Penetration Testing mailing list archives
Re: Data carving exploit from pcap file
From: "Abuse 007" <abuse007 () gmail com>
Date: Sat, 20 Sep 2008 01:55:55 +1000
Hi Jim,

Dump the data from the TCP stream (the payloads) to a file and then analyze that file in a disassembler. You'll need a basic understanding of assembly to reason whether it is not code (just data) or if it is code, and if so, whether it is shellcode for an exploit.

Do you mind sharing the sample?

Cheers.

On Fri, Sep 19, 2008 at 8:13 AM, Jim Kelly <macubergeek () comcast net> wrote:
I wonder if anyone has a strategy/method for this:

Say you have a pcap file you believe has an exploit (you see a bunch of nops and suspect that's part of a nop sled). The exploits I've seen make a socket connection then push:

<exploit><nop sled><shellcode>

OK, if this sequence makes sense, I can easily see the nops (90 90 90 etc.). Shellcode would come after that; I could probably google the hex to try and validate that it was in fact shellcode. The beginning of the nops would be the end of the sploit. How would I identify the beginning of the sploit?

The idea I've been playing with would be to do "follow tcp stream" in wireshark, but I'm not sure that will accurately finger the beginning of the exploit.

Any suggestions welcome and appreciated.

Jk

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
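The procedure discussed in this thread (pull the TCP payloads out of the pcap, locate the NOP sled, and treat what comes after it as candidate shellcode to hand to a disassembler), written out as an added example. This is not code posted by either participant. It assumes a classic little-endian pcap with Ethernet framing, builds its own small capture in memory (the "exploit" prefix, the 0x90 sled, and the five-byte "shellcode" tail are all constructed placeholders, not a real payload), reassembles each direction of the stream by sequence number so that out-of-order and retransmitted segments do not corrupt the offsets, and then reports where the sled starts so the bytes before it (the protocol/exploit part) and after it can be dumped to separate files.

```python
"""Added example: carve <exploit><nop sled><shellcode> out of a pcap.
Parses the capture, reassembles each TCP direction by sequence number
(dropping retransmitted overlap, flagging gaps), then splits the stream
around the NOP sled. The pcap is constructed in memory; the 'shellcode'
tail is a placeholder byte pattern, not a working payload."""
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4

def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame (PSH|ACK); checksums left zero in this sample."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_sample_pcap():
    """Constructed capture: one client->server stream in three segments delivered
    out of order with one retransmit, plus a server reply on the reverse direction."""
    prefix = b"USER " + b"A" * 40    # stands in for the exploit/protocol part
    sled = b"\x90" * 16              # NOP sled
    tail = b"\x31\xc0\x31\xdb\xcc"   # placeholder: xor eax,eax; xor ebx,ebx; int3
    stream = prefix + sled + tail
    def seg(seq, lo, hi):
        return build_frame("10.0.0.5", "10.0.0.9", 40000, 21, seq, stream[lo:hi])
    frames = [seg(1000, 0, 30),
              build_frame("10.0.0.9", "10.0.0.5", 21, 40000, 5000, b"331 ok\r\n"),
              seg(1050, 50, len(stream)),   # arrives before the middle segment
              seg(1030, 30, 50),
              seg(1030, 30, 50)]            # retransmission of the same bytes
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1221800000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))

def iter_frames(pcap):
    """Yield link-layer frames from a little-endian classic pcap (not pcapng)."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap (pcapng or byte-swapped capture?)")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]   # IHL .. total length
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
    return key, seq, bytes(tcp[(tcp[12] >> 4) * 4:])                 # skip TCP data offset

def reassemble(segments):
    """Order (seq, data) segments, drop retransmitted overlap, zero-fill and report gaps.
    Sequence-number wraparound is not handled in this example."""
    out, gaps, base = bytearray(), [], min(seq for seq, _ in segments)
    for seq, data in sorted(segments, key=lambda s: s[0]):
        rel = seq - base
        if rel > len(out):                     # capture missed bytes here
            gaps.append((len(out), rel))
            out.extend(b"\x00" * (rel - len(out)))
        elif rel < len(out):                   # overlap: keep bytes already seen
            data = data[len(out) - rel:]
        out.extend(data)
    return bytes(out), gaps

def find_nop_sleds(buf, min_len=8):
    """(start, end) of every run of 0x90 at least min_len bytes long."""
    return [(m.start(), m.end()) for m in re.finditer(b"\x90{%d,}" % min_len, buf)]

def carve(stream, min_len=8):
    """Split a reassembled stream around its longest NOP sled; None if no sled."""
    sleds = find_nop_sleds(stream, min_len)
    if not sleds:
        return None
    start, end = max(sleds, key=lambda s: s[1] - s[0])
    return {"sled_offset": start, "prefix": stream[:start],
            "sled": stream[start:end], "tail": stream[end:]}

def analyze(pcap):
    """Carve every TCP direction in the capture: {stream_key: result-or-None}."""
    streams = defaultdict(list)
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg and seg[2]:
            streams[seg[0]].append((seg[1], seg[2]))
    results = {}
    for key, segs in streams.items():
        payload, gaps = reassemble(segs)
        results[key] = carve(payload)
        if results[key]:
            results[key]["gaps"] = gaps
    return results

if __name__ == "__main__":
    for key, res in analyze(build_sample_pcap()).items():
        print(key, "no sled" if res is None else
              f"sled at offset {res['sled_offset']}, {len(res['tail'])} bytes after it")
```

Two caveats a practitioner would want: the sled offset is only meaningful on a correctly reassembled stream, which is why the example sorts by sequence number and discards retransmitted overlap instead of concatenating packets in capture order (a "follow TCP stream" view that ignores this can shift every offset), and a gap in the capture is zero-filled and reported rather than silently skipped. Once `tail` is written to a file, `objdump -D -b binary -m i386 shellcode.bin` will disassemble it; a real NOP sled may also use other single-byte instructions than 0x90, so the run detector may need a wider byte set than this example uses.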
Current thread:
- Data carving exploit from pcap file Jim Kelly (Sep 18)
- Data carving exploit from pcap file Michael Kitange (Sep 20)
- Re: Data carving exploit from pcap file Abuse 007 (Sep 20)
- RE: Data carving exploit from pcap file Paul Melson (Sep 20)
- Data carving exploit from pcap file Danilo Nascimento (Sep 20)
- Re: Data carving exploit from pcap file redb0ne (Sep 20)