Check for sec_addr_len being 0

corelight · Apr 27, 2022 · c679fe8 · c679fe8
1 parent 3b04fc2
commit c679fe8
Showing 1 changed file with 26 additions and 9 deletions.
diff --git a/scripts/main.zeek b/scripts/main.zeek
@@ -72,6 +72,27 @@ function correct_frag_length(data: string, regex: pattern): bool
 	return frag_len == |data| - mres$off + 1;
 }
 
+# Required for the underflow to occur.
+function sec_addr_is_zero(data: string, regex: pattern): bool
+{
+	local mres = match_pattern(data, regex);
+	if ( ! mres$matched )
+		return F;
+
+	# mres$off - 1 is the offset to the start of the DCERPC section
+	# 24 bytes until we hit sec_addr_len.
+	local start = mres$off - 1 + 24;
+	local end = mres$off - 1 + 26;
+	if ( end > |data| )
+		return F;
+	local sec_addr_len_bytes = data[start:end];
+	if ( |sec_addr_len_bytes| == 0 )
+		return F;
+
+	local sec_addr_len = bytestring_to_count(data[start:end]);
+	return sec_addr_len == 0;
+}
+
 # Should work if Zeek parsed malformed Bind ACKs correctly.
 event dce_rpc_bind_ack(c: connection, fid: count, sec_addr: string)
 {
@@ -91,29 +112,25 @@ event dce_rpc_bind_ack(c: connection, fid: count, sec_addr: string)
 		    $regex="big_endian",
 		    $data=pkt$data));
 }
-# Main event
+
+# Exploit Bind ACKs are malformed, so we have to detect here.
 event dce_rpc_message(c: connection, is_orig: bool, fid: count, ptype_id: count,
     ptype: DCE_RPC::PType)
 {
 	if ( ptype != DCE_RPC::BIND_ACK )
 		return;
-	#if ( ! c?$dce_rpc || ! c$dce_rpc?$named_pipe || ! c$dce_rpc?$endpoint )
-	#		return;
-	#if ( c$dce_rpc$named_pipe != "\pipe\lsass"
-	#    || c$dce_rpc$endpoint != "efsrpc2" )
-	#		return;
-	# c$dce_rpc and c$dce_rpc_state are unfortunately not populated yet, so
-	# we cannot check for those to make the detection more robust.
 	local pkt = get_current_packet();
 	if ( big_endian_specific in pkt$data && correct_frag_length(pkt$data,
+	    big_endian_specific) && sec_addr_is_zero(pkt$data,
 	    big_endian_specific) ) {
 		NOTICE([
 		    $note=ExploitSuccess,
 		    $msg=fmt("%s exploited %s", c$id$orig_h, c$id$resp_h),
 		    $sub="Found via big_endian_specific (in dce_rpc_message)",
 		    $identifier=cat(c$id$orig_h, c$id$resp_h)]);
 	}
-	if ( big_endian in pkt$data && correct_frag_length(pkt$data, big_endian) ) {
+	if ( big_endian in pkt$data && correct_frag_length(pkt$data, big_endian) &&
+	    sec_addr_is_zero(pkt$data, big_endian) ) {
 		NOTICE([
 		    $note=ExploitSuccess,
 		    $msg=fmt("%s exploited %s", c$id$orig_h, c$id$resp_h),