[Emerging-Sigs] Signature for AOA Audio Extractor v2.x ActiveX ROP exploit

dave richards dave.richards0319 at gmail.com
Tue Oct 12 02:04:14 EDT 2010


Hi Matt,

Please find the signature for AoA Audio Extractor v2.x ActiveX ROP exploit:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"WEB-ATTACKS AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; \
    flow:to_client,established; \
    content:"<OBJECT "; nocase; \
    content:"classid"; nocase; distance:0; \
    content:"CLSID"; nocase; distance:0; \
    content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; \
    content:"InitLicenKeys"; nocase; \
    pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*125C3F0B-1073-4783-9A7B-D33E54269CA5/si"; \
    classtype:web-application-attack; \
    reference:url,exploit-db.com/exploits/14599/; \
    reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; \
    sid:2010985; rev:1;)
-- 
Regards,
Dave
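
Added example, not part of the original post: a Python approximation of the rule's content chain and pcre, run over constructed HTML payloads to check which pages the signature would fire on. The sample pages, the `target` id and the argument-less `InitLicenKeys()` call are constructed placeholders, and the matcher emulates Snort's option semantics rather than running Snort.

```python
import re

CLSID = "125C3F0B-1073-4783-9A7B-D33E54269CA5"
# Relative content chain from the rule: all nocase, each later match distance:0.
CHAIN = ["<OBJECT ", "classid", "CLSID", CLSID]
# The rule's pcre; the /si flags map to re.S | re.I.
RULE_PCRE = re.compile(
    r"<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*" + CLSID,
    re.S | re.I,
)

def rule_matches(payload: str) -> bool:
    """Approximate the rule: every content match and the pcre must succeed."""
    low = payload.lower()
    pos = 0
    for needle in CHAIN:  # distance:0 -> search resumes after the previous match
        hit = low.find(needle.lower(), pos)
        if hit < 0:
            return False
        pos = hit + len(needle)
    # "InitLicenKeys" carries no distance/within, so it may sit anywhere.
    if "initlicenkeys" not in low:
        return False
    return RULE_PCRE.search(payload) is not None

# Constructed sample payloads (not captured traffic).
TAG = '<object classid="clsid:%s" id="target"></object>' % CLSID
CALL = "<script>target.InitLicenKeys();</script>"
SAMPLES = {
    "tag_and_method": TAG + CALL,
    "method_before_tag": CALL + TAG,
    "lowercase_braced": "<object classid='clsid:{%s}'></object>%s" % (CLSID.lower(), CALL),
    "tag_only": TAG,
    "other_clsid": TAG.replace(CLSID, "00000000-0000-0000-0000-000000000000") + CALL,
    "newline_after_object": TAG.replace("<object ", "<object\n") + CALL,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22} fires={rule_matches(payload)}")
```

The first three samples fire and the last three do not. The rule keys on the control being instantiated together with the method name appearing anywhere in the payload, and the literal space in `content:"<OBJECT "` is stricter than the pcre's `\s+`, so a tag with a newline after `<object` passes the pcre but not the content chain.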

