Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Data carving exploit from pcap file

From: Jim Kelly <macubergeek () comcast net>
Date: Thu, 18 Sep 2008 18:13:53 -0400
I wonder if anyone has a strategy/method for this:
Say you have a pcap file you believe has an exploit (you see a bunch of nops and suspect that's part of a nop sled) 

The exploits I've seen make a socket connection then push:
<exploit><nop sled><shellcode>

ok if this sequence makes sense, I can easily see the nops 90 90 90 etc
shellcode would come after that, could probably google the hex to try and validate that it was in fact shellcode.... 
the beginning of the nops  would be the end of the sploit...

How would I identify the beginning of the sploit?
The idea I've been playing with would be to do "follow tcp stream" in wireshark...but I'm not sure that will accurately finger the beginning of the exploit. 

Any suggestions welcome and appreciated.

Jk

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in Securing Web Applications 
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: