Read Content-Encoding: gzip data from captured stream

2012.09.21

Well, it appears to be easy, but not for me 🙂

Here is how the capture result looks in Wireshark:

If you Google “Content-Encoding: gzip decode”, you get a list of solutions, none of which worked for me 🙂 Ok, but I have to be sure it is the RedKit Exploit Kit payload page!

Ok, let's see what we can do.

If you see the previous screen, I assume you are already in Wireshark – Follow TCP Stream.

Now we need to select only the response: in the drop-down menu on the bottom line, instead of Entire Conversation choose [Remote IP]:[protocol] to [Local IP]:[protocol]

and press the Save As button. Save it as sample.gz << if you are not sure why .gz: the default extension for a gzip archive is .gz 🙂

If you try to extract it now, it will fail with an error saying the archive is corrupted.

Ok. Now we need a hex editor. I use GHex, you are welcome to use your favourite.

Open sample.gz in hex editor:

Now we need to remove all the HTTP headers.

We should leave only the gzip data itself: delete the headers and the few other bytes before it, until the hex window begins with the two-byte combination 1F 8B

Hint: This is the standard beginning of a gzip archive. 🙂

Here is how it looks:

Ok. Now we can save the file and extract it as a regular gzip archive.

In the same folder you'll find the file sample.html (or whatever was encoded).
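The same carving done in code, as an added example that is not from the original post: it assumes the response was saved with Follow TCP stream as described above, the sample response is constructed here, and the function names are my own.

```python
"""Carve the gzip-encoded body out of an HTTP response saved from
Wireshark's "Follow TCP stream" (server-to-client direction) and gunzip it."""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # the 1F 8B marker the post looks for in the hex editor


def parse_http_response(raw: bytes):
    """Split raw response bytes into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers (CRLF CRLF) not found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def carve_gzip_body(raw: bytes) -> bytes:
    """Drop everything before the 1F 8B magic and gunzip the rest; a truncated
    capture is decompressed as far as it goes instead of rejected as corrupt."""
    _status, headers, body = parse_http_response(raw)
    if headers.get("content-encoding", "").lower() != "gzip":
        raise ValueError(f"not gzip-encoded: {headers.get('content-encoding')!r}")
    start = body.find(GZIP_MAGIC)
    if start < 0:
        raise ValueError("gzip magic 1F 8B not found in body")
    try:
        return gzip.decompress(body[start:])
    except (OSError, EOFError, zlib.error):
        # 16 + MAX_WBITS tells zlib to expect a gzip wrapper; without a flush,
        # a missing trailer or cut-off deflate stream yields the partial output.
        return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(body[start:])


# Constructed sample (not from the post): a small HTML page, gzip-compressed,
# behind HTTP response headers, as Follow TCP stream would save it.
SAMPLE_HTML = b"<html><body><p>constructed sample page</p></body></html>"
_GZ = gzip.compress(SAMPLE_HTML, mtime=0)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(_GZ)).encode() + b"\r\n"
    b"\r\n" + _GZ
)
```

Run it on the file saved from Wireshark with `carve_gzip_body(open("sample.gz", "rb").read())`; the result is the bytes that the hex-editor route writes out as sample.html.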

Right click – Edit:

So – it is RedKit Exploit Kit 🙂

Now we have another detail for the next case 🙂

Meanwhile stay safe and good luck!

Cheers

D.L.
