On Fri, 24 Sep 2004 [EMAIL PROTECTED] wrote:
> Hi All,
>
> I've done my *first* ndb sigs for some of the current Windows exploits:
>
> JS.dragdrop.1:3:*:64796E7372633D22*2E65786522
> JS.dragdrop.2:3:*:666F6C6465723D227368656C6C??7374617274757022
> exploit.jpg:5:*:FFD8FF(E0|FE)*FFFE00(00|01)
>
> They need testing I guess... but no problems here... so far.

Slight modification to the last one. The new .ndb file allows the signature offset to be defined, so instead of * in the third field you should put 0 to anchor the JPEG magic number to the start of the file. The 5 means it is definitely a graphics file before it is checked against the signature but that encompasses more than just JPEGs. I'm using Exploit.MS04-028:5:0:ffd8ff(e0|fe)*fffe00(00|01) here which works fine for me.

A quick question for the database maintainers though - are you planning to add a signature for this exploit (particularly now that an exploit toolkit exists)? All of my commercial scanners here now detect it - F-Prot even released a new version yesterday to specifically catch it.

Thanks,
Andy

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
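As an added illustration (not ClamAV's own matcher and not code from the thread), a simplified Python reading of the ndb syntax used above: hex byte pairs, `??` for any one byte, `*` for any run of bytes, `(aa|bb)` alternatives, and the offset field that the reply recommends setting to 0. The JPEG-like byte strings and the helper names (`parse_ndb`, `hexsig_to_regex`, `scan`) are constructed here for the demonstration.

```python
import re

SIGNATURE = "Exploit.MS04-028:5:0:ffd8ff(e0|fe)*fffe00(00|01)"  # ndb line from the thread

def parse_ndb(line):
    """Split one .ndb line into Name:TargetType:Offset:HexSig (hypothetical helper)."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}

def hexsig_to_regex(hexsig):
    """Translate the hex-signature subset used in the thread into a bytes regex.
    Simplified re-implementation for illustration, not ClamAV's engine."""
    s, i, parts = hexsig.lower(), 0, []
    while i < len(s):
        if s[i] == "*":                      # any run of bytes, possibly empty
            parts.append(b".*?")
            i += 1
        elif s[i:i + 2] == "??":             # exactly one arbitrary byte
            parts.append(b".")
            i += 2
        elif s[i] == "(":                    # (aa|bb) alternatives
            j = s.index(")", i)
            alts = [re.escape(bytes.fromhex(a)) for a in s[i + 1:j].split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
            i = j + 1
        else:                                # literal hex byte
            parts.append(re.escape(bytes.fromhex(s[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)

def scan(sig, data):
    """True if data matches sig. Offset '*' lets the pattern start anywhere;
    a numeric offset anchors its first byte there (0 = start of file)."""
    rx = hexsig_to_regex(sig["hexsig"])
    if sig["offset"] == "*":
        return rx.search(data) is not None
    return rx.match(data, int(sig["offset"])) is not None

# Constructed samples: JFIF header then a COM (0xFFFE) segment. A COM length
# counts its own two bytes, so 0 or 1 is impossible in a well-formed file.
JFIF_HEAD = bytes.fromhex("ffd8ffe00010") + b"JFIF\x00\x01\x01" + b"\x00" * 7
SUSPECT = JFIF_HEAD + bytes.fromhex("fffe0000") + b"\x00" * 16
BENIGN = JFIF_HEAD + bytes.fromhex("fffe0010") + b"comment here!!" + bytes.fromhex("ffd9")
EMBEDDED = b"GIF89a" + SUSPECT  # same bytes, but not at offset 0

if __name__ == "__main__":
    sig = parse_ndb(SIGNATURE)
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN), ("embedded", EMBEDDED)):
        print(f"{sig['name']} offset={sig['offset']} {label}: {scan(sig, blob)}")
```

With the offset anchored at 0 the embedded copy is not flagged; changing the offset back to `*` in `scan` makes it match again, which is the trade-off the reply describes.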