Which of the following is the MOST likely reason the analyst cannot find a process ID for the shell?

A forensic analyst suspects that a buffer overflow exists in a kernel module. The analyst executes the following command: dd if=/dev/ram of=/tmp/mem/dmp
The analyst then reviews the associated output:
^34^#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/bin/bash^21^03#45
However, the analyst is unable to find any evidence of the running shell.
Which of the following is the MOST likely reason the analyst cannot find a process ID for the shell?
A. The NX bit is enabled
B. The system uses ASLR
C. The shell is obfuscated
D. The code uses dynamic libraries
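A defender's way to triage a raw dump for the pattern quoted in the question, as an added example that is not part of the original post: it scans a dd-style memory image for a long run of one repeated filler byte followed by a shell path and reports the offset, so a hit like the one above can be located and compared against the live process list. The sample dump, the MIN_RUN and GAP thresholds and the shell-path list are constructed assumptions.

```python
import re

# Constructed sample: a dump fragment shaped like the output quoted in the
# question (a long run of 'A' filler ending in a shell path). The surrounding
# bytes are padding, not real memory.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"^34^#" + b"A" * 38 + b"/bin/bash" + b"^21^03#45"
    + b"\x00" * 32
    + b"user=alice shell=/bin/bash\x00"  # benign mention: no filler run before it
)

# Shell paths worth flagging when they sit right after a filler run (assumed list).
SHELL_PATHS = [b"/bin/bash", b"/bin/sh", b"/bin/dash"]

# A "filler run" is one printable byte repeated at least MIN_RUN times, followed
# within GAP bytes by a shell path. The question's output shows 38 'A' bytes.
MIN_RUN = 16
GAP = 8


def find_overflow_candidates(dump: bytes, min_run: int = MIN_RUN, gap: int = GAP):
    """Return (offset, filler_byte, run_length, shell_path) for each suspicious hit."""
    pattern = re.compile(
        rb"(?P<run>([\x21-\x7e])\2{%d,})"  # run of one repeated printable byte
        rb".{0,%d}?"                       # short gap before the path
        rb"(?P<path>%s)"
        % (min_run - 1, gap, b"|".join(re.escape(p) for p in SHELL_PATHS)),
        re.DOTALL,
    )
    hits = []
    for m in pattern.finditer(dump):
        run = m.group("run")
        hits.append((m.start(), run[:1], len(run), m.group("path")))
    return hits


def scan_dump_file(path: str):
    """Scan a raw image file such as one written by dd from /dev/ram."""
    with open(path, "rb") as f:
        return find_overflow_candidates(f.read())


if __name__ == "__main__":
    for offset, byte, length, shell in find_overflow_candidates(SAMPLE_DUMP):
        print(f"offset {offset:#x}: {length}x{byte!r} then {shell.decode()}")
```

An offset reported here is evidence that payload bytes are present in memory, not that a process is running them; the next step is to check that offset against the process list and the memory map it falls in.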


6 thoughts on “Which of the following is the MOST likely reason the analyst cannot find a process ID for the shell?”

  1. you are so annoying. prove why something is wrong, once. not surprising if you failed your exam as well.

  3. Okay – help me 007….

    You’ve been straight up – do you have a link? I’m totally useless on Linux/Unix. What I’m seeing is an obfuscated shell scrambles the output – https://www.krazyworks.com/obfuscating-shell-scripts/

    In this case, he can’t find it at all, so wouldn’t it be due to the script not running? Such as might occur if the NX bit were set or ASLR? – OR – is that the point, it would show in the memory dump with no execute/ASLR?

  4. C – the shell is obfuscated

    If the analyst cannot find the running shell, it must be obfuscated, hence he cannot find the process ID for the shell.
