[JaxPM] Decode CodeRed data

j proctor jproctor at oit.umass.edu
Wed Aug 8 10:36:17 CDT 2001


On the jacksonville-pm-list; Jax.PM'er j proctor <jproctor at oit.umass.edu> wrote -



> > %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u
> > 9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00
> 
> Is it Unicode or UUEncoded - ? - Maybe I am having a brain fart...

I assumed %u was something like "unsigned".  It looks to me like a nice
string of 16-bit words (though I can't necessarily account for the 00 or
00=a at the end).  But given that it's a buffer overflow type of security
hole, I'd wager that it's working on the section that affects who has
permission to do what to the server.  Go find an x86 disassembler and see
if the hex works backwards to something intelligible.

Not perfect, since you don't know whether the first chunk (9090) is an
instruction or data, but it's a start.  If you don't get anything on the
first pass, try shifting that (and maybe the next word or two) off and run
it through again.


j


Jax.PM Moderator's Note:
This message was posted to the Jacksonville Perl Monger's Group listserv.
The group manager can be reached at -- owner-jacksonville-pm-list at pm.org
to whom send all praises, complaints, or comments...
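
The decoding step suggested in the message, as an added example that is not part of the original post: it rejoins the wrapped quoted string, reads each %uXXXX token as a 16-bit word, and writes the bytes out for a disassembler, with a `skip_words` option for the "shift the first word off and run it through again" retry. The function names and the low-byte-first byte order are assumptions of this example.

```python
import re

# Copied from the quoted message above, including its line wrap and "> > " marks.
QUOTED = """\
> > %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u
> > 9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00
"""

TOKEN = re.compile(r"%u([0-9a-fA-F]{4})")


def unwrap(quoted):
    """Drop mail quote markers and whitespace so tokens split by wrapping rejoin."""
    lines = (re.sub(r"^(>\s*)+", "", ln) for ln in quoted.splitlines())
    return "".join("".join(ln.split()) for ln in lines)


def decode_words(text):
    """Return (words, leftover): 16-bit values plus any tail that is not a full token."""
    words, pos = [], 0
    while True:
        m = TOKEN.match(text, pos)
        if not m:
            break
        words.append(int(m.group(1), 16))
        pos = m.end()
    return words, text[pos:]


def to_bytes(words, skip_words=0, little_endian=True):
    """Serialise words (low byte first is this example's assumption); skip leading words."""
    order = "little" if little_endian else "big"
    return b"".join(w.to_bytes(2, order) for w in words[skip_words:])


def hexdump(data, width=8):
    return "\n".join(
        f"{off:04x}  {data[off:off + width].hex(' ')}"
        for off in range(0, len(data), width)
    )


if __name__ == "__main__":
    words, leftover = decode_words(unwrap(QUOTED))
    print(f"{len(words)} words, undecoded tail: {leftover!r}")
    for skip in (0, 1):
        print(f"-- skip_words={skip}")
        print(hexdump(to_bytes(words, skip_words=skip)))
```

The bytes returned by `to_bytes` can be written to a file and passed to any x86 disassembler in raw-binary mode; the truncated `%u00` at the end of the quote is reported as an undecoded tail rather than guessed at.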



