Monday, October 22, 2007

ADM template for Client side sploits

Here is an ADM template that sets the kill bit for the vulnerable RealPlayer ActiveX control, plus a policy hack for Adobe Reader and Acrobat 8.0 to set the mailto:3 stuff from APSA07-04. Use at your own risk; if this hoses your box and/or domain, don't come crying to me ;-)....

; Machine-side template: one category, three policies. String references use !!name
; and resolve against the [strings] section at the bottom.
CLASS MACHINE

CATEGORY !!VulnFixes

; Setting bit 0x400 (1024) in "Compatibility Flags" under the control's CLSID is IE's
; kill bit: the control is no longer instantiated even though it stays installed.
POLICY "Vulnerable Real Player ActiveX component"
KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}"
EXPLAIN !!Killit
VALUENAME "Compatibility Flags"
VALUEON NUMERIC 1024
VALUEOFF NUMERIC 0
END POLICY

; Adobe's APSA07-04 workaround: set mailto: to level 3 in tSchemePerms.
POLICY "Vulnerable Adobe Acrobat Reader 8"
KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown\cDefaultLaunchURLPerms"
EXPLAIN "Set mailto:3 per http://www.adobe.com/support/security/advisories/apsa07-04.html"
VALUENAME "tSchemePerms"
VALUEON "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2"
VALUEOFF "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:1"
END POLICY

; Same workaround for the full Acrobat product, which lives under a different policy key.
POLICY "Vulnerable Adobe Acrobat 8"
KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockdown\cDefaultLaunchURLPerms"
EXPLAIN "Set mailto:3 per http://www.adobe.com/support/security/advisories/apsa07-04.html"
VALUENAME "tSchemePerms"
VALUEON "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:3|file:2"
VALUEOFF "version:1|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:1"
END POLICY

END CATEGORY

[strings]
VulnFixes="VulnFixes"
Killit="Set kill bit"
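Once the template has been pushed out, the thing you actually want to know is whether the two settings landed on a given box. The script below is an added example, not part of the original post: it reuses the CLSID and registry paths from the template, decodes the "Compatibility Flags" DWORD to see whether the 0x400 kill bit is present, and parses tSchemePerms to confirm mailto: is at level 3. The live registry read uses winreg and so only runs on Windows; the decoding helpers are pure Python.

```python
"""Check that the two mitigations from the ADM template actually landed on a box.

Added example, not part of the original post. The registry paths and CLSID are the
ones from the template; the live read uses winreg and therefore only works on
Windows, while the decoding helpers are pure Python and run anywhere.
"""
from __future__ import annotations

REALPLAYER_CLSID = "{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}"
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ADOBE_SCHEME_KEYS = [
    r"SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockdown\cDefaultLaunchURLPerms",
    r"SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockdown\cDefaultLaunchURLPerms",
]
KILL_BIT = 0x400  # the "Compatibility Flags" bit the template sets (NUMERIC 1024)


def kill_bit_set(compat_flags: int) -> bool:
    """True when the 0x400 kill bit is present in a Compatibility Flags DWORD."""
    return bool(compat_flags & KILL_BIT)


def parse_scheme_perms(value: str) -> dict[str, int]:
    """Turn 'version:1|shell:3|...' into {'shell': 3, ...}; the version entry is dropped."""
    perms: dict[str, int] = {}
    for item in value.split("|"):
        scheme, _, level = item.partition(":")
        if scheme and scheme != "version" and level.isdigit():
            perms[scheme] = int(level)
    return perms


def mailto_disabled(value: str) -> bool:
    """True when mailto: is at level 3, which is what the APSA07-04 workaround asks for."""
    return parse_scheme_perms(value).get("mailto") == 3


def audit_local_machine() -> dict[str, bool]:
    """Read HKLM and report whether each mitigation is in place (Windows only)."""
    import winreg  # imported here so the pure helpers above stay usable off-Windows

    results: dict[str, bool] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVEX_COMPAT + "\\" + REALPLAYER_CLSID) as key:
            flags, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            results["realplayer_killbit"] = kill_bit_set(int(flags))
    except OSError:  # key or value absent: the kill bit was never written
        results["realplayer_killbit"] = False
    for path in ADOBE_SCHEME_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                value, _ = winreg.QueryValueEx(key, "tSchemePerms")
                results[path] = mailto_disabled(str(value))
        except OSError:  # policy key never applied on this machine
            results[path] = False
    return results


if __name__ == "__main__":
    for name, ok in audit_local_machine().items():
        print(("OK      " if ok else "MISSING ") + name)
```

Run it after a gpupdate on a test machine; a MISSING line for the kill bit means either the policy never applied or another value overwrote "Compatibility Flags", and the Adobe check fails both when the key is absent and when mailto: is at any level other than 3.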


Wednesday, October 17, 2007

A note to Fortune 50 companies

Dear Fortune 50 companies,

If your proxy appliance appears to be leaking valid internal credentials to sites that you visit on the Internet, i.e. passing Proxy-Authorization strings, you would like to know, wouldn't you? I had such a case recently, and when I tried to contact the company via the phone number listed for abuse with ARIN, the not-so-friendly switchboard operator refused to connect me, stating that "IT was a restricted department and she could not put me through to anyone without a name." So instead of a five-minute phone call, I had to spend 30 minutes scrubbing packet data to remove the aforementioned base64-encoded password to send to your abuse@ e-mail in hopes that somebody would read it. So I ask you, please, to make sure that your ARIN information is correct and that somebody can actually get hold of you when they need to.

Regards,

Will

Monday, October 15, 2007

building a swatch config to get the snort msg: in a subject line

I wanted to get the msg from a snort alert into the subject line of e-mails generated by swatch. This script will parse a sid-msg.map and output a swatch config. Yes, the code is crap, and swatch eats up about 125meg with the full VRT and bleeding rulesets, but to me it's worth it. Also, swatch seems to blow up if there is a # in the watchfor section of the config, so those rules are skipped; currently it is only skipping two bleeding MoBB rules. If anybody has a better way to do this, or knows of a different tool, I would be very interested to hear from you ;-)

#!/usr/bin/perl
# swatchbuilder.pl - turn a Snort sid-msg.map into a swatch config whose
# mail subject carries the alert msg.
use strict;
use warnings;

die("Usage: swatchbuilder.pl sid-msg.map [more maps...]\n") unless (@ARGV);

foreach my $file (@ARGV) {
    open(my $sidmsgmap, '<', $file) or die("Cannot open file: $file\n");
    while (my $row = <$sidmsgmap>) {
        # sid-msg.map layout: sid || msg || reference || reference ...
        my @line = split(/\|\|/, $row);
        next unless defined $line[1];    # blank, comment or malformed line
        # clean up sid
        $line[0] =~ s/\r?\n//;
        $line[0] =~ s/^\s+//;
        $line[0] =~ s/\s+$//;
        # clean up msg
        $line[1] =~ s/\r?\n//;
        $line[1] =~ s/^\s+//;
        $line[1] =~ s/\s+$//;
        # backslash-escape every regex metacharacter so the msg can sit inside /.../
        $line[1] =~ s/([\@\/\+\&;\`'\\\|"\-\*\?\#\!\~\<\>\^\(\)\[\]\{\}\$\.])/\\$1/g;
        # wtf? can swatch not deal with escaped #
        if ($line[1] =~ m/#/) {
            print "\#badsid $line[0] skipping\n";
        } else {
            print "watchfor = \/$line[1]\/\n";
            print "mail=user1\@somewhere.com:user2\@somewhere.com,subject=IDS Alarm --$line[1]--\n";
        }
    }
    close($sidmsgmap);
}
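One way to stop losing the rules whose msg contains a #, as an added example that is not the post's script: escape the metacharacters by hand so the msg can sit inside /.../, and replace each # with a single-character wildcard (.) that still matches the literal # in the alert line, instead of skipping the rule. The output keeps the two-line stanza shape the Perl script prints; the sid-msg.map content below is constructed, as are the recipient addresses.

```python
"""Build a swatch config from a Snort sid-msg.map, keeping the alert msg in the subject.

Added example, not part of the original post. It emits the same stanza shape the
Perl script prints, escapes the msg so it can sit inside /.../, and turns '#' into
'.' (a one-character wildcard that still matches '#') instead of skipping the rule,
since the post reports swatch chokes on '#' even when escaped. The sample map is
constructed.
"""
import sys

# Constructed sample in sid-msg.map layout (sid || msg || reference ...); not real rules.
SAMPLE_SIDMSGMAP = """\
# comment lines and blanks are ignored
9000001 || EXAMPLE id check returned root || url,example.org/doc1

9000002 || EXAMPLE Possible Fake Login (foo.com) || url,example.org/doc2
9000003 || EXAMPLE MoBB #1 test || url,example.org/doc3
"""

# Characters that mean something inside a Perl-style /.../ pattern, plus the delimiter.
_META = set("\\.^$|?*+()[]{}/")


def parse_sid_msg_map(text):
    """Return [(sid, msg), ...] for every well-formed line; comments and junk are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit() or not fields[1]:
            continue
        entries.append((int(fields[0]), fields[1]))
    return entries


def watchfor_pattern(msg):
    """Escape regex metacharacters; '#' becomes '.' so the stanza survives swatch's parser."""
    out = []
    for ch in msg:
        if ch == "#":
            out.append(".")
        elif ch in _META:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def swatch_stanza(msg, recipients):
    """One watchfor block in the layout the Perl script above prints."""
    pattern = watchfor_pattern(msg)
    return (
        f"watchfor = /{pattern}/\n"
        f"mail={':'.join(recipients)},subject=IDS Alarm --{pattern}--\n"
    )


def build_swatch_config(text, recipients):
    """Whole config: one stanza per sid-msg.map entry, in file order."""
    return "".join(swatch_stanza(msg, recipients) for _, msg in parse_sid_msg_map(text))


if __name__ == "__main__":
    # usage: python swatchbuilder.py sid-msg.map > swatchrc
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIDMSGMAP
    sys.stdout.write(build_swatch_config(src, ["user1@example.com", "user2@example.com"]))
```

The wildcard is a slightly looser match than the literal # would be, which is fine for a watchfor that keys on the whole msg string; if two rules differ only in the character at that position you would get both subjects on one alert, so check the output for such pairs before loading it.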