Exploitation of CVE-2012-0003: Heap Overflow in winmm.dll

The first in-the-wild exploit for MS12-004 was seen last Friday. As soon as the exploit attempt was discovered, researchers were quick to post their analysis of the vulnerability.

A Metasploit module was also made available to the public in Metasploit revision 14640. In this post I will share a video of the exploitation of this vulnerability along with a detection mechanism for the exploit.

Exploitation Video:


Detection Mechanism:

The following two Snort rules detect the exploitation attempt of CVE-2012-0003. Both rules were tested against traffic generated by the Metasploit exploit module.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Generic Heap Spray Flowbit set"; flow:to_client,established; content:"%u0c0c%u0c0c"; nocase; fast_pattern:only; flowbits:set,cv.genShellcode; flowbits:noalert; sid:1000008; rev:1;)

This rule matches the generic %u0c0c%u0c0c heap-spray pattern in server-to-client HTTP traffic and sets the cv.genShellcode flowbit on that flow; because of flowbits:noalert it never raises an alert by itself.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Exploitation attempt of CVE-2012-0003"; flow:to_client,established; flowbits:isset,cv.genShellcode; content:"|4D 54 68 64 00 00 00 06|"; nocase; fast_pattern:only; flowbits:unset,cv.genShellcode; sid:1000009; rev:1;)

This rule alerts only when the shellcode flowbit is already set on the flow and the Standard MIDI File header is seen (the bytes 4D 54 68 64 00 00 00 06 are the "MThd" chunk id followed by its fixed big-endian length of 6); it then clears the flowbit so one spray page cannot keep firing the alert.
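To make the two-stage flowbit logic concrete, here is an added Python emulation of the rule pair above. It is not part of the original post and not Snort code: it applies the same two checks (the case-insensitive heap-spray string, then the MIDI header chunk) to constructed server-to-client HTTP payloads, keeping the cv.genShellcode state per flow exactly as the rules do. The payloads and flow ids are constructed sample data.

```python
import re

# Added example (not from the original post): a minimal emulation of the
# two Snort rules and their shared flowbit, run over constructed payloads.

# Rule 1 content "%u0c0c%u0c0c" with nocase -> case-insensitive search.
HEAP_SPRAY_PATTERN = re.compile(rb"%u0c0c%u0c0c", re.IGNORECASE)

# Rule 2 content |4D 54 68 64 00 00 00 06| = "MThd" chunk id followed by the
# big-endian chunk length 6 that every Standard MIDI File header carries.
MIDI_HEADER = b"MThd\x00\x00\x00\x06"
MIDI_HEADER_PATTERN = re.compile(re.escape(MIDI_HEADER), re.IGNORECASE)

ALERT_MSG = "Exploitation attempt of CVE-2012-0003"


def inspect_payload(flows, flow_id, payload):
    """Apply both rules to one server->client payload on the given flow.

    `flows` maps a flow id to the current value of the cv.genShellcode
    flowbit. Returns the list of alert messages raised for this payload.
    """
    alerts = []
    # sid 1000008: spray pattern seen -> set the flowbit, flowbits:noalert.
    if HEAP_SPRAY_PATTERN.search(payload):
        flows[flow_id] = True
    # sid 1000009: flowbit must already be set on this flow and the MIDI
    # header must appear; alert, then unset the flowbit.
    if flows.get(flow_id) and MIDI_HEADER_PATTERN.search(payload):
        alerts.append(ALERT_MSG)
        flows[flow_id] = False
    return alerts


def run_samples():
    """Feed constructed traffic through the rules; returns alerts per flow."""
    # Constructed sample responses (not captured traffic).
    html_spray = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<script>var s=unescape('%u0C0C%u0c0c');</script>")
    midi_file = (b"HTTP/1.1 200 OK\r\nContent-Type: audio/midi\r\n\r\n"
                 + MIDI_HEADER + b"\x00\x00\x00\x01\x00\x60MTrk")
    plain_page = b"HTTP/1.1 200 OK\r\n\r\n<html><body>hello</body></html>"

    samples = {
        # spray page then the MIDI file on the same connection -> alert
        "flow-a": [html_spray, midi_file],
        # ordinary MIDI download with no spray on the flow -> no alert
        "flow-b": [plain_page, midi_file],
        # MIDI seen before the spray: flowbit not yet set -> no alert
        "flow-c": [midi_file, html_spray],
    }
    flows = {}
    results = {}
    for flow_id, payloads in samples.items():
        results[flow_id] = [alert for payload in payloads
                            for alert in inspect_payload(flows, flow_id, payload)]
    return results


if __name__ == "__main__":
    for flow_id, alerts in run_samples().items():
        print(flow_id, alerts or "no alert")
```

The three sample flows show the two properties a flowbit pair like this depends on: the state is scoped to a single TCP session, so both rules have to match on the same connection, and the order matters, since the MIDI header only counts once the spray has already set the bit.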

Stay safe!

One Response to “Exploitation of CVE-2012-0003: Heap Overflow in winmm.dll”

  1. vanya Says:

    nice work :)

This entry was posted on Monday, January 30th, 2012 at 3:28 am and is filed under Exploitation, Information Security, Snort Signature.