Penetration Testing mailing list archives
Re: Data carving exploit from pcap file
From: redb0ne () hush com
Date: Sat, 20 Sep 2008 13:45:02 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> OK, if this sequence makes sense, I can easily see the NOPs (90 90 90 etc.); shellcode would come after that. Could probably Google the hex to try and validate that it was in fact shellcode....

I wouldn't bother. You could probably create a binary file with the hex and put it into a disassembler to see what the shellcode is doing. If there are a ton of NOPs, though, then it more than likely is shellcode.

> The beginning of the NOPs would be the end of the sploit...

Not necessarily. Memory corruption vulnerabilities like buffer overflows can be exploited any number of ways; it isn't always (and in this day and age is very infrequently going to be) just dumping a bunch of data into a buffer.

> How would I identify the beginning of the sploit?

It would help if you provided more information, the dump especially :) What protocol is it?

> The idea I've been playing with would be to do "follow TCP stream" in Wireshark... but I'm not sure that will accurately finger the beginning of the exploit.

What you are asking is very unreasonable; we need more information to help you. Like I said earlier, please remember that exploits take a number of different forms and are more often than not going to be a lot more than just a long string with shellcode in it. So the start of the NOPs isn't necessarily going to be the end of the exploit; in a lot of cases the shellcode could be put into a location that is completely different from where the vuln is. Take a look at the protocol being exploited, then go from there. If it is RPC, Google the RPC interface for vulnerabilities; if it is a file, then do the same for the file format. Things like this take research and there is no silver bullet. I know I'd be more than happy (as would others) to help, but we need a dump. Also, wouldn't this be more appropriate for incidents@?

> Any suggestions welcome and appreciated. Jk
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkjVNqAACgkQGwcl4JwqQeARBAP+Mi8r9Q2TRYiB6QKWGLy0wNrNg79E
UAggHVuAgo2s9g0CPDHGvy/Zlt6uGoj8wsdiR5RyTUp3U/4jj4AaiJON5/ia8T0aHdkb
SEbZBh0QrNcWa044/PpZj6qeWQykCk8ygbPukP737QDxttGbDMcIaDNP10gF/bzG7ohM
qpxV/yE=
=67Ys
-----END PGP SIGNATURE-----
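The carving this thread circles around (follow the TCP stream, find the NOP sled, pull out what follows for a disassembler), written up as an added example; it is not part of the original thread and not code from any of the posters. It parses a classic libpcap file with nothing but struct, reassembles each one-way TCP flow by sequence number, scans for runs of 0x90 and returns the bytes after each run. The pcap bytes, the 10.0.0.x addresses, the ports and the int3 filler standing in for shellcode are all constructed here; no real exploit is involved. As redb0ne says, the sled is only a hint: the body may sit elsewhere in the exchange, and a sled need not be 0x90 at all, so the sled byte and minimum run length are parameters rather than constants.

```python
"""Carve reassembled TCP streams out of a pcap and flag NOP-sled candidates.

Added example with constructed input. Stdlib only, so it runs offline.
Limitations: no seq wraparound, no IP fragments, Ethernet/IPv4 only.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def parse_pcap(data):
    """Yield raw link-layer frames from a classic (libpcap) pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    offset = 24  # global header: magic, version, thiszone, sigfigs, snaplen, linktype
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_segment(frame):
    """Return (flow_key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 + 20:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != PROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", ip, 2)
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[data_off:]


def reassemble_streams(pcap_bytes):
    """'Follow TCP stream' by hand: order each one-way flow by seq and splice payloads."""
    flows = defaultdict(list)
    for frame in parse_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is not None and seg[2]:
            flows[seg[0]].append((seg[1], seg[2]))
    streams = {}
    for key, segs in flows.items():
        segs.sort()
        base = segs[0][0]
        buf = bytearray()
        for seq, payload in segs:
            rel = seq - base
            if rel > len(buf):                      # gap: pad so offsets stay honest
                buf.extend(b"\x00" * (rel - len(buf)))
            buf[rel:rel + len(payload)] = payload   # retransmits simply overwrite
        streams[key] = bytes(buf)
    return streams


def find_nop_sleds(stream, nop=0x90, min_len=16):
    """Return (offset, length) of every run of `nop` at least min_len bytes long."""
    sleds, i, n = [], 0, len(stream)
    while i < n:
        if stream[i] != nop:
            i += 1
            continue
        j = i
        while j < n and stream[j] == nop:
            j += 1
        if j - i >= min_len:
            sleds.append((i, j - i))
        i = j
    return sleds


def carve(pcap_bytes, nop=0x90, min_len=16, body_len=256):
    """{flow: [(sled_offset, sled_len, hex of the bytes after the sled)]} per flow with a sled."""
    found = {}
    for key, stream in reassemble_streams(pcap_bytes).items():
        hits = [(off, ln, stream[off + ln:off + ln + body_len].hex())
                for off, ln in find_nop_sleds(stream, nop, min_len)]
        if hits:
            found[key] = hits
    return found


def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero, irrelevant for carving."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(payload), 1, 0x4000, 64,
                         PROTO_TCP, 0, bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    eth_hdr = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Constructed classic pcap: little-endian magic, linktype 1 (Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1221936000 + i, 0, len(f), len(f)) + f
    return bytes(out)


# Constructed attacker stream: request line, filler, 64-byte sled, then int3 bytes standing
# in for shellcode (inert). Split in two and captured out of order so reassembly matters.
STREAM = b"POST /vuln HTTP/1.0\r\n\r\n" + b"A" * 200 + b"\x90" * 64 + b"\xcc" * 32
SPLIT, SEQ0 = len(STREAM) // 2, 1000
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", 4444, "10.0.0.10", 80, SEQ0 + SPLIT, STREAM[SPLIT:]),  # arrives first
    build_frame("10.0.0.5", 4444, "10.0.0.10", 80, SEQ0, STREAM[:SPLIT]),
    build_frame("10.0.0.10", 80, "10.0.0.5", 4444, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for (src, sport, dst, dport), hits in carve(SAMPLE_PCAP).items():
        for off, ln, body in hits:
            print("%s:%d -> %s:%d  sled at stream offset %d (%d bytes), body: %s..."
                  % (src, sport, dst, dport, off, ln, body[:32]))
```

Write the carved body to a file and hand it to a disassembler (for example `objdump -D -b binary -m i386 candidate.bin`) to see what the code after the sled actually does; on a real capture, also look at the bytes before the sled and at the other direction of the flow, since the corrupted field and the payload are often not adjacent.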
Current thread:
- Data carving exploit from pcap file Jim Kelly (Sep 18)
- Data carving exploit from pcap file Michael Kitange (Sep 20)
- Re: Data carving exploit from pcap file Abuse 007 (Sep 20)
- RE: Data carving exploit from pcap file Paul Melson (Sep 20)
- Data carving exploit from pcap file Danilo Nascimento (Sep 20)
- Re: Data carving exploit from pcap file redb0ne (Sep 20)