Tuesday, April 24, 2012

Block MS12-020 with iptables

In a recent competition, our team needed something that could block the MS12-020 exploit (it blue-screens the target, and a downed host would cost us points). The Remote Desktop version in use was too old to support Network Level Authentication (NLA), so that option was out. We decided instead to drop packets carrying the MS12-020 shellcode at the firewall. We were able to drop the packets containing the shellcode while keeping Remote Desktop working. The rule is listed below.

-A FORWARD -p tcp -m tcp --dport 3389 -m string --algo bm --hex-string "|04 01 01 04 01 01 01 01 ff 30 19 02 01 ff 02 01 ff 02 01 00 02|" -j DROP

The --hex-string argument can be changed to block other malicious payloads as long as a hex signature has been identified. This is very useful when you don't have the ability to set up something like Network Level Authentication but still need to protect against common exploits. Let us know what you think!
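To show what the rule above actually evaluates, here is an added example (not part of the original post) that parses the xt_string --hex-string notation into bytes, applies the match the way the kernel module does (destination port 3389 and the signature present anywhere in a single packet's payload), and emits a LOG-then-DROP pair so hits show up in syslog. The packet payloads are constructed test data: the "benign" one is a minimal X.224 Connection Request of the kind RDP clients send, and the "matching" one is filler bytes with the post's signature embedded; neither is real exploit traffic. The function and variable names are this example's own.

```python
"""Simulate the iptables string-match rule from the post over constructed RDP payloads."""
import re

# Hex signature exactly as given in the post's --hex-string argument.
RULE_HEX_STRING = "|04 01 01 04 01 01 01 01 ff 30 19 02 01 ff 02 01 ff 02 01 00 02|"


def parse_hex_string(spec: str) -> bytes:
    """Convert xt_string's --hex-string notation to bytes.

    Text outside |...| is taken literally; text inside |...| is hex bytes
    separated by optional whitespace, e.g. "GET |0d 0a|" -> b"GET \r\n".
    """
    out = bytearray()
    pos = 0
    for m in re.finditer(r"\|([0-9a-fA-F\s]*)\|", spec):
        out += spec[pos:m.start()].encode("latin-1")
        hexdigits = "".join(m.group(1).split())
        if len(hexdigits) % 2:
            raise ValueError("odd number of hex digits in %r" % m.group(0))
        out += bytes.fromhex(hexdigits)
        pos = m.end()
    out += spec[pos:].encode("latin-1")
    return bytes(out)


SIGNATURE = parse_hex_string(RULE_HEX_STRING)

# Constructed test payloads (not captured traffic).
# TPKT header + X.224 Connection Request + rdpNegReq, 19 bytes: a normal RDP client hello.
BENIGN_CONNECT = bytes.fromhex("0300001" "3" "0ee000000000000100080003000000")
# TPKT header + filler with the post's signature embedded somewhere in the middle.
MATCHING_PAYLOAD = b"\x03\x00\x00\x30" + b"\x02\xf0\x80" + b"\x00" * 8 + SIGNATURE + b"\x00" * 16


def verdict(payload: bytes, dport: int, signature: bytes = SIGNATURE) -> str:
    """Return "DROP" if this single packet would match the rule, else "ACCEPT".

    Mirrors the rule's two conditions: TCP destination port 3389 and the
    signature appearing anywhere in the packet payload. xt_string inspects
    one packet at a time, so this simulation, like the module, sees only the
    bytes of the packet it is given.
    """
    if dport != 3389:
        return "ACCEPT"
    return "DROP" if signature in payload else "ACCEPT"


def render_rules(chain: str, signature_spec: str = RULE_HEX_STRING) -> list:
    """Emit a LOG rule followed by the DROP rule so that hits are visible in syslog.

    The post uses the FORWARD chain (firewall in front of the RDP host); on the
    RDP host itself the equivalent chain is INPUT.
    """
    match = '-p tcp -m tcp --dport 3389 -m string --algo bm --hex-string "%s"' % signature_spec
    return [
        '-A %s %s -j LOG --log-prefix "rdp-sig-drop: "' % (chain, match),
        "-A %s %s -j DROP" % (chain, match),
    ]


if __name__ == "__main__":
    print("signature bytes:", SIGNATURE.hex())
    print("benign connect :", verdict(BENIGN_CONNECT, 3389))
    print("matching packet:", verdict(MATCHING_PAYLOAD, 3389))
    print("\n".join(render_rules("FORWARD")))
```

Two things worth keeping in mind when adapting this: the string match only looks inside one packet, so it is a per-segment signature check rather than stream inspection, and a 21-byte signature like this one is long enough that accidental hits on legitimate RDP traffic are unlikely, but the LOG rule is what lets you confirm that on your own network before trusting the DROP.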

-- d0m3$t!k and r00t0v3rr1d3

This is officially the beginning of the Delusions of Grandeur blog. Hopefully we will have good things to say, and you can check back here occasionally when we discover cool new things.

-- Delusions of Grandeur