Penetration Testing mailing list archives

RE: Data carving exploit from pcap file


From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 19 Sep 2008 12:46:20 -0400

> The exploits I've seen make a socket connection then push:
> <exploit><nop sled><shellcode>

[...]

> How would I identify the beginning of the sploit?

That's going to be *highly* dependent on the exploit, or more correctly, the
vulnerability.  The first byte of the payload from the attacker to the
target is not likely to be part of the exploit.


> The idea I've been playing with would be to do "follow tcp stream" in
> wireshark...but I'm not sure that will accurately finger the beginning
> of the exploit.

This view of the pcap file is likely to contain the exploit, but as I said,
finding the beginning of the actual exploit isn't always trivial.  For
instance, in the example of an FTP attack, you might have one-way TCP stream
data that looks like this:

USER ftp
PASS nunya () business com
PORT 192,168,1,123,64,111111111111111111111111111111111111111111111\x6a\x6d\x70...

In this example, the first byte of the exploit and the first byte of the
reconstructed TCP stream are not the same.  Now, you can tell that the PORT
line is the problem because it doesn't look like it should and it has what
looks like shellcode at the end.  But FTP is an easy protocol to grok packet
dumps of.  This gets harder if you are looking at a binary protocol or a
binary file stream inside a protocol (think WMF browser attacks) that
contains an exploit.  

PaulM
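As an added illustration of the approach Paul describes (this is example code written for this archive page, not something from the original thread), the script below walks a one-way client-to-server FTP stream, such as the raw export of Wireshark's "follow tcp stream", and reports where the exploit starts. It treats a command whose argument is longer than FTP ever needs, or that carries non-printable bytes, as the carrier line; inside that line it takes the longest run of one repeated byte as the filler/NOP sled and the bytes after it as the shellcode candidate. The sample stream, the 255-byte argument limit and the 32-byte minimum sled length are constructed assumptions for the example; the "shellcode" bytes are arbitrary filler, not a working payload. The run-of-one-byte heuristic works on any bytes, so it also applies to the binary-protocol case the post mentions, where the verb/argument split does not.

```python
"""Locate the start of an exploit inside a reassembled one-way TCP stream.

Heuristics, not signatures: an FTP command whose argument is far longer than
the protocol needs, or that contains non-printable bytes, is the line that
carries the exploit.  Inside that line, the longest run of one repeated byte
is the filler/NOP sled and what follows it is the shellcode candidate.
"""
import itertools

# Bytes a text protocol like FTP legitimately carries: printable ASCII plus tab.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

# Constructed sample (not a real capture): the client->server half of an FTP
# session as "follow tcp stream" would show it.  The PORT argument carries a
# run of '1' filler followed by bytes that merely look like shellcode.
FILLER = b"1" * 400
FAKE_SHELLCODE = b"\x6a\x6d\x70\xcc\xcc\x31\xc0\x50\x68\x2f\x2f\x73\x68"
SAMPLE_STREAM = (
    b"USER ftp\r\n"
    b"PASS nunya@business.com\r\n"
    b"PORT 192,168,1,123,64," + FILLER + FAKE_SHELLCODE + b"\r\n"
)


def longest_run(data):
    """Return (byte_value, start_index, length) of the longest run of one byte."""
    best = (None, 0, 0)
    pos = 0
    for value, group in itertools.groupby(data):
        length = len(list(group))
        if length > best[2]:
            best = (value, pos, length)
        pos += length
    return best


def is_anomalous(line, max_arg_len):
    """A command line is suspicious if its argument is oversized or non-text."""
    _verb, _, arg = line.partition(b" ")
    return len(arg) > max_arg_len or any(b not in PRINTABLE for b in arg)


def find_exploit_start(stream, max_arg_len=255, min_sled_len=32):
    """Walk CRLF-terminated commands and report on the first anomalous one.

    Once a line looks bad, everything from it to the end of the stream is
    treated as the exploit blob: shellcode may itself contain CRLF, so
    splitting further would cut the payload in the wrong place.
    Offsets are byte offsets into the reassembled stream.
    """
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        line = stream[pos:] if end == -1 else stream[pos:end]
        if not is_anomalous(line, max_arg_len):
            pos = len(stream) if end == -1 else end + 2
            continue
        blob = stream[pos:]
        if blob.endswith(b"\r\n"):
            blob = blob[:-2]
        verb, _, arg = blob.partition(b" ")
        arg_offset = pos + len(verb) + 1
        byte, run_start, run_len = longest_run(arg)
        sled_ok = run_len >= min_sled_len
        payload_start = run_start + run_len if sled_ok else None
        return {
            "verb": verb.decode("ascii", "replace"),
            "line_offset": pos,                       # first byte of the exploit
            "arg_offset": arg_offset,
            "arg_len": len(arg),
            "sled_byte": byte,
            "sled_offset": arg_offset + run_start,
            "sled_len": run_len,
            "payload_offset": arg_offset + payload_start if sled_ok else None,
            "payload_preview": arg[payload_start:payload_start + 16].hex() if sled_ok else None,
        }
    return None


if __name__ == "__main__":
    report = find_exploit_start(SAMPLE_STREAM)
    for key, value in report.items():
        print(f"{key:16} {value}")
```

The thresholds are the first thing to tune per target: a legitimate PORT argument is a few dozen bytes, so 255 is generous for FTP, but a binary protocol needs a different notion of "too long", and a sled built from a repeating multi-byte pattern rather than one byte will not show up as a single run. Note that the first bytes after the sled in the sample (`6a 6d 70`, "jmp") are printable ASCII, which is why the run boundary, not the first non-printable byte, is used to mark the payload start.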
