Re: arp packet payload
From: Bram Matthys (Syzop) (syzop_at_vulnscan.org)
Date: 11/01/03
Date: Sat, 01 Nov 2003 01:19:03 +0100
To: sebastian <reitenba@fh-brandenburg.de>
Hi,
sebastian wrote:
> don't know whether it's mentioned anywhere or old news but here we go:
> captured following arp packet last night:
>
> 00:44:36.309866 arp who-has 192.168.5.254 tell 192.168.5.164
> 0x0000 0001 0800 0604 0001 00c0 9f20 d3cd c0a8 ................
> 0x0010 05a4 0000 0000 0000 c0a8 05fe 4d2d 5345 ............M-SE
> 0x0020 4152 4348 202a 2048 5454 502f 312e ARCH.*.HTTP/1.
>
> nice packet, but what makes me curious is the payload. where is it taken from?
> are there also passwords and other "secret" things, which may be
> unintentionally sent out to the.
> i think the source is a windows xp box.
This looks a lot like bad frame padding; the packet itself should have
actually ended right where the 'M-SEARCH' stuff starts.
Normally this is padded with zeros till the frame is 46 bytes,
but a lot of drivers (especially from Linux) didn't properly pad, so
then you can see old memory contents... like from network buffers.
See
http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf
Bram Matthys (Syzop).
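
The check described in the reply above, as an added example that is not part of the original post: it splits the 46 bytes from the quoted tcpdump output into the ARP message and the trailing pad, and reports the pad when it is not all zeros. The function names are hypothetical, and the zero-padded comparison frame is constructed.

```python
import struct

# ARP payload exactly as shown in the tcpdump output quoted in this thread
# (the dump starts after the Ethernet header).
CAPTURED = bytes.fromhex(
    "0001 0800 0604 0001 00c0 9f20 d3cd c0a8"
    "05a4 0000 0000 0000 c0a8 05fe 4d2d 5345"
    "4152 4348 202a 2048 5454 502f 312e"
)


def split_arp(payload):
    """Return (arp_message, trailing_bytes) for an Ethernet payload carrying ARP."""
    if len(payload) < 8:
        raise ValueError("truncated ARP header")
    # Fixed header: hardware type, protocol type, hw addr len, proto addr len, opcode
    _htype, _ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    # Body: sender hw + sender proto + target hw + target proto addresses
    arp_len = 8 + 2 * (hlen + plen)
    if len(payload) < arp_len:
        raise ValueError("truncated ARP body")
    return payload[:arp_len], payload[arp_len:]


def padding_leak(payload):
    """Return the padding bytes if any of them is non-zero, else b''."""
    _, pad = split_arp(payload)
    return pad if any(pad) else b""


if __name__ == "__main__":
    arp, pad = split_arp(CAPTURED)
    print("ARP message: %d bytes, padding: %d bytes" % (len(arp), len(pad)))
    print("non-zero padding:", padding_leak(CAPTURED))
    # Constructed comparison: the same ARP message padded with zeros
    clean = arp + bytes(len(pad))
    print("zero-padded frame leak:", padding_leak(clean))
```
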