We saw some exploit code posted to milw0rm yesterday that relates to a vulnerability in the Microsoft IIS FTP module. Basically, it exploits a vulnerability where the server doesn't correctly parse directory names. The attacks makes use of the FTP NLST command which will cause a stack overflow to occur when the name of the directory contains certain characters. The exploit itself uses the directory name
w00t$port but this should not be relied upon for detection purposes, also the shellcode should not be used for detection either.
Fortunately, Snort has detection dating back over 5 years for this issue.
The following Snort rules will catch this attack:
2374 - FTP NLST overflow attempt
3441 - FTP PORT bounce attempt
1973 - FTP MKD overflow attempt
1529 - FTP SITE overflow attempt
Also, the FTP/Telnet preprocessor will also generate events for this attack:
125:3:1 - FTP Parameter Length Overflow
125:6:1 - FTP Response Length Overflow
125:8:1 - FTP Bounce