Very first exploit for the MS12-004 was seen in the wild on last Friday. As soon as the discovery of the exploit attempt was made, researchers were quick to post their analysis on the vulnerability.
Metasploit module was also made available to public in its latest revision 14640. In this post I will share a video of the exploitation of this vulnerability along with the exploit detection mechanism.
Following 2 SNORT rules will be able to detect the exploitation attempt of CVE-2012-0003. Both rules are tested against traffic generated by Metaploit exploit module.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Generic Heap Spray Flowbit set";flow:to_client, established;content:"%u0c0c%u0c0c";nocase;fast_pattern:only; flowbits:set,cv.genShellcode; flowbits:noalert; sid:1000008; rev:1;)
This rule sets a flowbit for Generic Heap Spray shellcode.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Exploitation attempt of CVE-2012-0003";flow:to_client, established;flowbits:isset, cv.genShellcode; content:"|4D 54 68 64 00 00 00 06 |";nocase;fast_pattern:only;flowbits:unset,cv.genShellcode;sid:1000009;rev:1;)
This rule checks if the shellcode flowbit is set and then checks for the MIDI file header.