[Snort-users] Packet contents: EXPERIMENTAL SHELLCODE x86 NOOP

Dragos Ruiu dr at ...381...
Fri Jan 31 15:18:02 EST 2003


Looks like random binary data... I would suspect audio or video streaming 
first. But the 0D 0A ( CR LF) makes it look like some sort of text graphics.

cheers,
--dr

On January 31, 2003 05:36 pm, Marc Quibell wrote:
> OK, maybe a dumb thought, but is this just a binary file download? Can
> anyone decipher the packet capture? Tia/
>
>
> 000 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 010 : 30 30 30 30 30 30 30 30 30 30 30 64 39 66 66 66   00000000000d9fff
> 020 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
> 030 : 66 66 66 66 34 62 36 61 61 61 61 61 61 61 61 61   ffff4b6aaaaaaaaa
> 040 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
> 050 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
> 060 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
> 070 : 61 61 61 61 61 61 61 0D 0A 61 61 61 61 61 61 61   aaaaaaa..aaaaaaa
> 080 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
> 090 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
> 0a0 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
> 0b0 : 61 61 61 61 61 61 61 61 61 61 61 61 65 64 39 66   aaaaaaaaaaaaed9f
> 0c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
> 0d0 : 66 66 66 64 31 33 36 30 30 30 30 30 30 30 30 30   fffd136000000000
> 0e0 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 0f0 : 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30 30 30   000000000..00000
> 100 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 110 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 120 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 130 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 140 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 150 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 160 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 170 : 30 30 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30   00000000000..000
> 180 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 190 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
> 1a0 : 30 30 32 35 36 66 66 66 66 66 66 66 66 66 66 66   00256fffffffffff
> 1b0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
> 1c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
> 1d0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
> 1e0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
> 1f0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 0D 0A 66   fffffffffffff..f
> <snip>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
dr at ...381...   pgp: http://dragos.com/ kyxpgp
http://cansecwest.com
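An added triage helper, not part of the thread and not Snort's own code: it parses the dump Marc posted (copied in verbatim below; the `<snip>` part is not on the page), rebuilds the 512 payload bytes and reports the properties an analyst checks before calling the alert a false positive. Every byte outside the CR LF pairs is an ASCII hex digit, CR LF arrives every 128 characters, and the run of 0x61 ("a", the single-byte x86 `popad` instruction that NOOP-sled signatures key on) is 67 bytes long. That profile fits a hex-encoded text transfer with 128-character lines, which is what Dragos's "text graphics" observation points at, rather than a NOP sled in front of shellcode. The `characterize` field names are my own choice.

```python
"""Rebuild and profile the payload behind a SHELLCODE x86 NOOP alert.

Added example for the Snort-users thread above; the dump text is the one
posted in the thread, the analysis code is not from Snort or the poster.
"""
import re

HEXDUMP = """\
000 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
010 : 30 30 30 30 30 30 30 30 30 30 30 64 39 66 66 66   00000000000d9fff
020 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
030 : 66 66 66 66 34 62 36 61 61 61 61 61 61 61 61 61   ffff4b6aaaaaaaaa
040 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
050 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
060 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
070 : 61 61 61 61 61 61 61 0D 0A 61 61 61 61 61 61 61   aaaaaaa..aaaaaaa
080 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
090 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
0a0 : 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
0b0 : 61 61 61 61 61 61 61 61 61 61 61 61 65 64 39 66   aaaaaaaaaaaaed9f
0c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
0d0 : 66 66 66 64 31 33 36 30 30 30 30 30 30 30 30 30   fffd136000000000
0e0 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
0f0 : 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30 30 30   000000000..00000
100 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
110 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
120 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
130 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
140 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
150 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
160 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
170 : 30 30 30 30 30 30 30 30 30 30 30 0D 0A 30 30 30   00000000000..000
180 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
190 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
1a0 : 30 30 32 35 36 66 66 66 66 66 66 66 66 66 66 66   00256fffffffffff
1b0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1c0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1d0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1e0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66   ffffffffffffffff
1f0 : 66 66 66 66 66 66 66 66 66 66 66 66 66 0D 0A 66   fffffffffffff..f
"""

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hexdump(text):
    """Rebuild payload bytes from a Snort-style 'off : xx xx ... ascii' dump."""
    payload = bytearray()
    for line in text.splitlines():
        _, sep, rest = line.partition(":")
        if not sep:
            continue
        # Up to 16 hex columns precede the ASCII column; keep only 2-char hex tokens.
        tokens = [t for t in rest.split()[:16] if HEX_BYTE.fullmatch(t)]
        payload += bytes(int(t, 16) for t in tokens)
    return bytes(payload)


def longest_run(data, value):
    """Length of the longest run of one byte value (what a NOOP rule keys on)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def characterize(payload):
    """Profile the payload: line structure, alphabet, and the 0x61 run length."""
    body = payload.replace(b"\r\n", b"")
    all_hex_ascii = all(chr(b) in "0123456789abcdefABCDEF" for b in body)
    decoded = bytes.fromhex(body.decode("ascii")) if all_hex_ascii and len(body) % 2 == 0 else None
    return {
        "length": len(payload),
        "crlf_count": payload.count(b"\r\n"),
        # First and last pieces are cut by the packet boundaries, not by the sender.
        "line_lengths": [len(piece) for piece in payload.split(b"\r\n")],
        "distinct_byte_values": len(set(payload)),
        "all_hex_ascii": all_hex_ascii,
        "decoded_length": None if decoded is None else len(decoded),
        "longest_0x61_run": longest_run(payload, 0x61),
    }


if __name__ == "__main__":
    for key, val in characterize(parse_hexdump(HEXDUMP)).items():
        print(f"{key:>22}: {val}")
```

The decisive fields are `all_hex_ascii` together with the 128-character line lengths: a hex dump of a binary file fed through a text channel will contain exactly this alphabet and exactly this line rhythm, and long runs of a single hex digit (here "a") are just runs of one nibble value in the underlying file. The full decode is attempted only when the alphabet and length allow it; because the capture starts mid-line the decoded bytes may be shifted by one nibble, so treat `decoded_length` as a sanity check rather than a faithful reconstruction.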