Vulnerability Development mailing list archives

Re: arp packet payload

From: "Bram Matthys (Syzop)" <syzop () vulnscan org>
Date: Sat, 01 Nov 2003 01:19:03 +0100

Hi,

sebastian wrote:

don't know wheater it's mentioned anywhere or old news but here we go:
captured following arp packet last night:

00:44:36.309866 arp who-has 192.168.5.254 tell 192.168.5.164
0x0000   0001 0800 0604 0001 00c0 9f20 d3cd c0a8        ................
0x0010   05a4 0000 0000 0000 c0a8 05fe 4d2d 5345        ............M-SE
0x0020   4152 4348 202a 2048 5454 502f 312e             ARCH.*.HTTP/1.
nice packet, but what makes me curious is the payload. where is it taken from?are there also passwords and other "secret" things, which may beunintentionally sent out to the.i think the source is a windows xp box.


This looks a lot like bad frame padding, the packet itself should have
actually ended, right where the 'M-SEARCH' stuff starts.
Normally this is padded with zero's till the frame is 46 bytes,
but a lot of drivers (especially from Linux) didn't properly pad, so
then you can see old memory contents.. like from network buffers.

Seehttp://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf


        Bram Matthys (Syzop).

Current thread:

Re: arp packet payload Bram Matthys (Syzop) (Nov 01)
- <Possible follow-ups>
- Re: arp packet payload Russell Harding (Nov 01)
- Re: arp packet payload Dave Korn (Nov 03)