312-50V10 · Question #653
The following is an entry captured by a network IDS.You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You
The correct answer is D. The attacker is attempting an exploit that launches a command-line shell. The 0x90 NOP sled combined with the '/bin/sh' string in the payload is a signature of shellcode crafted to spawn a command-line shell via buffer overflow exploitation.
Question
The following is an entry captured by a network IDS.You are assigned the task of analyzing this entry. You notice the value 0x90, which is the most common NOOP instruction for the Intel processor. You figure that the attacker is attempting a buffer overflow attack. You also notice "/bin/sh" in the ASCII part of the output. As an analyst what would you conclude about the attack?
Exhibit
Options
- AThe buffer overflow attack has been neutralized by the IDS
- BThe attacker is creating a directory on the compromised machine
- CThe attacker is attempting a buffer overflow attack and has succeeded
- DThe attacker is attempting an exploit that launches a command-line shell
How the community answered
(47 responses)- A4% (2)
- B19% (9)
- C9% (4)
- D68% (32)
Why each option
The 0x90 NOP sled combined with the '/bin/sh' string in the payload is a signature of shellcode crafted to spawn a command-line shell via buffer overflow exploitation.
IDS detection does not equate to attack neutralization - the entry shows the IDS captured the traffic but provides no evidence the payload was blocked from executing on the target.
Creating a directory would require mkdir-related system calls, not the execution of /bin/sh - the shell path indicates the intent is arbitrary command execution, not file system manipulation.
A network IDS capture alone cannot confirm exploit success - it only shows the attack attempt was sent, not that it executed and spawned a shell on the target host.
In buffer overflow exploits, repeated 0x90 (NOP) instructions form a NOP sled that increases the probability of redirecting execution into the shellcode payload, and '/bin/sh' is the Unix/Linux Bourne shell binary path. Together these artifacts confirm the attacker crafted shellcode specifically designed to spawn an interactive command-line shell on the target system.
Concept tested: Buffer overflow shellcode NOP sled analysis
Source: https://owasp.org/www-community/attacks/Buffer_overflow_attack
Topics
Community Discussion
No community discussion yet for this question.
