Penetration Testing mailing list archives
RE: Data carving exploit from pcap file
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 19 Sep 2008 12:46:20 -0400
> The exploits I've seen make a socket connection then push: <exploit><nop sled><shellcode> [...] How would I identify the beginning of the sploit?
That's going to be *highly* dependent on the exploit, or more correctly, the vulnerability. The first byte of the payload from the attacker to the target is not likely to be part of the exploit.
> The idea I've been playing with would be to do "follow tcp stream" in wireshark...but I'm not sure that will accurately finger the beginning of the exploit.
This view of the pcap file is likely to contain the exploit, but as I said, finding the beginning of the actual exploit isn't always trivial. For instance, in the example of an FTP attack, you might have one-way TCP stream data that looks like this:

USER ftp
PASS nunya () business com
PORT 192,168,1,123,64,111111111111111111111111111111111111111111111\x6a\x6d\x70...

In this example, the first byte of the exploit and the first byte of the reconstructed TCP stream are not the same. Now, you can tell that the PORT line is the problem because it doesn't look like it should and it has what looks like shellcode at the end. But FTP is an easy protocol to grok packet dumps of. This gets harder if you are looking at a binary protocol or a binary file stream inside a protocol (think WMF browser attacks) that contains an exploit.

PaulM
Current thread:
- Data carving exploit from pcap file Jim Kelly (Sep 18)
- Data carving exploit from pcap file Michael Kitange (Sep 20)
- Re: Data carving exploit from pcap file Abuse 007 (Sep 20)
- RE: Data carving exploit from pcap file Paul Melson (Sep 20)
- Data carving exploit from pcap file Danilo Nascimento (Sep 20)
- <Possible follow-ups>
- Re: Data carving exploit from pcap file redb0ne (Sep 20)