Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/documentation/modules/post/solaris/escalate/srsexec_readline.md
Views: 11789
Vulnerable Application
The vulnerable binary (srsexec) is included in the package Sun Remote Services Net Connect Software Proxy Core (SUNWsrspx). The vulnerable versions are 3.2.3 and 3.2.4, for Solaris 10. This package was included on the extras/companion CD which doesn't seem to available anymore. srsexec's vulnerability is that it runs with the suid bit set, and in debug verbose mode if given a file as input, the first line of that file will be echoed back. Common exploitation is to read /etc/shadow, to get root's password hash, however any file can be read.
In lieu of this, a mock application was created in python and is available here. Follow the instructions in the python script to install, argparse also needs to be sent to the Solaris box since pypi.org doesn't accept ssl2/3 which are the only versions in Solaris 10u9.
The output from srsexec is slightly odd. The first line of the file will be after binaries file line: and truncated at 20 characters. If the output is longer than 20 characters, then the next line will start with the last 2 characters from the previous line, followed by the next 18 characters, and so on.
Verification Steps
Install the application
Start msfconsole
Get a user level session
Do:
use solaris/escalate/srsexec_readlineDo:
set session [#]Do:
runYou should be able to read the first line of a file.
If
/etc/shadowis selected, checkcreds.
Options
File
The file that should have the first line read. Default is /etc/shadow and root's hash will be databased.