Forensic Challenge 11 - "Dive Into Exploit"

Challenge 11 - Dive Into Exploit (provided by Georg Wicherski from Giraffe Chapter)

Please submit your solution by May 31st, 2012, at http://www.honeynet.org/challenge2010.

Results will be announced on June 30th, 2012. For any questions and inquiries, please contact forensicchallenge2010@honeynet.org.

Skill Level: Advanced

1. What vulnerability is being exploited in the given packet capture? Can you identify the exploit?
2. How does the first stage load the second stage?
3. Elaborate on the cryptographic security (or absence thereof) of the second stage. How does it load the third stage?
4. How does the third stage load the last stage? Please reconstruct the original last stage before being loaded.
5. Where is the secret message located and what does it say?
6. Please explain why an attacker might deliver his payload in this way.

Only submissions answering all six questions correctly will be considered. The most accurate submission wins. If there is no correct submission within two months of this challenge being posted, the challenge will be closed without a winner.

This work by Georg Wicherski is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners
1. Ruud Schramp
1.5. Carl Pulley

Attachment                                      Size
fc.pcap                                         198.37 KB
1340832859_HoneynetFC11_RSchramp_NFI.zip        3.24 MB
1341138564_carlpulley-challenge11.pdf           308.74 KB