Snort mailing list archives

Re: Packet contents: EXPERIMENTAL SHELLCODE x86 NOOP


From: Dragos Ruiu <dr () kyx net>
Date: Fri, 31 Jan 2003 14:15:32 +0000

Looks like random binary data... I would suspect audio or video streaming
first. But the 0D 0A (CR LF) makes it look like some sort of text graphics.

cheers,
--dr

On January 31, 2003 05:36 pm, Marc Quibell wrote:
OK, maybe a dumb thought, but is this just a binary file download? Can
anyone decipher the packet capture? Tia/


000 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
010 : 30 30 30 30 30 30 30 30 30 30 30 64 39 66 66 66   00000000000d9fff
020 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
030 : 66 66 66 66 34 62 36 61 61 61 61 61 61 61 61 61   ffff4b6aaaaaaaaa
040 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
050 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
060 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
070 : 61 61 61 61 61 61 61 0D 0A 61 61 61 61 61 61 61   aaaaaaa..aaaaaaa
080 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
090 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
0a0 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
0b0 : 61 61 61 61 61 61 61 61 61 61 61 61 65 64 39 66   aaaaaaaaaaaaed9f
0c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
0d0 : 66 66 66 64 31 33 36 30 30 30 30 30 30 30 30 30   fffd136000000000
0e0 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0f0 : 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30 30 30   000000000..00000
100 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
110 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
120 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
130 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
140 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
150 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
160 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
170 : 30 30 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30   00000000000..000
180 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
190 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
1a0 : 30 30 32 35 36 66 66 66 66 66 66 66 66 66 66 66   00256fffffffffff
1b0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1d0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1e0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1f0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 0D 0A 66   fffffffffffff..f
<snip>




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
dr () kyx net   pgp: http://dragos.com/ kyxpgp
http://cansecwest.com
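
A triage sketch for the question in this thread, added here as an example and not code from either poster or from Snort: it rebuilds the payload bytes from the first sixteen rows of the dump quoted above and reports the character set, the CR LF spacing and the longest single-byte run. The function names are this example's own.

```python
import re
from itertools import groupby

# Rows 000-0f0 of the dump quoted in the thread, copied as posted.
DUMP = """
000 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
010 : 30 30 30 30 30 30 30 30 30 30 30 64 39 66 66 66   00000000000d9fff
020 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
030 : 66 66 66 66 34 62 36 61 61 61 61 61 61 61 61 61   ffff4b6aaaaaaaaa
040 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
050 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
060 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
070 : 61 61 61 61 61 61 61 0D 0A 61 61 61 61 61 61 61   aaaaaaa..aaaaaaa
080 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
090 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
0a0 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
0b0 : 61 61 61 61 61 61 61 61 61 61 61 61 65 64 39 66   aaaaaaaaaaaaed9f
0c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
0d0 : 66 66 66 64 31 33 36 30 30 30 30 30 30 30 30 30   fffd136000000000
0e0 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0f0 : 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30 30 30   000000000..00000
"""
# One row: offset, " : ", up to 16 hex pairs; the ASCII column is ignored.
ROW = re.compile(r"^\s*[0-9a-f]+ : ((?:[0-9A-Fa-f]{2} ){1,16})", re.M)

def parse_dump(text):
    """Rebuild payload bytes from 'offset : hex ... ascii' rows."""
    return b"".join(bytes.fromhex(m.group(1)) for m in ROW.finditer(text))

def crlf_offsets(data):
    """Byte offsets of every CR LF pair."""
    return [m.start() for m in re.finditer(rb"\r\n", data)]

def full_line_lengths(data):
    """Lengths of lines bounded by CR LF on both sides."""
    offs = crlf_offsets(data)
    return [b - (a + 2) for a, b in zip(offs, offs[1:])]

def is_hex_text(data):
    """True if every byte is a lowercase hex digit or CR/LF."""
    return set(data) <= set(b"0123456789abcdef\r\n")

def longest_run(data):
    """(byte value, length) of the longest run of one repeated byte."""
    return max(((b, len(list(g))) for b, g in groupby(data)), key=lambda r: r[1])

if __name__ == "__main__":
    data = parse_dump(DUMP)
    print(crlf_offsets(data), full_line_lengths(data), is_hex_text(data), longest_run(data))
```

On these rows it reports only lowercase hex digits and CR LF, a 128-character line between the two CR LF pairs, and a 67-byte run of 0x61.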




