Penetration Testing mailing list archives

Re: Data carving exploit from pcap file


From: redb0ne () hush com
Date: Sat, 20 Sep 2008 13:45:02 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> OK, if this sequence makes sense, I can easily see the NOPs (90 90 90 etc.). Shellcode would come after that; could probably Google the hex to try and validate that it was in fact shellcode....

I wouldn't bother. You could probably create a binary file with the hex and put it into a disassembler to see what the shellcode is doing.

If there are a ton of NOPs though, then it more than likely is shellcode.

> The beginning of the NOPs would be the end of the sploit...

Not necessarily.

Memory corruption vulnerabilities like buffer overflows can be exploited any number of ways; it isn't always (and in this day and age is very infrequently going to be) just dumping a bunch of data into a buffer.


> How would I identify the beginning of the sploit?


It would help if you provided more information, the dump especially :)

What protocol is it?

> The idea I've been playing with would be to do "follow tcp stream" in Wireshark... but I'm not sure that will accurately finger the beginning of the exploit.

What you are asking is very unreasonable; we need more information to help you. Like I said earlier, please remember that exploits take a number of different forms and are more often than not going to be a lot more than just a long string with shellcode in it. So the start of the NOPs isn't necessarily going to be the end of the exploit; in a lot of cases the shellcode could be put into a location that is completely different from where the vuln is.

Take a look at the protocol being exploited, then go from there. If it is RPC, Google the RPC interface for vulnerabilities; if it is a file then do the same for the file format. Things like this take research and there is no silver bullet.

I know I'd be more than happy (as would others) to help, but we need a dump. Also, wouldn't this be more appropriate for incidents@?


> Any suggestions welcome and appreciated.

Jk
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAkjVNqAACgkQGwcl4JwqQeARBAP+Mi8r9Q2TRYiB6QKWGLy0wNrNg79E
UAggHVuAgo2s9g0CPDHGvy/Zlt6uGoj8wsdiR5RyTUp3U/4jj4AaiJON5/ia8T0aHdkb
SEbZBh0QrNcWa044/PpZj6qeWQykCk8ygbPukP737QDxttGbDMcIaDNP10gF/bzG7ohM
qpxV/yE=
=67Ys
-----END PGP SIGNATURE-----
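The reply above describes the workflow in words: follow the TCP stream, look for the run of 0x90 NOPs, and write the bytes after it to a binary file for a disassembler, while remembering that the start of the sled is not the start of the exploit. The script below is an added illustration of that workflow, written for this edit and not part of the thread or any tool the poster used. It builds a small constructed pcap in memory (fake hosts, ports and a placeholder byte string standing in for shellcode), reassembles each unidirectional TCP stream by sequence number, flags runs of 0x90, and carves the bytes that follow. Assumptions: native little-endian libpcap format with Ethernet framing, no gaps or overlaps in the stream, checksums ignored, and a 16-byte sled threshold that is a heuristic rather than a rule.

```python
"""Added example: follow a TCP stream from a pcap, flag NOP-sled candidates, and
carve what follows them for a disassembler. Everything here is constructed."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
NOP = 0x90

def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero (never validated)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1221932702 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(pcap):
    """Yield raw frames from a native little-endian libpcap file."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only native little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    if frame[23] != IPPROTO_TCP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return (src, sport, dst, dport), seq, frame[tcp_off + data_off:14 + total_len]

def reassemble_streams(pcap):
    """'Follow TCP stream': order each direction's segments by seq and concatenate
    (assumes the capture has no gaps or overlapping retransmissions)."""
    segments = {}
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segments.setdefault(key, []).append((seq, payload))
    return {k: b"".join(p for _, p in sorted(s)) for k, s in segments.items()}

def find_nop_sleds(data, min_len=16):
    """Return (offset, length) for every run of 0x90 at least min_len bytes long."""
    sleds, i = [], 0
    while i < len(data):
        if data[i] == NOP:
            j = i
            while j < len(data) and data[j] == NOP:
                j += 1
            if j - i >= min_len:
                sleds.append((i, j - i))
            i = j
        else:
            i += 1
    return sleds

def carve_after_sled(data, sled):
    """Bytes after the sled: what you would write to a .bin and disassemble. The
    sled's start is NOT the exploit's start; the protocol exchange and the data
    that reached the vulnerable buffer before it are part of the exploit too."""
    offset, length = sled
    return data[offset + length:]

# Constructed capture: a fake protocol exchange whose second request carries a
# 32-byte NOP sled followed by a placeholder (not shellcode). Segments are
# written out of order so the reassembly step actually matters.
FAKE_STAGE2 = b"<CONSTRUCTED-PLACEHOLDER-NOT-SHELLCODE>"
SEG1 = b"HELO evil.example\r\n"
SEG2 = b"CMD " + b"A" * 40 + b"\x90" * 32 + FAKE_STAGE2 + b"\r\n"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 1234, 1000 + len(SEG1), SEG2),
    build_tcp_frame("10.0.0.5", "10.0.0.9", 40000, 1234, 1000, SEG1),
    build_tcp_frame("10.0.0.9", "10.0.0.5", 1234, 40000, 5000, b"250 OK\r\n"),
])

def analyse(pcap=SAMPLE_PCAP, min_len=16):
    """Map each stream key to its list of (offset, length) sled candidates."""
    return {k: find_nop_sleds(d, min_len) for k, d in reassemble_streams(pcap).items()}

if __name__ == "__main__":
    for key, data in reassemble_streams(SAMPLE_PCAP).items():
        for sled in find_nop_sleds(data):
            carved = carve_after_sled(data, sled)
            print(f"{key}: {sled[1]}-byte NOP sled at stream offset {sled[0]}, "
                  f"{len(carved)} bytes after it carved to carved_after_sled.bin")
            with open("carved_after_sled.bin", "wb") as fh:  # hand this to a disassembler
                fh.write(carved)
```

Run it as a script to get the sled offsets and the carved file; on a real capture, replace `SAMPLE_PCAP` with the file's bytes. The offsets it reports are offsets into the reassembled stream, so the bytes before the sled (here the `CMD ` verb and the 40 filler bytes) are exactly the region the reply tells the poster to keep looking at, since that is where the protocol field being abused and the data that overwrote control state actually sit.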

