Data carving exploit from pcap file

["Michael Kitange" <michaelkitange () gmail com>]

i'm not sure but from my experience with exploits, the shellcode comes
right after the nop's.
hope this helps.

On 9/19/08, Jim Kelly <macubergeek () comcast net> wrote:
> I wonder if anyone has a strategy/method for this:
>
> Say you have a pcap file you believe has an exploit (you see a bunch
> of nops and suspect that's part of a nop sled)
>
> The exploits I've seen make a socket connection then push:
> <exploit><nop sled><shellcode>
>
> ok if this sequence makes sense, I can easily see the nops 90 90 90 etc
> shellcode would come after that, could probably google the hex to try
> and validate that it was in fact shellcode....
> the beginning of the nops  would be the end of the sploit...
>
> How would I identify the beginning of the sploit?
>
> The idea I've been playing with would be to do "follow tcp stream" in
> wireshark...but I'm not sure that will accurately finger the beginning
> of the exploit.
>
> Any suggestions welcome and appreciated.
>
> Jk
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------

-- 
Sent from Gmail for mobile | mobile.google.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------