In a recent competition, our team was in need of something that could block the ms12-020 exploit (we would lose points with the BSOD). The remote desktop version being run was not recent enough to support NLA, so that was out the door. We decided to try to drop packets with ms12-020 shellcode in them at the firewall. We were able to successfully drop packets with shellcode in them and keep Remote Desktop working. The rule is listed below.
-A FORWARD -p tcp -m tcp --dport 3389 -m string --algo bm --hex-string "|04 01 01 04 01 01 01 01 ff 30 19 02 01 ff 02 01 ff 02 01 00 02|" -j DROP
The --hex-string attribute can be expanded upon to block any malicious payloads as long as a hex signature is identified. This is obviously very useful when you don't have the ability to set up something like Network Level Authentication, but still need to protect against common exploits. Let us know what you think!
-- d0m3$t!k and r00t0v3rr1d3
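Added illustration (not part of the original post): a small Python model of what the string match in the rule above actually decides. It decodes the rule's --hex-string value into bytes, then applies the same "port 3389 and signature present" test to a few constructed packets. The parse_hex_string helper is a simplified reimplementation of the pipe-delimited syntax of the iptables string module written for this example (it does not handle backslash-escaped pipes), and all sample packets are constructed here, not captured traffic.

```python
"""Model of an iptables string-match rule over sample RDP packets (added example)."""

# Signature copied verbatim from the --hex-string argument of the post's rule.
RULE_HEX_STRING = "|04 01 01 04 01 01 01 01 ff 30 19 02 01 ff 02 01 ff 02 01 00 02|"
RULE_DPORT = 3389


def parse_hex_string(spec: str) -> bytes:
    """Decode the pipe-delimited syntax used by iptables --hex-string.

    Bytes between '|' pairs are hex (spaces allowed); text outside the pipes
    is taken literally. Simplified reimplementation for this example only;
    backslash-escaped pipes are not supported.
    """
    if spec.count("|") % 2:
        raise ValueError("unbalanced '|' in hex-string")
    out = bytearray()
    for idx, chunk in enumerate(spec.split("|")):
        if idx % 2:  # odd chunks sit between pipes: hex digits
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:        # even chunks are literal text
            out += chunk.encode("latin-1")
    return bytes(out)


SIGNATURE = parse_hex_string(RULE_HEX_STRING)


def verdict(dport: int, payload: bytes, signature: bytes = SIGNATURE) -> str:
    """Return 'DROP' if the packet would hit the rule, else 'ACCEPT'.

    The kernel's xt_string module runs a Boyer-Moore (--algo bm) search over
    each packet on its own; Python's substring test gives the same yes/no
    answer for a single packet.
    """
    if dport == RULE_DPORT and signature in payload:
        return "DROP"
    return "ACCEPT"


# Constructed sample packets (not real captures).
# A TPKT/X.224 connection request of the kind an RDP client sends at connect time.
BENIGN_RDP = bytes.fromhex("030000130ee000000000000100080000000000")
# Filler bytes with the post's signature embedded in the middle.
FLAGGED_RDP = b"\x03\x00\x00\x40" + b"\x7f\x65\x82" + SIGNATURE + b"\x00" * 8
# The same bytes split across two TCP segments at an arbitrary point.
SPLIT_A, SPLIT_B = FLAGGED_RDP[:12], FLAGGED_RDP[12:]


def demo() -> dict:
    """Run the rule over the samples and return the verdicts."""
    return {
        "benign": verdict(3389, BENIGN_RDP),
        "flagged": verdict(3389, FLAGGED_RDP),
        "other_port": verdict(80, FLAGGED_RDP),
        "segment_a": verdict(3389, SPLIT_A),
        "segment_b": verdict(3389, SPLIT_B),
    }


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:>10}: {v}")
```

Two points the model makes visible. First, the benign connection request passes and only the packet carrying the full signature on port 3389 is dropped, which is the behaviour the post reports. Second, the string module works per packet (it scans from --from, default offset 0, to --to, default 65535, so headers are included), not per TCP stream: when the flagged bytes arrive split across two segments, neither segment matches on its own and both are accepted. That is the main limit of a signature rule of this kind and the reason it is a stopgap for hosts that cannot use NLA rather than a replacement for it.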