Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Yoann Vandoorselaere (yoannmandrakesoft.com)
Date: Fri Aug 17 2001 - 13:10:22 CDT
On 17 Aug 2001 14:14:56 -0300, Ian Sharkey wrote:
> Most shellcode exploits contains a number of NOP instructions (hex 90 on
> x86), so one scanning for an unusually high number of 90h in a request would
> trigger a possible shellcode injection. Other than that, doing a protocol
> analysis and looking for potential buffer overflow might do the trick too.
> Mileage will vary.
You can use other operation than NOP. So counting the number of NOP in a
packet is really not a good idea, as it would take time and be easily
-- Yoann Vandoorselaere | "Programming is a race between programmers, who try and MandrakeSoft | make more and more idiot-proof software, and universe, | which produces more and more remarkable idiots. Until | now, universe leads the race" -- R. Cook