[Emerging-Sigs] Rule 2011478

Lay, James james.lay at wincofoods.com
Fri Oct 14 11:09:51 EDT 2011

This rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:2;)

fires on flv and swf files…according to the exploit it’s for Word docs (RTF is specifically called out).  Unless I’m reading it wrong ☺
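
Added example (not part of the original post and not Emerging Threats code): a simplified Python model of the rule's payload options, showing that nothing in them ties a match to a Word or RTF file, so any binary body that carries the two 3-byte sequences can match. The function names, the magic-byte table and the sample buffers are constructed for illustration, and `isdataat:84,relative` is modelled as "at least 84 bytes follow the match".

```python
# Added example: simplified model of sid:2011478's payload options.
FIRST = bytes.fromhex("47CAFF")    # content:"|47 CA FF|"
SECOND = bytes.fromhex("3EC6FF")   # content:"|3E C6 FF|"; distance:0
WINDOW = 84                        # isdataat:84,relative / within:84
# Leading magic bytes used only for triage (hypothetical helper table).
MAGIC = {b"FWS": "swf", b"CWS": "swf", b"FLV": "flv",
         b"{\\rtf": "rtf", bytes.fromhex("D0CF11E0"): "ole2-doc"}

def find_all(buf, needle, start=0):
    """Yield every offset >= start where needle occurs."""
    pos = buf.find(needle, start)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)

def rule_matches(payload):
    """Return (first_off, second_off) for the first combination that satisfies
    every option, else None. Later occurrences are retried, as an IDS would."""
    for a in find_all(payload, FIRST):
        for b in find_all(payload, SECOND, a + len(FIRST)):
            end = b + len(SECOND)
            if len(payload) - end < WINDOW:        # isdataat:84,relative
                break                              # later offsets have even less data
            if b"\x0a" not in payload[end:end + WINDOW]:  # content:!"|0A|"; within:84
                return (a, b)
    return None

def file_kind(body):
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return "unknown"

def triage(body):
    """Flag hits on bodies that are not the document types the rule is written for."""
    kind, hit = file_kind(body), rule_matches(body)
    return {"kind": kind, "hit": hit,
            "outside_expected_type": hit is not None and kind not in ("rtf", "ole2-doc")}

# Constructed sample bodies (not real captures).
PAD = b"\x00" * 100
SWF_LIKE = b"CWS" + b"\x11" * 40 + FIRST + b"\x22" * 500 + SECOND + PAD
RTF_LIKE = b"{\\rtf1" + FIRST + SECOND + PAD
NEWLINE_NEAR = b"FLV" + FIRST + SECOND + b"\x00" * 10 + b"\x0a" + PAD

if __name__ == "__main__":
    for name, body in [("swf-like", SWF_LIKE), ("rtf-like", RTF_LIKE), ("newline", NEWLINE_NEAR)]:
        print(name, triage(body))
```

The SWF-like buffer matches exactly as the RTF-like one does, because the options only look at byte sequences and not at the file type.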
