Cisco Support Community
New Member

Anyone come up with a custom sig for WMF Exploit?

Based on bleeding snort sid, this is what I've got, but it doesn't seem to be working:

wmf exploit file:

\x01\x00\x09\x00\x00\x03.{10}\x00\x00.{0, 5000}\x26\x06\x09\x00
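An added example, not part of the original thread: the byte pattern from the question, run with Python's `re` module over constructed, payload-free sample bytes. The field names (WMF header, META_ESCAPE 0x0626, escape function 0x0009 SETABORTPROC), the helper names and the sample are assumptions added here, and Python's regex dialect is not the sensor's.

```python
import re
import struct

PREFIX = rb"\x01\x00\x09\x00\x00\x03.{10}\x00\x00"  # 18-byte WMF header
ESCAPE = rb"\x26\x06\x09\x00"  # record function 0x0626, escape function 0x0009

# Quantifier written without a space; DOTALL lets "." match 0x0A bytes too.
SIG = re.compile(PREFIX + rb".{0,5000}" + ESCAPE, re.DOTALL)
# Quantifier exactly as posted: Python's re reads "{0, 5000}" as literal text.
SIG_AS_POSTED = re.compile(PREFIX + rb".{0, 5000}" + ESCAPE, re.DOTALL)
# Same as SIG without DOTALL: fails when a wildcard position holds 0x0A.
SIG_NO_DOTALL = re.compile(PREFIX + rb".{0,5000}" + ESCAPE)


def build_sample(with_escape):
    """Constructed WMF-shaped bytes with no payload, for testing only."""
    records = struct.pack("<IHH", 4, 0x0103, 8)  # META_SETMAPMODE record
    if with_escape:
        # META_ESCAPE record: size, function 0x0626, escape 0x0009, ByteCount 0
        records += struct.pack("<IHHH", 5, 0x0626, 9, 0)
    records += struct.pack("<IH", 3, 0)  # META_EOF record
    words = (18 + len(records)) // 2
    # Type, HeaderSize, Version, Size, NumberOfObjects (10 = 0x0A, chosen to
    # exercise DOTALL), MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, words, 10, 5, 0)
    return header + records


def scan(data, sig=SIG):
    """Return the offset of the first match in data, or None."""
    m = sig.search(data)
    return m.start() if m else None


# Constructed HTTP response carrying the sample as its body.
HTTP_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: image/x-wmf\r\n\r\n"

if __name__ == "__main__":
    flagged = HTTP_HEAD + build_sample(True)
    clean = HTTP_HEAD + build_sample(False)
    print("escape record present:", scan(flagged))
    print("no escape record:     ", scan(clean))
    print("pattern as posted:    ", scan(flagged, SIG_AS_POSTED))
    print("without DOTALL:       ", scan(flagged, SIG_NO_DOTALL))
```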

3 REPLIES
Cisco Employee

Re: Anyone come up with a custom sig for WMF Exploit?

Signature 5693-1 which was released in S210 addresses this vulnerability.

New Member

Re: Anyone come up with a custom sig for WMF Exploit?

I installed release S211 (modified 5693-1 signature) and attempted to download a WMF file across the sensor, but the signature did not fire. What causes the WMF signature to fire?

Cisco Employee

Re: Anyone come up with a custom sig for WMF Exploit?

This signature fires upon detecting a malicious wmf file downloaded from a web server running on a port specified in the #WEBPORTS variable.
