[Snort-users] Packet contents: EXPERIMENTAL SHELLCODE x86 NOOP

Matt Kettler mkettler at ...4108...
Fri Jan 31 11:09:06 EST 2003


It looks to me like that packet is text and contains an ASCII hex dump of a 
binary file. The only thing even slightly unusual is that the lines are 
awfully long (120 chars per line) and there are no spaces used.

(Yes, I am looking at the right part.. your email literally contains what 
appears to be an ASCII hex dump of a packet containing an oddly formatted 
ASCII hex dump of a binary file)

There's nothing in the actual data aside from ASCII 0-9, a-f and 0d0a (crlf).



At 11:36 AM 1/31/2003 -0600, Marc Quibell wrote:


>OK, maybe a dumb thought, but is this just a binary file download? Can anyone
>decipher the packet capture? Tia/
>
>
>000 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>010 : 30 30 30 30 30 30 30 30 30 30 30 64 39 66 66 66   00000000000d9fff
>020 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
>030 : 66 66 66 66 34 62 36 61 61 61 61 61 61 61 61 61   ffff4b6aaaaaaaaa
>040 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
>050 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
>060 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
>070 : 61 61 61 61 61 61 61 0D 0A 61 61 61 61 61 61 61   aaaaaaa..aaaaaaa
>080 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
>090 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
>0a0 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
>0b0 : 61 61 61 61 61 61 61 61 61 61 61 61 65 64 39 66   aaaaaaaaaaaaed9f
>0c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
>0d0 : 66 66 66 64 31 33 36 30 30 30 30 30 30 30 30 30   fffd136000000000
>0e0 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>0f0 : 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30 30 30   000000000..00000
>100 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>110 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>120 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>130 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>140 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>150 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>160 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>170 : 30 30 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30   00000000000..000
>180 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>190 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
>1a0 : 30 30 32 35 36 66 66 66 66 66 66 66 66 66 66 66   00256fffffffffff
>1b0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
>1c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
>1d0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
>1e0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
>1f0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 0D 0A 66   fffffffffffff..f
><snip>
>
>
>
>

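A small triage script for this kind of alert, added here as an example (it is not part of the thread and not Snort's own code). It parses the quoted hex-dump format, tests the observation above that the payload contains nothing but ASCII hex digits and CRLF, reports the longest run of a single repeated byte (the pattern a NOP-sled signature keys on; here it is 0x61, the letter "a"), and, when the payload is hex text, decodes that inner hex into the bytes of the file being transferred. The sample input is the first eight dump lines quoted above, re-typed inline; the function names and the report layout are my own.

```python
"""Triage helper for a SHELLCODE x86 NOOP alert whose payload looks like text.

Added example, not from the Snort-users thread: parse the 'offset : xx xx ...
ascii' dump format, check the byte alphabet, measure the longest repeated-byte
run, and decode the inner hex text (CRLF-separated lines) into file bytes.
"""
import re
from typing import Any, Dict, Tuple

# Constructed sample: the first eight lines of the capture quoted in the thread.
SAMPLE_DUMP = """\
000 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
010 : 30 30 30 30 30 30 30 30 30 30 30 64 39 66 66 66   00000000000d9fff
020 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
030 : 66 66 66 66 34 62 36 61 61 61 61 61 61 61 61 61   ffff4b6aaaaaaaaa
040 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
050 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
060 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
070 : 61 61 61 61 61 61 61 0D 0A 61 61 61 61 61 61 61   aaaaaaa..aaaaaaa
"""

# One dump line: optional '>' quoting, an offset, a colon, then up to 16 hex
# pairs each followed by whitespace. The ASCII column is deliberately ignored:
# it replaces unprintable bytes with '.', so only the hex column is trusted.
DUMP_LINE = re.compile(r"^[>\s]*([0-9a-fA-F]+)\s*:\s*((?:[0-9a-fA-F]{2}\s+){1,16})")

# Byte values that may appear in a text hex dump: hex digits plus CR and LF.
HEX_TEXT_ALPHABET = set(b"0123456789abcdefABCDEF\r\n")


def parse_hex_dump(text: str) -> bytes:
    """Turn dump lines into the raw payload bytes; skip '<snip>' and blanks."""
    payload = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            payload += bytes.fromhex("".join(m.group(2).split()))
    return bytes(payload)


def is_ascii_hex_text(payload: bytes) -> bool:
    """True when every byte is a hex digit or CR/LF (a text dump, not code)."""
    return bool(payload) and set(payload) <= HEX_TEXT_ALPHABET


def longest_run(data: bytes) -> Tuple[int, int]:
    """Return (length, byte value) of the longest run of one repeated byte."""
    best_len, best_val, run, prev = 0, -1, 0, None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        if run > best_len:
            best_len, best_val = run, b
    return best_len, best_val


def decode_inner_hex(payload: bytes) -> bytes:
    """Strip CRLF and decode the hex text into the bytes of the carried file."""
    digits = payload.replace(b"\r", b"").replace(b"\n", b"")
    if len(digits) % 2:
        digits = digits[:-1]  # the capture is cut off; drop a dangling nibble
    return bytes.fromhex(digits.decode("ascii"))


def triage(text: str) -> Dict[str, Any]:
    """Summarise a captured payload so an analyst can judge the alert quickly."""
    payload = parse_hex_dump(text)
    report: Dict[str, Any] = {
        "payload_len": len(payload),
        "ascii_hex_only": is_ascii_hex_text(payload),
        "longest_run": longest_run(payload),
    }
    if report["ascii_hex_only"]:
        report["inner_bytes"] = decode_inner_hex(payload)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_DUMP)
    print(f"payload bytes: {r['payload_len']}, hex text only: {r['ascii_hex_only']}")
    print(f"longest run: {r['longest_run'][0]} x 0x{r['longest_run'][1]:02x}")
    if "inner_bytes" in r:
        print("decoded file bytes:", r["inner_bytes"].hex())
```

Two caveats when reading the report. First, the alphabet check is a necessary condition, not proof: a payload of nothing but 0x61 bytes is itself a valid hex-text alphabet, so the verdict rests on the combination of hex-only bytes, CRLF at regular intervals and the decoded content making sense, not on any one signal. Second, the decoded inner bytes are only meaningful if the capture begins on a line boundary; in the quoted dump the first text line is shorter than the ones that follow it, so the packet probably starts mid-line and the nibble alignment of the inner decode may be off by one.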