Penetration Testing mailing list archives
Data carving exploit from pcap file
From: Jim Kelly <macubergeek () comcast net>
Date: Thu, 18 Sep 2008 18:13:53 -0400
I wonder if anyone has a strategy/method for this:Say you have a pcap file you believe has an exploit (you see a bunch of nops and suspect that's part of a nop sled)
The exploits I've seen make a socket connection then push: <exploit><nop sled><shellcode> ok if this sequence makes sense, I can easily see the nops 90 90 90 etcshellcode would come after that, could probably google the hex to try and validate that it was in fact shellcode....
the beginning of the nops would be the end of the sploit... How would I identify the beginning of the sploit?The idea I've been playing with would be to do "follow tcp stream" in wireshark...but I'm not sure that will accurately finger the beginning of the exploit.
Any suggestions welcome and appreciated. Jk ------------------------------------------------------------------------ This list is sponsored by: CenzicTop 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Data carving exploit from pcap file Jim Kelly (Sep 18)
- Data carving exploit from pcap file Michael Kitange (Sep 20)
- Re: Data carving exploit from pcap file Abuse 007 (Sep 20)
- RE: Data carving exploit from pcap file Paul Melson (Sep 20)
- Message not available
- Data carving exploit from pcap file Danilo Nascimento (Sep 20)
- <Possible follow-ups>
- Re: Data carving exploit from pcap file redb0ne (Sep 20)