Snort mailing list archives

Re: Packet contents: EXPERIMENTAL SHELLCODE x86 NOOP


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 31 Jan 2003 14:09:46 -0500

It looks to me like that packet is text and contains an ASCII hex dump of a binary file. The only thing even slightly unusual is that the lines are awfully long (120 chars per line) and there are no spaces used.

(Yes, I am looking at the right part; your email literally contains what appears to be an ASCII hex dump of a packet containing an oddly formatted ASCII hex dump of a binary file.)

There's nothing in the actual data aside from ASCII 0-9, a-f and 0d0a (crlf).



At 11:36 AM 1/31/2003 -0600, Marc Quibell wrote:


OK, maybe a dumb thought, but is this just a binary file download? Can anyone
decipher the packet capture? TIA.


000 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
010 : 30 30 30 30 30 30 30 30 30 30 30 64 39 66 66 66   00000000000d9fff
020 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
030 : 66 66 66 66 34 62 36 61 61 61 61 61 61 61 61 61   ffff4b6aaaaaaaaa
040 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
050 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
060 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
070 : 61 61 61 61 61 61 61 0D 0A 61 61 61 61 61 61 61   aaaaaaa..aaaaaaa
080 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
090 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
0a0 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
0b0 : 61 61 61 61 61 61 61 61 61 61 61 61 65 64 39 66   aaaaaaaaaaaaed9f
0c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
0d0 : 66 66 66 64 31 33 36 30 30 30 30 30 30 30 30 30   fffd136000000000
0e0 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0f0 : 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30 30 30   000000000..00000
100 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
110 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
120 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
130 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
140 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
150 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
160 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
170 : 30 30 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30   00000000000..000
180 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
190 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
1a0 : 30 30 32 35 36 66 66 66 66 66 66 66 66 66 66 66   00256fffffffffff
1b0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1d0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1e0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1f0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 0D 0A 66   fffffffffffff..f
<snip>




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
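A small triage helper for the situation in this thread, added here as an example and not part of either post: it parses the "offset : hex   ascii" dump format quoted above back into raw bytes, then checks whether the payload consists only of hex-digit characters plus CRLF (the observation made in the reply) and how long its longest run of one repeated byte is, the kind of pattern a NOOP-sled signature keys on. The three sample lines are copied from the quoted capture; the function and constant names are assumptions of this example.

```python
import re

# Three lines copied from the capture quoted above (Snort "offset : hex   ascii" format).
SAMPLE_DUMP = """\
000 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
010 : 30 30 30 30 30 30 30 30 30 30 30 64 39 66 66 66   00000000000d9fff
070 : 61 61 61 61 61 61 61 0D 0A 61 61 61 61 61 61 61   aaaaaaa..aaaaaaa
"""

# Offset, colon, then a run of two-digit hex pairs each followed by whitespace.
# The ASCII column is separated by extra spaces, so the greedy group stops before it.
LINE_RE = re.compile(r"^\s*[0-9a-fA-F]+\s*:\s*((?:[0-9a-fA-F]{2}\s)+)")

# What an ASCII hex dump of a binary file can legitimately contain: 0-9, a-f/A-F, CR, LF.
HEXDUMP_ALPHABET = frozenset(b"0123456789abcdefABCDEF\r\n")


def parse_dump(text):
    """Recover the raw payload bytes from a dump in the format shown above."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))  # fromhex skips the whitespace between pairs
    return bytes(out)


def longest_run(data):
    """Return (length, byte value) of the longest run of one repeated byte."""
    best_len, best_byte, cur_len = 0, -1, 0
    for i, b in enumerate(data):
        cur_len = cur_len + 1 if i and data[i - 1] == b else 1
        if cur_len > best_len:
            best_len, best_byte = cur_len, b
    return best_len, best_byte


def triage(data):
    """Summarise a payload that tripped a NOOP signature: is it really just hex text?"""
    distinct = set(data)
    run_len, run_byte = longest_run(data)
    return {
        "bytes": len(data),
        "distinct_bytes": len(distinct),
        "all_hex_text": distinct <= HEXDUMP_ALPHABET,  # True for the thread's packet
        "longest_run": run_len,
        "run_byte": run_byte,
    }


if __name__ == "__main__":
    print(triage(parse_dump(SAMPLE_DUMP)))
```

A payload that is all hex text with long single-byte runs is consistent with the "hex dump of a binary file" reading; real x86 NOP sleds contain bytes outside that alphabet, so the `all_hex_text` flag separates the two cases quickly.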
