From: Yoann Vandoorselaere (yoann mandrakesoft.com)
Date: Fri Aug 17 2001 - 13:10:22 CDT
On 17 Aug 2001 14:14:56 -0300, Ian Sharkey wrote:
> Most shellcode exploits contain a number of NOP instructions (hex 90 on
> x86), so one scanning for an unusually high number of 90h in a request would
> trigger a possible shellcode injection. Other than that, doing a protocol
> analysis and looking for potential buffer overflow might do the trick too.
> Mileage will vary.
You can use operations other than NOP. So counting the number of NOPs in a
packet is really not a good idea, as it would take time and be easily
evaded.
--
Yoann Vandoorselaere | "Programming is a race between programmers, who try and
MandrakeSoft         | make more and more idiot-proof software, and universe,
                     | which produces more and more remarkable idiots. Until
                     | now, universe leads the race" -- R. Cook
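
The disagreement in this thread, as an added example that is not part of either poster's message: a detector that counts 0x90 bytes is compared with one that measures the longest contiguous run of sled-capable bytes. The opcode set, the thresholds and every sample request are assumptions constructed for illustration.

```python
# Added example: count-of-0x90 heuristic versus longest-run heuristic.
# All payloads below are constructed samples, not captured traffic.

NOP = 0x90
# Assumption: a small illustrative set of one-byte 32-bit x86 instructions
# that leave control flow untouched (inc/dec reg, 0x40-0x4f) plus NOP.
# These bytes are also ASCII '@' and 'A'-'O', so long uppercase runs can
# cause false positives; the run threshold has to account for that.
SLED_BYTES = frozenset(range(0x40, 0x50)) | {NOP}


def count_nops(payload: bytes) -> int:
    """Heuristic from the quoted message: total number of 0x90 bytes."""
    return payload.count(NOP)


def longest_run(payload: bytes, allowed=SLED_BYTES) -> int:
    """Length of the longest contiguous run of bytes drawn from `allowed`."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b in allowed else 0
        best = max(best, cur)
    return best


def classify(payload: bytes, count_threshold=64, run_threshold=64) -> dict:
    """Evaluate both heuristics against one request body."""
    return {
        "nop_count_alert": count_nops(payload) >= count_threshold,
        "run_alert": longest_run(payload) >= run_threshold,
    }


# Constructed samples.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
SCATTERED = bytes([0x90, 0x00, 0x13]) * 100      # binary data, no sled
OTHER_OPS = b"GET /" + b"\x41" * 200 + b" HTTP/1.0\r\n\r\n"  # no 0x90 at all
CLASSIC = b"GET /" + b"\x90" * 200 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name in ("BENIGN", "SCATTERED", "OTHER_OPS", "CLASSIC"):
        print(name, classify(globals()[name]))
```

The count heuristic fires on the scattered binary sample and stays silent on the sample with no 0x90 bytes, which is the weakness the reply points out; the run-based check reverses both outcomes but still depends on the chosen byte set.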