On Tue, 21 Sep 2004 01:06:23 +0100 Kevin Spicer <[EMAIL PROTECTED]> wrote:
> I'm just playing about with this and I can't seem to get it to work
> quite the way I expect. I've created two signatures, to match the
> jpeg exploit we discussed recently. My idea is that although the
> signature is very small it minimises false positives by being
> restricted to graphics files and then looking for the jpeg magic
> number at the start of the file. Since we established the other day
> that the four byte sequence that triggers the exploit can't appear in
> a genuine jpeg this should be okay.
> Anyway, I created signatures in local.ndb as follows...
>
> Exploit.Jpeg.comment.1:5:0:ffd8*fffe0000
> Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001
>
> And tried scanning the exploit sample from here
> http://www.gulftech.org/?node=downloads
> Nothing!
> Trying again with --debug I see this message
> LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.2)
> LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.1)

That means it doesn't recognize JPEG as CL_TYPE_GRAPHICS but as
CL_TYPE_UNKNOWN_DATA. It seems there's a small typo in filetypes.c.
Try changing

    {0, "\377\330\377", 4, "JPEG", CL_TYPE_GRAPHICS},

to

    {0, "\377\330\377", 3, "JPEG", CL_TYPE_GRAPHICS}

--
   oo    .....                  Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........                http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._              0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\                 Tue Sep 21 03:16:15 CEST 2004
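The exchange above hinges on two mechanisms: the .ndb signature line (`Name:TargetType:Offset:HexSig`, with `*` as a wildcard and target type 5 restricting the signature to graphics files) and the magic-number table that decides whether a file is graphics in the first place. The following is an added, constructed model of both, not ClamAV's own code: the magic table is compared with the `length` field the way the C code would, modelling the one-byte-too-long compare as reading the string's terminating NUL, so the length-4 entry can never match a real JPEG (whose fourth byte is a marker such as 0xE0), which reproduces the "Type: ..., expected: ..." skip seen in the debug output; the hex signature is turned into a byte regex. Target types 0 (any) and 5 (graphics) and the sample byte strings are assumptions built for the example.

```python
import re

# Model of the filetypes.c rows discussed in the thread:
# (offset, magic bytes, compare length, name, type).
# The "buggy" row carries length 4 for a 3-byte magic string.
MAGIC_TABLE_BUGGY = [(0, b"\xff\xd8\xff", 4, "JPEG", "CL_TYPE_GRAPHICS")]
MAGIC_TABLE_FIXED = [(0, b"\xff\xd8\xff", 3, "JPEG", "CL_TYPE_GRAPHICS")]

# .ndb target types used here (assumption for the example): 0 = any file, 5 = graphics
TARGET_TYPES = {0: None, 5: "CL_TYPE_GRAPHICS"}


def detect_type(data: bytes, table) -> str:
    """Return the file type for `data` using a magic table.

    A compare length longer than the magic string is modelled as comparing
    the C string's terminating NUL as well, so such a row only matches when
    the file has a 0x00 byte at that position (never the case for a JPEG
    whose fourth byte is a marker). This is the off-by-one from the thread.
    """
    for offset, magic, length, _name, ftype in table:
        expected = magic.ljust(length, b"\x00")  # NUL-pad: models the stray terminator byte
        if data[offset:offset + length] == expected:
            return ftype
    return "CL_TYPE_UNKNOWN_DATA"


def hexsig_to_regex(hexsig: str) -> bytes:
    """Translate an .ndb hex signature into a bytes regex.

    '*' matches any run of bytes, '??' matches a single arbitrary byte.
    """
    parts = []
    for chunk in hexsig.split("*"):
        pat = b""
        for i in range(0, len(chunk), 2):
            pair = chunk[i:i + 2]
            pat += b"." if pair == "??" else re.escape(bytes.fromhex(pair))
        parts.append(pat)
    return b".*".join(parts)


def parse_ndb(line: str) -> dict:
    """Parse one Name:TargetType:Offset:HexSig line."""
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {
        "name": name,
        "target": int(target),
        "offset": offset,  # a number, or '*' for anywhere
        "re": re.compile(hexsig_to_regex(hexsig), re.DOTALL),
    }


def scan(data: bytes, sigs, table):
    """Detect the file type, then apply every signature whose target type fits."""
    ftype = detect_type(data, table)
    hits = []
    for sig in sigs:
        wanted = TARGET_TYPES.get(sig["target"])
        if wanted is not None and ftype != wanted:
            continue  # the "Type: X, expected: Y" skip from the debug output
        if sig["offset"] == "*":
            match = sig["re"].search(data)
        else:
            match = sig["re"].match(data, int(sig["offset"]))
        if match:
            hits.append(sig["name"])
    return ftype, hits


# The two signatures from the thread.
SIGS = [
    parse_ndb("Exploit.Jpeg.comment.1:5:0:ffd8*fffe0000"),
    parse_ndb("Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001"),
]

# Constructed sample inputs (not the real files): a benign JFIF header, and a
# header whose comment marker is followed by the length bytes the first signature names.
BENIGN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8
SUSPECT_JPEG = b"\xff\xd8\xff\xfe\x00\x00" + b"\x00" * 8

if __name__ == "__main__":
    for label, table in (("buggy table", MAGIC_TABLE_BUGGY), ("fixed table", MAGIC_TABLE_FIXED)):
        print(label, "benign:", scan(BENIGN_JPEG, SIGS, table))
        print(label, "suspect:", scan(SUSPECT_JPEG, SIGS, table))
```

With the length-4 row the suspect file is typed CL_TYPE_UNKNOWN_DATA and both signatures are skipped, exactly the silent "Nothing!" result; with the length-3 row it is typed CL_TYPE_GRAPHICS and the first signature fires, while the benign JFIF header stays clean under both tables. The practical lesson is that a target-type restriction is only as good as the type detector in front of it, so a signature that never fires should be checked with `--debug` for type mismatches before its byte pattern is suspected.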