Vulnerability Development mailing list archives

buffer overflows encapsulation


From: gregory duchemin <c3rb3r () HOTMAIL COM>
Date: Mon, 22 Jan 2001 01:14:38 -0000

hi,
Has someone here already seen or heard something about eggshells
encapsulating buffer overflows?
I mean an eggshell to exploit, for instance, a low-privilege user like
nobody through a usual vulnerable CGI, but this eggshell would be crafted to
locally exploit another buffer overflow, this time to get root.
It may be possible (not necessarily easily) with an execve system call and a
long enough buffer to sploit.
If root can be gained in a simple manner (like a setuid floodable
parameter), our second (encapsulated) buffer address would be passed as an
argument of execve and thus should be pushed on the stack before the interrupt
call.
I guess that finding the right offset values will be a bit more complicated,
but it shouldn't be impossible at all?! Did you see something like that around
here?
Do you see any reason why this shouldn't be possible?
It seems to be an interesting case to study.
Most remote buffer exploits would be turned into remote root compromises
in two passes.
cheers,

 Gregory Duchemin
