Re: Data carving exploit from pcap file

["Abuse 007" <abuse007 () gmail com>]

Hi Jim,

Dump the data from the TCP stream (the payloads) to a file and then
analyze that file in a dissassembler. You'll need a basic
understanding of assembly to reason wether it is not code (just data)
or if it is code and if so is it shellcode for an exploit.

Do you mind sharing the sample?

Cheers.

On Fri, Sep 19, 2008 at 8:13 AM, Jim Kelly <macubergeek () comcast net> wrote:
> I wonder if anyone has a strategy/method for this:
>
> Say you have a pcap file you believe has an exploit (you see a bunch of nops
> and suspect that's part of a nop sled)
>
> The exploits I've seen make a socket connection then push:
> <exploit><nop sled><shellcode>
>
> ok if this sequence makes sense, I can easily see the nops 90 90 90 etc
> shellcode would come after that, could probably google the hex to try and
> validate that it was in fact shellcode....
> the beginning of the nops  would be the end of the sploit...
>
> How would I identify the beginning of the sploit?
>
> The idea I've been playing with would be to do "follow tcp stream" in
> wireshark...but I'm not sure that will accurately finger the beginning of
> the exploit.
>
> Any suggestions welcome and appreciated.
>
> Jk
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes inSecuring Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------