Trend Micro management exploit payload perhaps?

Published: 2007-08-23
Last Updated: 2007-08-23 08:00:39 UTC
by William Salusky (Version: 1)
0 comment(s)

No sooner than I post a call for packets but I catch an event that surely looks suspect.  I'm unable to confirm the destination target was in fact running a Trend management service or if the result of the following attempt.  Let's see what our shellcode analysts can determine before we post complete packet payload. 

 

Attacking Client       Trend Management Service???
222.xxx.xxx.83:3418 => xx.xx.xxx.65:5168
                    Suspicious payload perhaps?
00000000  0500 0083 1000 0000 0808 0000 0100 0000  ................
00000010  e007 0000 0000 0000 8888 2825 5bbd d111  ..........(%[...
00000020  9d53 0080 c83a 5c2c 0400 0300 d007 0000  .S...:\,........
00000030  fc6a eb4d e8f9 ffff ff60 8b6c 2424 8b45  .j.M.....`.l$$.E
.
.     (Sorry, intentionally removed to prevent kiddie replay)
.
00000130  6aff ff37 ffd0 68e7 79c6 79ff 7504 ffd6  j..7..h.y.y.u...
00000140  ff77 fcff d068 f08a 045f 53ff d6ff d041  .w...h..._S....A
00000150  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000160  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
.
.
.
00000480  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000490  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000004a0  4141 4141 4141 4141 4141 4141 4141 1c13  AAAAAAAAAAAAAA..
000004b0  7465 4141 4141 4141 4141 4141 4141 4141  teAAAAAAAAAAAAAA 
000004c0  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
.
.
.
000007e0  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000007f0  4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000800  d007 0000 d007 0000                      ........

 

W
Incapable of shell code kung-fu, regardless of his desire.

 

Keywords:
0 comment(s)

Comments


Diary Archives