MS15-034 is currently being actively exploited in the wild. There are multiple blogs detailing the issue and providing PoCs for it. I've put together a very basic Snort rule based on the blog post from Didier Stevens.
alert tcp any any <> any any (msg:"MS Windows: CVE-2015-1635"; flow:to_server,established; pcre:"/^Range:\x20bytes[^\r\n]*18446744073709551615/smi"; classtype:attempted-dos; sid:12345; rev:1;)
Sample capture here.
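To see exactly what the rule's pcre option does and does not catch before deploying it, here is an added Python check (not part of the original post, and not Snort code) that applies the same regular expression to a few constructed HTTP requests. Snort's /smi flags map to re.DOTALL, re.MULTILINE and re.IGNORECASE; the request samples, the host name and the helper names are my own.

```python
import re
from typing import List, Optional, Tuple

# Same expression as the pcre option in the Snort rule above.
# Snort's trailing /smi flags correspond to these three re flags.
RANGE_PCRE = re.compile(
    rb"^Range:\x20bytes[^\r\n]*18446744073709551615",
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)


def matches_ms15_034_rule(request: bytes) -> bool:
    """Return True when the request payload satisfies the rule's pcre.

    This only reproduces the content match. The real rule additionally
    requires the flow to be established and headed to the server.
    """
    return RANGE_PCRE.search(request) is not None


def build_request(range_header: Optional[str]) -> bytes:
    """Build a minimal GET request, optionally with a Range header (constructed sample)."""
    lines = ["GET / HTTP/1.1", "Host: host.example"]  # hypothetical host name
    if range_header is not None:
        lines.append(range_header)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def classify_samples() -> List[Tuple[str, bool]]:
    """Run the check over constructed samples and report which ones fire."""
    samples = [
        # The header sent by the wget command from the comments.
        ("poc_range", build_request("Range: bytes=1-18446744073709551615")),
        # Header names are case-insensitive in HTTP; the /i flag covers this.
        ("poc_range_mixed_case", build_request("range: BYTES=1-18446744073709551615")),
        # A normal partial-content request must not trigger the rule.
        ("benign_range", build_request("Range: bytes=0-1023")),
        # No Range header at all.
        ("no_range", build_request(None)),
    ]
    return [(name, matches_ms15_034_rule(payload)) for name, payload in samples]


if __name__ == "__main__":
    for name, fired in classify_samples():
        print(f"{name:22s} -> {'ALERT' if fired else 'no alert'}")
```

Running the script prints ALERT only for the two PoC-style requests; the benign range and the request without a Range header stay quiet, which is the behaviour you want to confirm before tuning the rule further.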
I added this rule but it doesn't seem to be firing when doing a simple wget request. Can you show the wget request to trigger this rule? Thanks!
My bad, there was a minor bug in the direction of the rule. Fixed it. Try using the updated rule.

wget --header "Range: bytes=1-18446744073709551615" http://host
This wget should get the rule triggering.