Security Incidents mailing list archives

Re: SHELLCODE x86 NOOP


From: <foob () return0 net>
Date: Fri, 5 Oct 2001 10:33:59 +0000 (GMT)


It's detecting the 0x90s in the packet. It seems like a bit of a useless rule, as there are many ways of performing nops: "PZPZPZPZPZ" is a push/pop combination which is equiv. to a nop iirc.

The interesting point is that this data looks to be headed towards the server. Why is the client sending non-ASCII data? Only a POST of an image or something would make sense. The actual server logs should mention the method that IP address used.

hth

On Thu, 4 Oct 2001, Michal Nazarewicz wrote:


Hi,

I've had the same issue once, and I discovered it to be one of the gif/png files on our web server. So it's a false positive, and I believe one could remove this from his snort configuration. It's nothing important and was a headache for me (until I removed that line).

Greetings,
      Michal 'CeFeK' Nazarewicz
      EXPLOITed systems
      +48 60? 4 CEFEK
      www.nazarewicz.pl

-----Original Message-----
From: Steve Halligan [mailto:agent33 () geeksquad com]
Sent: Thursday, October 04, 2001 5:50 PM
To: 'Dan Terhesiu'; incidents () securityfocus com
Subject: RE: SHELLCODE x86 NOOP


The .ida alert in this case is a misfiring alert.  It triggered on the .idata in the payload of this packet.  This NOOP alert is more interesting (in fact the packet that caused the .ida misfire would have triggered a NOOP alert if it hadn't triggered the .ida alert.)  This NOOP could be something bad, or it could be someone doing an HTTP download of a binary from your webserver.  Do you have any binaries for download?  Keep in mind that a binary attachment to an email could trigger this if you are running a web-based email system.

-Steve

-----Original Message-----
From: Dan Terhesiu [mailto:dante () tvc codec ro]
Sent: Thursday, October 04, 2001 4:33 AM
To: incidents () securityfocus com
Subject: SHELLCODE x86 NOOP



  Hello to all of you.

  I've seen this morning several (approx. 82, as reported by snort) alerts containing "SHELLCODE x86 NOOP". Almost all the connections begin with a "WEB-IIS ISAPI .ida access" alert. I've searched on google about this x86 SHELLCODE, but there is nothing about port :80 there. Because I'm new to this field, I'm asking for your help: is this something I should worry about?

  Thank you for any help.


  Here is an example from my alert log:

[**] WEB-IIS ISAPI .ida access [**]
10/04-01:55:24.944782 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:53830 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x42156F  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
00 00 00 00 00 00 00 00 00 00 60 04 00 A0 00 00  ..........`.....
00 00 80 04 00 1C 1D 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 18 64 04 00 78 03 00 00 00 00 00 00 00 00 00  ..d..x..........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00  ..text..........
00 00 92 02 00 00 04 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00  ..... ..`.rdata.
00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02  ..........0.....
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02  @.data....r.....
00 00 76 00 00 00 C6 02 00 00 00 00 00 00 00 00  ..v.............
00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00  .....@....idata.
00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03  ......`.......<.
00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00  .............@..
C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04  ..rsrc..........
00 00 1E 00 00 00 52 03 00 00 00 00 00 00 00 00  ......R.........
00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00  .....@..@.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:55:36.942082 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:44615 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x42E847  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
C3 8B 4C 24 04 81 E1 FF 00 00 00 8A 81 B0 01 43  ..L$...........C
00 C3 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 A1 4C 38 44 00 85 C0 74 10 8B 44 24 04 25 FF  ..L8D...t..D$.%.
00 00 00 8A 80 B0 00 43 00 C3 A1 50 38 44 00 85  .......C...P8D..
C0 74 11 8B 4C 24 04 81 E1 FF 00 00 00 8A 81 B0  .t..L$..........
02 43 00 C3 A1 54 38 44 00 85 C0 74 11 8B 54 24  .C...T8D...t..T$
04 81 E2 FF 00 00 00 8A 82 B0 03 43 00 C3 8A 44  ...........C...D
24 04 C3 90 90 90 90 90 90 90 90 90 90 90 90 90  $...............
90 A1 58 38 44 00 85 C0 74 10 8B 44 24 04 25 FF  ..X8D...t..D$.%.
00 00 00 8A 80 B0 05 43 00 C3 8A 44 24 04 C3 90  .......C...D$...
90 A1 2C 68 43 00 81 EC B4 01 00 00 53 33 DB 56  ..,hC.......S3.V
3B C3 57 0F 84 A0 01 00 00 39 1D 28 68 43 00 0F  ;.W......9.(hC..
85 A6 00 00 00 66 39 1D 24 68 43 00 75 4A A1 BC  .....f9.$hC.uJ..
40 44 00 8D 4C 24 14 51 C7 44 24 18 03 00 00 00  @D..L$.Q.D$.....
C7 44 24 1C 40 E2 40 00 89 5C 24 20 89 5C 24 24  .D$.@.@..\$ .\$$
89 44 24 28 89 5C 24 2C 89 5C 24 30 89 5C 24 34  .D$(.\$,.\$0.\$4
89 5C 24 38 C7 44 24 3C B8 06 43 00 FF 15 28 66  .\$8.D$<..C...(f
44 00 66 A3 24 68 43 00 8B 35 78 66 44 00 6A 18  D.f.$hC..5xfD.j.
FF D6 6A 17 A3 18 68 43 00 FF D6 8D 54 24 6C A3  ..j...hC....T$l.
1C 68 43 00 53 B9 55 00 00 00 33 C0 8D 7C 24 70  .hC.S.U...3..|$p
52 68 54 01 00 00 F3 AB 6A 29 C7 44 24 7C 54 01  RhT.....j).D$|T.
00 00 FF 15 7C 66 44 00 8D 84 24 48 01 00 00 50  ....|fD...$H...P
FF 15 60 64 44 00 A3 20 68 43 00 8B 8C 24 CC 01  ..`dD.. hC...$..
00 00 8B 94 24 C8 01 00 00 51 52 8D 44 24 54 68  ....$....QR.D$Th
B0 06 43 00 50 E8 47 3A 01 00 A1 28 68 43 00 83  ..C.P.G:...(hC..
C4 10 3B C3 0F 85 B3 00 00 00 53 FF 15 88 64 44  ..;.......S...dD
00 8D 4C 24 0C 8B F0 51 8D 7C 24 50 83 C9 FF 33  ..L$...Q.|$P...3
C0 F2 AE F7 D1 49 8D 54 24 50 51 52 56 FF 15 64  .....I.T$PQRV..d
64 44 00 56 FF 15 A0 64 44 00 8B 8C 24 C4 01 00  dD.V...dD...$...
00 8D 44 24 3C 50 51 FF 15 20 66 44 00 8B 44 24  ..D$<PQ.. fD..D$
3C 83 F8 10 8B C8 7D 05 B9 10 00 00 00 8B 44 24  <.....}.......D$
40 8B 54 24 10 2B C2 83 F8 10 7D 05 B8 10 00 00  @.T$.+....}.....
00 8B 35 BC 40 44 00 53 56 53 53 52 8B 54 24 20  ..5.@D.SVSSR.T$
52 50 51 8B 0D 24 68 43                          RPQ..$hC

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:55:37.521677 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0xCE
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:46919 IpLen:20 DgmLen:192 DF
***AP*** Seq: 0x42F0A7  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
F8 22 75 06 B8 58 08 43 00 C3 83 F8 23 75 06 B8  ."u..X.C....#u..
4C 08 43 00 C3 83 F8 24 75 06 B8 40 08 43 00 C3  L.C....$u..@.C..
83 F8 00 43 00 C3 83 F8 26 75 06 B8 28 08 43 00  ...C....&u..(.C.
C3 83 F8 27 75 06 B8 1C 08 43 00 C3 3D FF 00 00  ...'u....C..=...
00 B8 14 08 43 00 74 05 B8 08 08 43 00 C3 90 90  ....C.t....C....
90 90 90 90 90 90 90 90 90 90 90 90 8B 44 24 10  .............D$.
85 C0 75 10 8B 44 24 04 50 E8 FE 14 00 00 83 C4  ..u..D$.P.......
04 33 C0 C3 8B 4C 24 0C 50 51 E8 0D 00 00 00 83  .3...L$.PQ......
C4 08 B8 01 00 00 00 C3 90 90 90 90 8B 44 24 08  .............D$.
8B C8 48 24 08 8B C8 48                          ..H$...H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:55:37.998818 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:50247 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x42F56F  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
50 51 E8 F2 F8 FF FF 83 C4 08 C7 46 14 03 00 00  PQ.........F....
00 5E C3 90 90 90 90 90 90 56 8B 74 24 08 81 3E  .^.......V.t$..>
FB 00 00 00 75 28 83 7E 10 27 75 22 83 3D 24 07  ....u(.~.'u".=$.
43 00 02 75 19 6A 24 68 FB 00 00 00 E8 B8 F8 FF  C..u.j$h........
FF 83 C4 08 C7 05 24 07 43 00 00 00 00 00 6A 00  ......$.C.....j.
56 E8 03 FF FF FF 83 C4 08 5E C3 90 90 90 90 90  V........^......
90 90 90 90 90 90 90 90 90 8B 0D 34 68 43 00 81  ...........4hC..
EC A4 08 00 00 8D 41 E8 53 56 83 F8 0F 57 0F 87  ......A.SV...W..
C9 03 00 00 33 D2 8A 90 64 F1 40 00 FF 24 95 50  ....3...d.@..$.P
F1 40 00 83 3D 30 68 43 00 01 0F 85 CE 00 00 00  .@..=0hC........
A1 40 68 43 00 80 38 01 0F 85 C0 00 00 00 BF F4  .@hC..8.........
2F 44 00 83 C9 FF 33 C0 8D 94 24 B4 00 00 00 F2  /D....3...$.....
AE F7 D1 2B F9 C6 84 24 B0 00 00 00 FF 8B C1 8B  ...+...$........
F7 8B FA C6 84 24 B1 00 00 00 FA C1 E9 02 C6 84  .....$..........
24 B2 00 00 00 20 C6 84 24 B3 00 00 00 00 F3 A5  $.... ..$.......
8B C8 33 C0 83 E1 03 8B 15 3C 68 43 00 F3 A4 BF  ..3......<hC....
F4 2F 44 00 83 C9 FF F2 AE F7 D1 83 C1 03 C6 84  ./D.............
0C B0 00 00 00 FF C6 84 0C B1 00 00 00 F0 83 C1  ................
02 51 8D 8C 24 B4 00 00 00 51 52 E8 79 12 00 00  .Q..$....QR.y...
83 C4 0C 68 34 0A 43 00 E8 DC A0 FF FF 83 C4 04  ...h4.C.........
8D 44 24 40 68 F4 2F 44 00 68 1C 0A 43 00 50 E8  .D$@h./D.h..C.P.
55 2D 01 00 83 C4 0C 8D 4C 24 40 51 E8 B8 A0 FF  U-......L$@Q....
FF 83 C4 04 5F 5E 5B 81 C4 A4 08 00 00 C3 68 F8  ...._^[.......h.
09 43 00 E8 A1 A0 FF FF 83 C4 04 5F 5E 5B 81 C4  .C........._^[..
A4 08 00 00 C3 83 3D 30 68 43 00 01 0F 85 CD 00  ......=0hC......
00 00 8B 15 40 68 43 00 80 3A 01 0F 85 BE 00 00  ....@hC..:......
00 A0 D4 2F 44 00 33 C9 84 C0 C6 84 24 B0 00 00  .../D.3.....$...
00 FF C6 84 24 B1 00 00 00 FA C6 84 24 B2 00 00  ....$.......$...
00 18 C6 84 24 B3 00 00 00 00 74 25 3C 61 7C 0C  ....$.....t%<a|.
3C 7A 7F 08 0F BE C0 83 E8 20 EB 03 0F BE C0 88  <z....... ......
84 0C B4 00 00 00 8A 81 D5 2F 44 00 41 84 C0 75  ........./D.A..u
DB 8D B4 0C B4 00 00 00 83 C1 06 51 8D 84 24 B4  ...........Q..$.
00 00 00 C6 06 FF C6 84 0C B3 00 00 00 F0 8B 0D  ................
3C 68 43 00 50 51 E8 8E                          <hC.PQ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:55:40.016927 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:56391 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x42EA5F  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
00 8D 44 24 6C 68 00 00 00 80 81 E1 FF FF 00 00  ..D$lh..........
50 51 68 88 00 00 00 FF 15 18 66 44 00 6A 04 50  PQh.......fD.j.P
A3 28 68 43 00 FF 15 30 66 44 00 5F 5E 5B 81 C4  .(hC...0fD._^[..
B4 01 00 00 C3 8D 54 24 4C 52 50 FF 15 38 66 44  ......T$LRP..8fD
00 5F 5E 5B 81 C4 B4 01 00 00 C3 90 90 90 90 90  ._^[............
90 90 90 90 90 90 90 90 90 8B 44 24 08 83 EC 50  ..........D$...P
83 C0 FE 53 8B 5C 24 64 55 8B 6C 24 5C 56 3D 82  ...S.\$dU.l$\V=.
00 00 00 57 0F 87 A8 01 00 00 33 C9 8A 88 40 E4  ...W......3...@.
40 00 FF 24 8D 28 E4 40 00 B8 01 00 00 00 5F 5E  @..$.(.@......_^
5D 5B 83 C4 50 C2 10 00 8B 7C 24 64 8D 54 24 20  ][..P....|$d.T$
52 57 FF 15 04 67 44 00 8B 1D 40 64 44 00 8B F0  RW...gD...@dD...
A1 20 68 43 00 50 56 FF D3 6A 07 FF 15 B4 64 44  . hC.PV..j....dD
00 50 56 FF D3 8B 0D 18 68 43 00 51 FF 15 54 64  .PV.....hC.Q..Td
44 00 50 56 89 44 24 74 FF D3 8D 54 24 10 52 57  D.PV.D$t...T$.RW
89 44 24 78 FF 15 14 66 44 00 8B 44 24 1C 8B 4C  .D$x...fD..D$..L
24 18 8B 54 24 14 50 8B 44 24 14 51 52 50 56 FF  $..T$.P.D$.QRPV.
15 58 64 44 00 57 FF 15 70 66 44 00 89 44 24 68  .XdD.W..pfD..D$h
40 50 89 44 24 68 E8 3E 21 00 00 8B 4C 24 68 83  @P.D$h.>!...L$h.
C4 04 8B E8 51 55 57 FF 15 74 66 44 00 8B 15 1C  ....QUW..tfD....
68 43 00 52 56 FF 15 48 64 44 00 A1 18 68 43 00  hC.RV..HdD...hC.
50 56 FF 15 90 64 44 00 8B 4C 24 68 8B 54 24 14  PV...dD..L$h.T$.
8B 44 24 10 51 83 C2 03 55 83 C0 03 52 50 56 FF  .D$.Q...U...RPV.
15 5C 64 44 00 55 E8 7E 21 00 00 8B 4C 24 74 83  .\dD.U.~!...L$t.
C4 04 51 56 FF D3 8B 54 24 6C 52 FF 15 84 64 44  ..QV...T$lR...dD
00 8D 44 24 20 50 57 FF 15 08 67 44 00 33 C0 5F  ..D$ PW...gD.3._
5E 5D 5B 83 C4 50 C2 10 00 83 C8 FF 5F 5E 5D 5B  ^][..P......_^][
83 C4 50 C2 10 00 8B 0D 20 68 43 00 51 FF 15 84  ..P..... hC.Q...
64 44 00 C7 05 20 68 43 00 00 00 00 00 EB 63 6A  dD... hC......cj
00 FF 15 88 64 44 00 8B 15 20 68 43 00 8B F0 52  ....dD... hC...R
56 FF 15 40 64 44 00 8D 44 24 10 8B FB 50 83 C9  V..@dD..D$...P..
FF 33 C0 F2 AE F7 D1 49 51 53 56 FF 15 64 64 44  .3.....IQSV..ddD
00 6A 16 8B 4C 24 18 8B 54 24 14 83 C1 06 83 C2  .j..L$..T$......
06 51 52 6A 00 6A 00 6A 00 55 FF 15 F8 65 44 00  .QRj.j.j.U...eD.
6A 00 6A 00 55 FF 15 50                          j.j.U..P

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:55:47.561147 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:35933 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x438417  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
56 02 88 46 04 8B C1 8B D1 C1 E8 08 C1 EA 10 88  V..F............
46 06 8B 44 24 30 88 56 05 88 4E 07 83 C4 10 83  F..D$0.V..N.....
C6 08 48 8B E9 89 44 24 20 0F 85 62 FF FF FF 89  ..H...D$ ..b....
BB 48 10 00 00 5F 89 AB 4C 10 00 00 5E 5D 5B 83  .H..._..L...^][.
C4 08 C3 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 8B 44 24 08 8B 4C 24 04 68 10 7E 43 00 50 51  ..D$..L$.h.~C.PQ
E8 0C 00 00 00 83 C4 0C C3 90 90 90 90 90 90 90  ................
90 8A 44 24 08 83 EC 0C A8 07 53 55 56 57 74 17  ..D$......SUVWt.
68 7D 01 00 00 68 AC 1B 43 00 68 18 1A 43 00 E8  h}...h..C.h..C..
1D B2 00 00 83 C4 0C 8B 44 24 28 8B 88 4C 10 00  ........D$(..L..
00 8B 98 48 10 00 00 89 4C 24 10 8B 4C 24 24 85  ...H....L$..L$$.
C9 0F 8E BA 00 00 00 8B 74 24 20 83 C1 07 C1 E9  ........t$ .....
03 89 4C 24 24 33 D2 33 C9 8A 36 8A 4E 02 8A 56  ..L$$3.3..6.N..V
01 50 C1 E2 08 0B D1 33 C9 8A 4E 03 C1 E2 08 0B  .P.....3..N.....
D1 33 C9 8A 4E 06 8B FA 33 D2 8A 76 04 8A 56 05  .3..N...3..v..V.
C1 E2 08 0B D1 33 C9 8A 4E 07 C1 E2 08 0B D1 8B  .....3..N.......
EA 8D 54 24 18 52 55 57 E8 B4 F9 FF FF 8B 54 24  ..T$.RUW......T$
24 8B 44 24 20 8B 4C 24 28 33 DA 33 C1 8B CB 8B  $.D$ .L$(3.3....
D3 88 5E 03 C1 E9 18 C1 EA 10 88 0E 88 56 01 8B  ..^..........V..
CB 8B D0 C1 E9 08 C1 EA 18 88 4E 02 88 56 04 8B  ..........N..V..
C8 8B D0 C1 E9 10 C1 EA 08 88 46 07 8B 44 24 34  ..........F..D$4
88 4E 05 88 56 06 83 C4 10 83 C6 08 48 8B DF 89  .N..V.......H...
44 24 24 8B 44 24 28 89 6C 24 10 0F 85 54 FF FF  D$$.D$(.l$...T..
FF 8B 4C 24 10 5F 5E 89 98 48 10 00 00 5D 89 88  ..L$._^..H...]..
4C 10 00 00 5B 83 C4 0C C3 90 90 90 90 90 90 90  L...[...........
90 81 EC 48 02 00 00 8D 44 24 00 53 56 57 68 07  ...H....D$.SVWh.
01 00 00 50 FF 15 4C 65 44 00 BF DC 1B 43 00 83  ...P..LeD....C..
C9 FF 33 C0 8D 54 24 0C F2 AE F7 D1 2B F9 8B F7  ..3..T$.....+...
8B D9 8B FA 83 C9 FF F2 AE 8B CB 4F C1 E9 02 F3  ...........O....
A5 8B CB 8D 84 24 14 01 00 00 83 E1 03 50 F3 A4  .....$.......P..
8D 4C 24 10 51 FF 15 34 65 44 00 8B BC 24 58 02  .L$.Q..4eD...$X.
00 00 8B F0 83 FE FF 74 2E 8B 1D 38 65 44 00 8D  .......t...8eD..
94 24 14 01 00 00 68 40 01 00 00 52 FF D7 83 C4  .$....h@...R....
08 8D 84 24 14 01 00 00                          ...$....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:55:55.535563 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:9856 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x43F56F  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
4C 02 FE 8A 0D 88 A4 43 00 A1 98 A4 43 00 8B 15  L......C....C...
90 A4 43 00 2A C8 88 4C 02 FF C3 90 90 90 90 90  ..C.*..L........
90 90 90 90 90 90 90 90 90 8B 4C 24 04 8D 44 24  ..........L$..D$
04 56 50 51 E8 B0 00 00 00 83 C4 08 8B F0 E8 36  .VPQ...........6
FF FF FF 8B 54 24 08 52 56 E8 1B 00 00 00 83 C4  ....T$.RV.......
08 56 E8 82 17 FF FF 83 C4 04 5E C3 90 90 90 90  .V........^.....
90 90 90 90 90 90 90 90 90 8B 44 24 08 8B 4C 24  ..........D$..L$
04 50 51 E8 01 FE FF FF 8B 15 88 A4 43 00 A1 98  .PQ.........C...
A4 43 00 8B 0D 90 A4 43 00 2B D0 C1 FA 18 88 54  .C.....C.+.....T
01 FC 8B 15 88 A4 43 00 A1 98 A4 43 00 8B 0D 90  ......C....C....
A4 43 00 2B D0 83 C4 08 C1 FA 10 88 54 01 FD 8B  .C.+........T...
15 88 A4 43 00 A1 98 A4 43 00 8B 0D 90 A4 43 00  ...C....C.....C.
2B D0 C1 FA 08 88 54 01 FE 8A 15 88 A4 43 00 A1  +.....T......C..
98 A4 43 00 8B 0D 90 A4 43 00 2A D0 88 54 01 FF  ..C.....C.*..T..
C3 90 90 90 90 90 90 90 90 53 8B 5C 24 08 55 56  .........S.\$.UV
57 33 FF 66 8B 3B 8D 2C 3F 8D 45 01 50 E8 47 16  W3.f.;.,?.E.P.G.
FF FF 8B F0 83 C4 04 85 F6 75 0D 68 80 27 43 00  .........u.h.'C.
E8 C4 65 FE FF 83 C4 04 85 FF C6 06 00 7E 1D 8D  ..e..........~..
46 02 8D 0C 2B 33 D2 83 C0 02 8A 51 01 83 E9 02  F...+3.....Q....
88 50 FD 8A 51 02 88 50 FE 4F 75 E9 8A 0E 33 C0  .P..Q..P.Ou...3.
84 C9 75 11 B1 80 84 4C 30 01 75 09 8A 54 30 01  ..u....L0.u..T0.
40 84 D2 74 F1 2B E8 03 C6 8D 7D 01 57 50 56 E8  @..t.+....}.WPV.
B5 2D 00 00 8B 44 24 24 83 C4 0C 89 38 8B C6 5F  .-...D$$....8.._
5E 5D 5B C3 90 90 90 90 90 A1 50 A4 43 00 83 EC  ^][.......P.C...
08 85 C0 53 56 74 51 8D 4C 24 0C 8D 54 24 08 51  ...SVtQ.L$..T$.Q
8B 0D 88 A4 43 00 52 8B 15 90 A4 43 00 83 C1 FB  ....C.R....C....
83 C2 05 51 52 FF 50 08 83 C4 10 85 C0 74 29 8B  ...QR.P......t).
44 24 0C 8B 4C 24 08 50 51 C7 05 88 A4 43 00 05  D$..L$.PQ....C..
00 00 00 E8 B1 FC FF FF 8B 54 24 10 83 C4 08 52  .........T$....R
E8 04 16 FF FF 83 C4 04 A1 3C A4 43 00 85 C0 74  .........<.C...t
05 8B 48 20 EB 05 B9 08 00 00 00 83 F9 08 7D 05  ..H ..........}.
B9 08 00 00 00 A1 88 A4 43 00 33 F6 83 C0 04 99  ........C.3.....
F7 F9 8B C1 2B C2 99 F7 F9 8B 0D 90 A4 43 00 8B  ....+........C..
DA 83 C3 04 85 DB 88 59                          .......Y

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:55:58.581281 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:16512 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x442A5F  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
00 50 E8 32 00 00 00 83 C4 0C C3 90 90 90 90 90  .P.2............
90 90 90 90 90 90 90 90 90 8B 44 24 04 6A 00 6A  ..........D$.j.j
01 50 E8 12 00 00 00 83 C4 0C C3 90 90 90 90 90  .P..............
90 90 90 90 90 90 90 90 90 A1 F8 26 44 00 53 55  ...........&D.SU
8B 6C 24 0C 83 F8 01 56 75 0E 55 FF 15 24 65 44  .l$....Vu.U..$eD
00 50 FF 15 08 65 44 00 8B 44 24 14 8B 5C 24 18  .P...eD..D$..\$.
85 C0 C7 05 F4 26 44 00 01 00 00 00 88 1D F0 26  .....&D........&
44 00 75 3E 8B 0D 08 52 44 00 85 C9 74 22 8B 35  D.u>...RD...t".5
04 52 44 00 83 EE 04 3B F1 72 15 8B 06 85 C0 74  .RD....;.r.....t
08 FF D0 8B 0D 08 52 44 00 83 EE 04 3B F1 73 EB  ......RD....;.s.
68 1C E0 42 00 68 14 E0 42 00 E8 3A 00 00 00 83  h..B.h..B..:....
C4 08 68 24 E0 42 00 68 20 E0 42 00 E8 28 00 00  ..h$.B.h .B..(..
00 83 C4 08 85 DB 75 11 55 C7 05 F8 26 44 00 01  ......u.U...&D..
00 00 00 FF 15 0C 65 44 00 5E 5D 5B C3 90 90 90  ......eD.^][....
90 90 90 90 90 90 90 90 90 56 8B 74 24 08 57 8B  .........V.t$.W.
7C 24 10 3B F7 73 0F 8B 06 85 C0 74 02 FF D0 83  |$.;.s.....t....
C6 04 3B F7 72 F1 5F 5E C3 A1 38 27 44 00 83 EC  ..;.r._^..8'D...
08 85 C0 53 75 1E 8B 44 24 10 83 F8 41 0F 8C DD  ...Su..D$...A...
00 00 00 83 F8 5A 0F 8F D4 00 00 00 83 C0 20 5B  .....Z........ [
83 C4 08 C3 8B 5C 24 10 81 FB 00 01 00 00 7D 2C  .....\$.......},
83 3D 9C 2C 43 00 01 7E 0D 6A 01 53 E8 F8 00 00  .=.,C..~.j.S....
00 83 C4 08 EB 0B A1 90 2A 43 00 8A 04 58 83 E0  ........*C...X..
01 85 C0 75 07 8B C3 5B 83 C4 08 C3 8B 15 90 2A  ...u...[.......*
43 00 8B C3 C1 F8 08 8B C8 81 E1 FF 00 00 00 F6  C...............
44 4A 01 80 74 14 88 44 24 10 88 5C 24 11 C6 44  DJ..t..D$..\$..D
24 12 00 B8 02 00 00 00 EB 0E 88 5C 24 10 C6 44  $..........\$..D
24 11 00 B8 01 00 00 00 6A 00 8D 4C 24 08 6A 03  $.......j..L$.j.
51 8D 54 24 1C 50 A1 38 27 44 00 52 68 00 01 00  Q.T$.P.8'D.Rh...
00 50 E8 72 32 00 00 83 C4 1C 85 C0 75 07 8B C3  .P.r2.......u...
5B 83 C4 08 C3 83 F8 01 75 0E 8B 44 24 04 25 FF  [.......u..D$.%.
00 00 00 5B 83 C4 08 C3 8B 44 24 05 8B 4C 24 04  ...[.....D$..L$.
25 FF 00 00 00 81 E1 FF 00 00 00 C1 E0 08 0B C1  %...............
5B 83 C4 08 C3 90 90 90 90 55 8B EC 56 33 C0 50  [........U..V3.P
50 50 50 50 50 50 50 8B                          PPPPPPP.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:56:01.991104 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:59781 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x445DCF  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
83 C4 08 EB 0F 8B 74 24 08 A1 90 2A 43 00 8A 04  ......t$...*C...
70 83 E0 04 85 C0 75 06 83 E6 DF 83 EE 07 8B C6  p.....u.........
5E C3 90 90 90 90 90 90 90 8B 4C 24 04 8B 41 04  ^.........L$..A.
48 89 41 04 78 0A 8B 11 33 C0 8A 02 42 89 11 C3  H.A.x...3...B...
51 E8 33 20 00 00 83 C4 04 C3 90 90 90 90 90 90  Q.3 ............
90 90 90 90 90 90 90 90 90 8B 44 24 04 83 F8 FF  ..........D$....
74 0E 8B 4C 24 08 51 50 E8 BC 31 00 00 83 C4 08  t..L$.QP..1.....
C3 90 90 90 90 90 90 90 90 53 8B 5C 24 0C 56 57  .........S.\$.VW
8B 7C 24 10 53 FF 07 E8 9D FF FF FF 83 C4 04 8B  .|$.S...........
F0 56 E8 42 31 00 00 83 C4 04 85 C0 74 1D 8B 37  .V.B1.......t..7
53 46 89 37 E8 80 FF FF FF 83 C4 04 8B F0 56 E8  SF.7..........V.
25 31 00 00 83 C4 04 85 C0 75 E3 8B C6 5F 5E 5B  %1.......u..._^[
C3 90 90 90 90 90 90 90 90 A1 2C 27 44 00 53 8B  ..........,'D.S.
1D D4 64 44 00 55 56 57 85 C0 75 49 6A 00 6A 00  ..dD.UVW..uIj.j.
6A 01 68 E8 A4 43 00 68 00 01 00 00 6A 00 FF D3  j.h..C.h....j...
85 C0 74 07 B8 02 00 00 00 EB 25 6A 00 6A 00 6A  ..t.......%j.j.j
01 68 D4 DB 42 00 68 00 01 00 00 6A 00 FF 15 D0  .h..B.h....j....
64 44 00 85 C0 0F 84 C3 01 00 00 B8 01 00 00 00  dD..............
A3 2C 27 44 00 8B 74 24 20 85 F6 7E 17 8B 7C 24  .,'D..t$ ..~..|$
1C 56 57 E8 B1 01 00 00 8B F0 A1 2C 27 44 00 83  .VW........,'D..
C4 08 EB 04 8B 7C 24 1C 83 F8 02 75 1D 8B 44 24  .....|$....u..D$
28 8B 4C 24 24 8B 54 24 18 50 8B 44 24 18 51 56  (.L$$.T$.P.D$.QV
57 52 50 FF D3 5F 5E 5D 5B C3 83 F8 01 0F 85 D2  WRP.._^][.......
00 00 00 8B 6C 24 2C C7 44 24 20 00 00 00 00 85  ....l$,.D$ .....
ED 75 0C 8B 0D 48 27 44 00 89 4C 24 2C 8B E9 6A  .u...H'D..L$,..j
00 6A 00 56 57 6A 09 55 FF 15 DC 64 44 00 8B F8  .j.VWj.U...dD...
85 FF 75 05 5F 5E 5D 5B C3 8D 14 3F 52 E8 E7 D0  ..u._^][...?R...
FF FF 8B D8 83 C4 04 85 DB 75 05 5F 5E 5D 5B C3  .........u._^][.
8B 44 24 1C 57 53 56 50 6A 01 55 FF 15 DC 64 44  .D$.WSVPj.U...dD
00 85 C0 0F 84 EF 00 00 00 8B 6C 24 18 8B 4C 24  ..........l$..L$
14 6A 00 6A 00 57 53 55 51 FF 15 D0 64 44 00 8B  .j.j.WSUQ...dD..
F0 85 F6 0F 84 CF 00 00 00 F7 C5 00 04 00 00 74  ...............t
49 8B 44 24 28 85 C0 74 24 3B F0 0F 8F B7 00 00  I.D$(..t$;......
00 8B 54 24 24 50 8B 44                          ..T$$P.D

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:56:02.762176 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:61573 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x446C77  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
41 80 38 00 74 F9 3B CA 73 1E 2B D9 3B DA 72 4C  A.8.t.;.s.+.;.rL
8B F0 EB 07 25 FF 00 00 00 03 F0 3B 74 24 14 72  ....%......;t$.r
BD 33 C0 5F 5E 5D 5B C3 8D 04 16 8D 9F F8 00 00  .3._^][.........
00 3B C3 73 09 2B CA 89 07 89 4F 04 EB 09 89 2F  .;.s.+....O..../
C7 47 04 00 00 00 00 8D 04 7F 88 16 8D 14 80 8D  .G..............
46 08 C1 E0 04 2B C2 5F 5E 5D 5B C3 5F 5E 5D 33  F....+._^][._^]3
C0 5B C3 90 90 90 90 90 90 90 90 90 90 90 90 90  .[..............
90 8B 4C 24 04 53 55 8B 6C 24 10 56 57 8B 79 10  ..L$.SU.l$.VW.y.
8B D5 2B D7 8B 7C 24 1C C1 FA 0C 8B 5C 24 20 33  ..+..|$.....\$ 3
C0 8D 4C D1 18 33 D2 8A 17 89 4C 24 18 8B F2 3B  ..L..3....L$...;
F3 76 1B 88 1F 8B 01 2B F3 C7 41 04 F1 00 00 00  .v.....+..A.....
03 C6 89 01 B8 01 00 00 00 5F 5E 5D 5B C3 73 70  ........._^][.sp
8D 0C 3B 8D 95 F8 00 00 00 3B CA 77 63 8D 14 3E  ..;......;.wc..>
3B D1 73 0C 80 3A 00 75 05 42 3B D1 72 F6 3B D1  ;.s..:.u.B;.r.;.
75 4E 88 1F 8B 45 00 3B F8 77 34 3B C8 76 30 8D  uN...E.;.w4;.v0.
85 F8 00 00 00 3B C8 73 19 89 4D 00 8A 11 33 C0  .....;.s..M...3.
84 D2 75 09 8A 54 08 01 40 84 D2 74 F7 89 45 04  ..u..T..@..t..E.
EB 0D 8D 45 08 C7 45 04 00 00 00 00 89 45 00 8B  ...E..E......E..
44 24 18 2B F3 8B 08 03 CE 89 08 B8 01 00 00 00  D$.+............
5F 5E 5D 5B C3 90 90 90 90 90 90 90 90 90 90 90  _^][............
90 8B 44 24 04 8B 0D E0 41 44 00 3B C1 73 3F 8B  ..D$....AD.;.s?.
C8 8B D0 C1 F9 05 83 E2 1F 8B 0C 8D E0 40 44 00  .............@D.
F6 44 D1 04 01 74 27 50 E8 54 2F 00 00 83 C4 04  .D...t'P.T/.....
50 FF 15 8C 65 44 00 85 C0 75 08 FF 15 F0 64 44  P...eD...u....dD
00 EB 02 33 C0 85 C0 74 12 A3 B4 26 44 00 C7 05  ...3...t...&D...
B0 26 44 00 09 00 00 00 83 C8 FF C3 90 90 90 90  .&D.............
90 8B 44 24 04 8B 0D E0 41 44 00 81 EC 1C 04 00  ..D$....AD......
00 3B C1 53 55 56 57 0F 83 91 01 00 00 8B C8 8B  .;.SUVW.........
F0 C1 F9 05 83 E6 1F 8B 14 8D E0 40 44 00 8D 3C  ...........@D..<
8D E0 40 44 00 C1 E6 03 89 7C 24 24 89 74 24 14  ..@D.....|$$.t$.
8A 4C 16 04 F6 C1 01 0F 84 61 01 00 00 8B 9C 24  .L.......a.....$
38 04 00 00 33 ED 3B DD 89 6C 24 10 89 6C 24 20  8...3.;..l$..l$
75 0D 33 C0 5F 5E 5D 5B 81 C4 1C 04 00 00 C3 F6  u.3._^][........
C1 20 74 0C 6A 02 55 50                          . t.j.UP

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SHELLCODE x86 NOOP [**]
10/04-01:56:03.631988 0:50:4:65:52:2A -> 0:E0:81:2:EA:BD type:0x800 len:0x24E
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:63877 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x447DCF  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
83 C8 FF 5F 5E 5D 5B C3 33 C0 5F 5E 5D 5B C3 5F  ..._^][.3._^][._
5E 5D C7 05 B0 26 44 00 09 00 00 00 C7 05 B4 26  ^]...&D........&
44 00 00 00 00 00 83 C8 FF 5B C3 90 90 90 90 90  D........[......
90 90 90 90 90 90 90 90 90 56 8B 74 24 08 8B 46  .........V.t$..F
0C A8 83 74 25 A8 08 74 21 8B 46 08 50 E8 97 B4  ...t%..t!.F.P...
FF FF 8B 46 0C 83 C4 04 25 F7 FB FF FF 89 46 0C  ...F....%.....F.
33 C0 89 06 89 46 08 89 46 04 5E C3 90 90 90 90  3....F..F.^.....
90 90 90 90 90 90 90 90 90 56 8B 74 24 08 57 8B  .........V.t$.W.
46 0C A8 83 0F 84 D5 00 00 00 A8 40 0F 85 CD 00  F..........@....
00 00 A8 02 74 0B 0C 20 89 46 0C 83 C8 FF 5F 5E  ....t.. .F...._^
C3 0C 01 A9 0C 01 00 00 89 46 0C 75 0B 56 E8 06  .........F.u.V..
FD FF FF 83 C4 04 EB 05 8B 46 08 89 06 8B 4E 18  .........F....N.
8B 56 08 8B 46 10 51 52 50 E8 9B 00 00 00 83 C4  .V..F.QRP.......
0C 89 46 04 85 C0 74 6E 83 F8 FF 74 69 8B 56 0C  ..F...tn...ti.V.
F6 C2 82 75 32 8B 4E 10 83 F9 FF 74 14 8B F9 C1  ...u2.N....t....
FF 05 83 E1 1F 8B 3C BD E0 40 44 00 8D 3C CF EB  ......<..@D..<..
05 BF B0 51 43 00 8A 4F 04 80 E1 82 80 F9 82 75  ...QC..O.......u
06 80 CE 20 89 56 0C 81 7E 18 00 02 00 00 75 14  ... .V..~.....u.
8B 4E 0C F6 C1 08 74 0C F6 C5 04 75 07 C7 46 18  .N....t....u..F.
00 10 00 00 48 33 D2 89 46 04 8B 06 8A 10 40 89  ....H3..F.....@.
06 8B C2 5F 5E C3 8B 4E 0C C7 46 04 00 00 00 00  ..._^..N..F.....
F7 D8 1B C0 83 E0 10 83 C0 10 0B C8 89 4E 0C 5F  .............N._
83 C8 FF 5E C3 90 90 90 90 A1 E0 41 44 00 83 EC  ...^.......AD...
0C 53 8B 5C 24 14 55 56 3B D8 57 0F 83 1D 02 00  .S.\$.UV;.W.....
00 8B C3 83 E3 1F C1 F8 05 C1 E3 03 8B 0C 85 E0  ................
40 44 00 8D 34 85 E0 40 44 00 89 74 24 14 8D 04  @D..4..@D..t$...
0B 89 44 24 10 8A 50 04 F6 C2 01 0F 84 ED 01 00  ..D$..P.........
00 8B 4C 24 28 8B 7C 24 24 33 ED 8B C7 85 C9 0F  ..L$(.|$$3......
84 CF 01 00 00 F6 C2 02 0F 85 C6 01 00 00 F6 C2  ................
48 74 1E 8B 54 24 10 8A 52 05 80 FA 0A 74 12 88  Ht..T$..R....t..
17 8B 16 8D 47 01 BD 01 00 00 00 49 C6 44 13 05  ....G......I.D..
0A 8D 54 24 10 6A 00 52 51 50 8B 06 8B 0C 03 51  ..T$.j.RQP.....Q
FF 15 54 65 44 00 85 C0 75 48 FF 15 F0 64 44 00  ..TeD...uH...dD.
83 F8 05 75 1A A3 B4 26                          ...u...&

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
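As an added example (not code from this thread, from Snort or from any of the posters), the following Python script automates the triage the replies describe: it rebuilds the payload from a Snort 1.x alert hexdump, measures the longest run of 0x90 bytes (the point that the rule keys on 0x90s), checks for PE section-table names such as .text and .idata (the observation that the .ida rule matched on ".idata" and that a binary in transit explains the NOOP hits), and records whether the data is client-to-server (the question of why a client is sending non-ASCII data to port 80). The function names, the NOP_RUN_THRESHOLD value and the wording of the triage notes are this example's own assumptions; the two sample records are trimmed copies of the alerts quoted above, with the wrapped header lines re-joined.

```python
"""Triage helper for Snort "SHELLCODE x86 NOOP" alerts (added example).

Parses the hexdump of a Snort 1.x alert record, measures the longest run of
0x90 bytes, looks for PE section-header names (a binary in transit) and notes
the direction of the flow. NOP_RUN_THRESHOLD is an assumed value chosen for
this example, not the content string of any particular Snort rule revision.
"""
import re

NOP_RUN_THRESHOLD = 14  # assumed: consecutive 0x90 bytes treated as a sled

# PE section names in their 8-byte NUL-padded section-table form; the padded
# form keeps ".data" from matching inside ".rdata" or ".idata".
PE_SECTION_NAMES = [n.ljust(8, b"\0")
                    for n in (b".text", b".rdata", b".data", b".idata", b".rsrc")]

_FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP\b")
_HEX_PAIR_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_snort_hexdump(lines):
    """Rebuild payload bytes from the hexdump lines of a Snort alert record.

    Snort prints up to 16 hex pairs in a 48-column field and then the ASCII
    rendering; only the hex field is read, so the ASCII column is never
    mistaken for data. Header lines fail the hex-pair test and are skipped.
    """
    payload = bytearray()
    for line in lines:
        tokens = line[:48].split()
        if tokens and all(_HEX_PAIR_RE.match(t) for t in tokens):
            payload.extend(int(t, 16) for t in tokens)
    return bytes(payload)


def parse_flow(lines):
    """Endpoints from the 'src:port -> dst:port TCP ...' header line, or None."""
    for line in lines:
        m = _FLOW_RE.match(line.strip())
        if m:
            return {"src": m.group(1), "sport": int(m.group(2)),
                    "dst": m.group(3), "dport": int(m.group(4))}
    return None


def longest_nop_run(payload, nop=0x90):
    """Length of the longest run of consecutive `nop` bytes in the payload."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == nop else 0
        best = max(best, cur)
    return best


def pe_section_names(payload):
    """PE section names (matched in NUL-padded form) found in the payload."""
    return [n.rstrip(b"\0").decode() for n in PE_SECTION_NAMES if n in payload]


def triage(alert_lines, threshold=NOP_RUN_THRESHOLD):
    """Summarise one alert record; the note texts are this example's wording."""
    payload = parse_snort_hexdump(alert_lines)
    flow = parse_flow(alert_lines)
    run = longest_nop_run(payload)
    sections = pe_section_names(payload)
    to_server = flow is not None and flow["dport"] == 80
    if sections:
        note = "PE section table in payload: a binary in transit"
    elif run < threshold:
        note = "no 0x90 run of sled length in this packet"
    elif to_server:
        note = "0x90 run in client->server data on port 80: check the web server log for this client's method"
    else:
        note = "0x90 run in server->client data: consistent with a download from the server"
    return {"bytes": len(payload), "nop_run": run, "pe_sections": sections,
            "to_server": to_server, "flow": flow, "note": note}


# Sample records copied from the thread (hexdump trimmed to the lines of interest).
IDA_ALERT = """\
[**] WEB-IIS ISAPI .ida access [**]
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:53830 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x42156F  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
00 2E 74 65 78 74 00 00 00 96 91 02 00 00 10 00  ..text..........
00 00 00 00 00 20 00 00 60 2E 72 64 61 74 61 00  ..... ..`.rdata.
00 FB 2E 00 00 00 B0 02 00 00 30 00 00 00 96 02  ..........0.....
40 2E 64 61 74 61 00 00 00 10 72 01 00 00 E0 02  @.data....r.....
00 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00  .....@....idata.
00 F2 14 00 00 00 60 04 00 00 16 00 00 00 3C 03  ......`.......<.
C0 2E 72 73 72 63 00 00 00 1C 1D 00 00 00 80 04  ..rsrc..........
""".splitlines()

NOOP_ALERT = """\
[**] SHELLCODE x86 NOOP [**]
212.93.136.252:63842 -> xxx.xxx.xxx.xxx:80 TCP TTL:111 TOS:0x0 ID:44615 IpLen:20 DgmLen:576 DF
***A**** Seq: 0x42E847  Ack: 0xFCEEB102  Win: 0x860  TcpLen: 20
C3 8B 4C 24 04 81 E1 FF 00 00 00 8A 81 B0 01 43  ..L$...........C
00 C3 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
90 A1 4C 38 44 00 85 C0 74 10 8B 44 24 04 25 FF  ..L8D...t..D$.%.
""".splitlines()

if __name__ == "__main__":
    for name, record in (("ida", IDA_ALERT), ("noop", NOOP_ALERT)):
        print(name, triage(record))
```

Run against the two samples, the .ida record reports all five section names and no 0x90 run (which is also why the .ida rule's ".ida" string matched inside ".idata"), while the NOOP record reports a run of 15 consecutive 0x90 bytes with no section names in that fragment and client-to-server direction, so the note points the analyst at the web server log rather than at the rule alone. Section names are matched in their NUL-padded 8-byte form deliberately, since a bare ".data" search would also hit inside ".rdata" and ".idata".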

