
Locating evidence of a buffer overflow in Wireshark


crunchymom


Okay, so first, I'm a student. 

I'm completing a project that requires analyzing a pcap file in Wireshark. One part of it is finding the series of packets that indicate a buffer overflow, followed by an SQL injection. I have no idea whatsoever how to filter for this, or even what to look for if I do see it. It's the only part that I haven't been able to solve yet. Everything else, Google was pretty helpful. 

Hints? Ideas? Filter recommendations? 

Thank you! 


I'd imagine the sqli is going to be visible in data in a Web request, so filtering for http should help you find that. You might be able to filter the data somehow to check for common strings associated with sqli.
 

For the buffer overflow it'll probably be visible as a long string containing some hex at the end. Maybe it would be easier to filter out the other traffic first using "!". So you could get rid of arp with "!arp" and so on. Do the same with dns and any other noise that might be in the capture and take a look through what's left afterward.


SQLi should be easy to spot over HTTP. Anything encrypted over SSL/TLS is not going to be easy to see what is happening with, other than watching the IP/domain requests and ports. If any of the shellcode used for the overflow contains NOPs, you will be able to see rows of consecutive hexadecimal, like 90 90 90 90 90 repeating, for example, but this will be much harder to find since it doesn't have to be NOPs that are used so much as it can be small bits of code to create an escape and overflow. It depends on what is vulnerable, so monitoring specific web apps and open ports/services in use, and inspecting those specifically, would be more where to look. Much of it might be obfuscated too, since evading IDS/IPS systems is also a common practice with malware attacks; only straightforward, plain-text attacks are going to be easily spotted. You may also have to decode incoming streams to read them, since they could be wrapped in gzip-compressed data or such as well, making it harder to spot.

 

Came across this post on Twitter today and thought of your question. Not exactly buffer overflow sniffing in Wireshark, but it might help put you on a path to test on a virtual home lab with some tools - https://blogs.cisco.com/security/malware-analysis-for-the-incident-responder?dysig_tid=9ef06cf0a7d346f7bff7ec87baab566a&POSITION=DynamicSignal&REFERRING_SITE=Twitter&CREATIVE=112037&COUNTRY=&POSTID=eb4e3989-0b7c-4d8e-b154-f1ee5a967238 Reversing malware is not something I've ever looked at so much as pulling strings from files and looking at Windows PE data for stuff while using tools like Anubis for some more analysis.

Edited by digip
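The two signs the replies above describe (a run of 0x90 NOP bytes or a very long repeated-byte string for the overflow, and SQL fragments inside an HTTP request for the injection) can be checked mechanically once the TCP payloads are pulled out of Wireshark. The following is an added example written for this thread; it is not code from the thread or from Wireshark. Its sample payloads are constructed, the thresholds (200 repeated bytes, 16 NOPs) and the small pattern list are assumptions, and the hypothetical scan() function stands in for whatever export you feed it.

```python
"""Heuristic scan of TCP payloads for overflow-shaped data and SQLi fragments.
Sample payloads below are constructed for illustration, not taken from any capture."""
import re
from dataclasses import dataclass
from itertools import groupby
from typing import List, Optional, Tuple
from urllib.parse import unquote

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

# (frame_number, payload) pairs, as you would get by following a TCP stream.
SAMPLE_PAYLOADS: List[Tuple[int, bytes]] = [
    (1, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (2, b"GET /login.php?user=admin'%20OR%20'1'%3D'1&pass=x HTTP/1.1\r\n"
        b"Host: example.test\r\n\r\n"),
    # Long filler, a run of 0x90 (x86 NOP) and a few opaque bytes: overflow-shaped.
    (3, b"USER " + b"A" * 300 + b"\x90" * 32 + b"\xde\xad\xbe\xef" + b"\r\n"),
    (4, b"GET /search?q=1%20UNION%20SELECT%20name,pw%20FROM%20users--%20 HTTP/1.1\r\n"
        b"Host: example.test\r\n\r\n"),
]

# Assumed, deliberately small list of SQLi indicators (case-insensitive).
SQLI_PATTERNS = {
    "tautology":    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?", re.I),
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "comment_tail": re.compile(r"(--|/\*)"),
}


@dataclass
class Finding:
    frame: int
    kind: str      # "overflow" or "sqli"
    detail: str


def longest_run(payload: bytes) -> Tuple[int, int]:
    """(byte value, length) of the longest run of one repeated byte."""
    best_val, best_len = -1, 0
    for val, grp in groupby(payload):
        n = sum(1 for _ in grp)
        if n > best_len:
            best_val, best_len = val, n
    return best_val, best_len


def nop_run(payload: bytes) -> int:
    """Length of the longest run of 0x90 bytes, the x86 NOP the thread mentions."""
    return max((sum(1 for _ in g) for v, g in groupby(payload) if v == 0x90), default=0)


def overflow_detail(payload: bytes, min_repeat: int = 200, min_nops: int = 16) -> Optional[str]:
    """Describe why a payload looks overflow-shaped, or None.  Thresholds are assumptions."""
    nops = nop_run(payload)
    if nops >= min_nops:
        return f"{nops} consecutive 0x90 bytes"
    val, run = longest_run(payload)
    if run >= min_repeat:
        return f"{run} consecutive {val:#04x} bytes"
    return None


def sqli_details(payload: bytes) -> List[str]:
    """Names of SQLi patterns found; only HTTP requests are checked, per the 'filter for http' advice."""
    if not payload.startswith(HTTP_METHODS):
        return []
    text = unquote(payload.decode("latin-1"))   # undo %xx URL encoding before matching
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(text)]


def scan(payloads: List[Tuple[int, bytes]]) -> List[Finding]:
    """Run both heuristics over every (frame, payload) pair and collect hits."""
    findings: List[Finding] = []
    for frame, payload in payloads:
        detail = overflow_detail(payload)
        if detail:
            findings.append(Finding(frame, "overflow", detail))
        for name in sqli_details(payload):
            findings.append(Finding(frame, "sqli", name))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PAYLOADS):
        print(f"frame {f.frame}: {f.kind} ({f.detail})")
```

Inside the Wireshark GUI the same narrowing is done with display filters: !(arp || dns) drops the noise the earlier reply mentions, http.request keeps only web requests, http.request.uri contains "'" pulls requests carrying a single quote, and frame contains 90:90:90:90:90:90:90:90 or tcp.len > 500 surfaces segments with NOP runs or unusual length. All of these heuristics have false positives (a large file upload also produces long runs), so treat a hit as a frame to open and read, not as proof of an attack.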

Okay, apparently I'm more newbie than a normal newbie, because most of that went over my head. Can we upload screenshots here? I'm going to try. I think I found both attacks, but in the same breath, I have no idea. Please tell me if this looks like either SQL or Buffer Overflow to you. 
 

Actually, I don't think I can. I see the tab for insert other media, and it brings me to "existing attachments"... How does this work? 


10 hours ago, crunchymom said:

Okay, apparently I'm more newbie than a normal newbie, because most of that went over my head. Can we upload screenshots here? I'm going to try. I think I found both attacks, but in the same breath, I have no idea. Please tell me if this looks like either SQL or Buffer Overflow to you. 
 

Actually, I don't think I can. I see the tab for insert other media, and it brings me to "existing attachments"... How does this work? 

Well, let's make sure you have the basics. http://www.dummies.com/education/internet-basics/the-internet-for-dummies-cheat-sheet/ /sarcasm

Insert other media, like UPLOAD an image, but if your account is under a certain number of posts, you probably can't upload attachments yet anyway. Uploads are also limited in size for everyone's account, so they fill up quickly. Personally, I would suggest uploading images/screenshots to imgur, and non-image files to something like a Dropbox account for safe storage without tampering. Free file sharing sites should be avoided (although Dropbox is free) as many contain nefarious things going on with them. If you own your own website domain, using your own hosting would be better.
