Vulnerability Development mailing list archives
Re: arp packet payload
From: "Bram Matthys (Syzop)" <syzop () vulnscan org>
Date: Sat, 01 Nov 2003 01:19:03 +0100
Hi, sebastian wrote:
don't know wheater it's mentioned anywhere or old news but here we go: captured following arp packet last night: 00:44:36.309866 arp who-has 192.168.5.254 tell 192.168.5.164 0x0000 0001 0800 0604 0001 00c0 9f20 d3cd c0a8 ................ 0x0010 05a4 0000 0000 0000 c0a8 05fe 4d2d 5345 ............M-SE 0x0020 4152 4348 202a 2048 5454 502f 312e ARCH.*.HTTP/1.nice packet, but what makes me curious is the payload. where is it taken from? are there also passwords and other "secret" things, which may be unintentionally sent out to the. i think the source is a windows xp box.
This looks a lot like bad frame padding, the packet itself should have actually ended, right where the 'M-SEARCH' stuff starts. Normally this is padded with zero's till the frame is 46 bytes, but a lot of drivers (especially from Linux) didn't properly pad, so then you can see old memory contents.. like from network buffers.See http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
Bram Matthys (Syzop).
Current thread:
- Re: arp packet payload Bram Matthys (Syzop) (Nov 01)
- <Possible follow-ups>
- Re: arp packet payload Russell Harding (Nov 01)
- Re: arp packet payload Dave Korn (Nov 03)