flowbits:isset,dce.bind.IXnRemote; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT IXnRemote BuildContextW little endian attempt"; flow:established,to_server; flowbits:isset,dce.bind.IXnRemote; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|07 00|"; within:2; distance:19;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT-UDP IXnRemote BuildContextW attempt"; flowbits:isset,dce.bind.IXnRemote; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 07|"; within:2; distance:19;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT v4 IXnRemote BuildContextW little endian attempt"; flow:established,to_server; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; pcre:"/^.{10}/sR";)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC DIRECT-UDP v4 IXnRemote BuildContextW little endian attempt"; content:"|04 00|"; byte_test:1,&,16,2,relative; content:"|E0 0C|k|90 0B C7|g|10 B3 17 00 DD 01 06|b|DA|"; within:16; distance:22; content:"|07 00|"; within:2; distance:28; pcre:"/^.{10}/sR";)

These rules can also raise alerts on perfectly normal requests, which is obviously unsatisfactory.


Vulnerability analysis
----------------------

To detect the attack we naturally first need a fairly deep root-cause analysis of the MS05-051 vulnerability; the analysis below is entirely compiled from the work of 小四 (scz at nsfocus dot com).

The root cause is a memory corruption problem that occurs when msdtcprx!BuildContextW() is called remotely. msdtcprx.dll!BuildContextW() corresponds to DCE-RPC opnum 7, and the parameters of the minimal request packet for that call, decoded by hand, are as follows:

--------------------------------------------------------------------------
0x00, 0x00,                                     // +0x000 start of param0, 2 bytes long
0x00, 0x00,                                     // padding bytes, 4-byte alignment
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // +0x004 start of param1, 24 bytes long
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00,                         // +0x018 start of param2: maximum possible length of the parameter, 4 bytes long
0x00, 0x00, 0x00, 0x00,                         // minimum possible length of the parameter, 4 bytes long
0x01, 0x00, 0x00, 0x00,                         // actual length of the parameter, 4 bytes long
0x00, 0x00,                                     // parameter string, Unicode
0x00, 0x00,                                     // padding bytes, 4-byte alignment
0x01, 0x00, 0x00, 0x00,                         // +0x028 pwszHostName, start of param3: maximum possible length of the parameter, 4 bytes long
0x00, 0x00, 0x00, 0x00,                         // minimum possible length of the parameter, 4 bytes long
0x01, 0x00, 0x00, 0x00,                         // actual length of the parameter, 4 bytes long
0x00, 0x00,                                     // parameter string, Unicode
0x00, 0x00,                                     // padding bytes, 4-byte alignment
0x01, 0x00, 0x00, 0x00,                         // +0x038 pwszUuidString, start of param4: maximum possible length of the parameter, 4 bytes long; normally this should be 0x00000025, and anything larger is malformed
0x00, 0x00, 0x00, 0x00,                         // minimum possible length of the parameter, 4 bytes long
0x01, 0x00, 0x00, 0x00,                         // actual length of the parameter, 4 bytes long
0x00, 0x00,                                     // parameter string, Unicode
0x00, 0x00,                                     // padding bytes, 4-byte alignment
0x01, 0x00, 0x00, 0x00,                         // +0x048 start of param5: maximum possible length of the parameter, 4 bytes long; normally this should be 0x00000025, and anything larger is malformed
0x00, 0x00, 0x00, 0x00,                         // minimum possible length of the parameter, 4
